On Mon, Sep 7, 2020 at 10:08 AM sysjaj <[email protected]> wrote:
> ...
>
> Alas I still could not log in with active directory user accounts. Now I
> get this error in "syslog" and user authentication failure.
>
> Sep 7 09:42:31 guacamole tomcat9[854]: 09:42:31.059 [http-nio-8080-exec-8]
> WARN o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for
> user "jaytest": [CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
> CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
> CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
> CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
> CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
> ...snip...
> CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu,
> CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu]
>
> Sep 7 09:42:31 guacamole tomcat9[854]: 09:42:31.062 [http-nio-8080-exec-8]
> WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from
> 140.198.201.101 for user "jaytest" failed.
>

Well, the reason things are failing in this case is that your LDAP server appears to be returning 121 duplicate results for a query that theoretically should return exactly one object. Guacamole is refusing to attempt authentication from that point as the result fails this sanity check.

I'm not sure what could cause such behavior (perhaps something due to referrals?), however I would recommend manually executing a search against your LDAP server using the same details (same base DN, search for objects matching "(sAMAccountName=jaytest)", enable referral following) and see what you get back. Really, there *should* be just one object... It's worth disabling referrals to see whether that's what's happening here.

If CN will also be usable, and all your users will be of the form "CN=username,OU=DomainUsers,DC=gccaz,DC=edu", you can work around this behavior for the time being by using "CN" for your username attribute, "OU=DomainUsers,DC=gccaz,DC=edu" for your base DN, and *not* using a search DN and password.

This will cause Guacamole to map users to DNs directly rather than searching for them, but I think it is also important to investigate and explain the odd LDAP query behavior.

- Mike
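An added example (not part of the thread and not Guacamole's own code) that parses the "Multiple DNs possible" WARN line above, tells a server returning the same entry repeatedly apart from a login name that genuinely matches several distinct objects, and shows the DN that the suggested direct-mapping workaround would bind as; the sample log line is constructed and cut down to three copies of the DN, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample of the WARN line quoted in the thread, cut down to three
# copies of the DN instead of the 121 the real log contained.
SAMPLE_LOG = (
    'Sep 7 09:42:31 guacamole tomcat9[854]: 09:42:31.059 [http-nio-8080-exec-8] '
    'WARN o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for '
    'user "jaytest": [CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu, '
    'CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu, '
    'CN=jaytest,OU=DomainUsers,DC=gccaz,DC=edu]'
)

MULTI_DN_RE = re.compile(r'Multiple DNs possible for user "([^"]+)": \[(.*)\]')


def parse_multiple_dns(line):
    """Return (username, [dn, ...]) from a 'Multiple DNs possible' line, else None."""
    m = MULTI_DN_RE.search(line)
    if not m:
        return None
    user, body = m.groups()
    # Entries are joined with ", " (comma + space); the commas inside one DN
    # have no following space, so split only where an attribute name follows.
    dns = [dn.strip() for dn in re.split(r',\s+(?=[A-Za-z]+=)', body)]
    return user, dns


def classify(dns):
    """Distinguish a genuinely ambiguous username (several distinct DNs) from a
    server handing back one entry over and over (every DN identical), which is
    the pattern a referral loop or duplicated search results would produce."""
    distinct = Counter(dn.lower() for dn in dns)
    verdict = "duplicate-results" if len(distinct) == 1 else "ambiguous-username"
    return {"verdict": verdict, "total": len(dns), "distinct": len(distinct)}


def escape_dn_value(value):
    """RFC 4514 escaping for one attribute value placed into a DN."""
    out = re.sub(r'([,+"\\<>;])', r'\\\1', value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def direct_bind_dn(username, base_dn, attribute="CN"):
    """DN built under the workaround (username attribute CN, base DN set to the
    OU, no search DN): nothing is searched, so the login name itself becomes
    part of the bind DN and has to be escaped before it is used."""
    return f"{attribute}={escape_dn_value(username)},{base_dn}"
```
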
