On Mon, Sep 7, 2020 at 7:28 PM sysjaj <[email protected]> wrote:
> Mike,
>
> Finally! I commented out the "ldap-follow-referrals:true", rebooted the
> server, and boom...BOTH my test AD accounts were able to authenticate and
> log in to guacamole web interface! Man. This has been brutal. Thanks so much
> for sticking in there with me and answering all my back and forth issues. I
> appreciate the help. NOW..on to the NEXT hard part..I'll try to tackle
> getting guacamole to be HTTPS and also communicate with Active Directory
> securely also over port 636 and not unsecured as now. (Sadly I predict I
> will be posting to this mailing list in near future with issues about that
> too..sigh.) But for now at least I know it CAN connect with AD credentials
> for our end users and I can "close" this case.
>

Regarding LDAP SSL/TLS, you'll need to make sure that your LDAP server certificates are trusted by Java. This usually means importing your LDAP root certificate authority into your Java cacerts file, but exactly where the cacerts file lives and how you go about that import can vary widely depending on whether you're using your distribution's Java install or a custom one.

For HTTPS access to Guacamole, the easiest way to go about this is to proxy Tomcat behind a reverse proxy - most commonly either Apache httpd or Nginx. The Guacamole manual provides instructions for how to accomplish either of those;

http://guacamole.apache.org/doc/gug/proxying-guacamole.html

-Nick
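
Added example, not part of Nick's message or the Guacamole project's code: a shell sketch of the cacerts import described above, which finds the trust store under a given Java home and imports the LDAP root CA with `keytool`. The function names, the alias `ad-root-ca` and the PEM path are assumptions made for illustration; `changeit` is the stock cacerts password and may differ on your install.

```shell
#!/bin/sh
# Added example. Alias, file names and password are placeholders.

# Print java.home of the "java" binary on PATH (check it is the one Tomcat runs).
java_home_of_path() {
    java -XshowSettings:properties -version 2>&1 |
        sed -n 's/^ *java\.home = //p'
}

# Print the cacerts path for the Java install rooted at $1, or return 1.
find_cacerts() {
    # Java 9+ and a standalone Java 8 JRE use lib/security; a Java 8 JDK
    # keeps the store under jre/. Distro packages often symlink this file
    # to a system-wide store, which -f follows.
    for candidate in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# import_ldap_ca JAVA_HOME CA_FILE ALIAS [STOREPASS]
import_ldap_ca() {
    store=$(find_cacerts "$1") || { echo "no cacerts under $1" >&2; return 1; }
    ca_file=$2; ca_alias=$3; pass=${4:-changeit}   # changeit: stock default
    [ -r "$ca_file" ] || { echo "cannot read $ca_file" >&2; return 1; }
    # Already imported? Then do nothing, so the function is safe to rerun.
    if keytool -list -keystore "$store" -storepass "$pass" \
            -alias "$ca_alias" >/dev/null 2>&1; then
        echo "alias $ca_alias already present in $store"
        return 0
    fi
    cp -p "$store" "$store.bak" || return 1        # rollback copy
    keytool -importcert -trustcacerts -noprompt \
        -keystore "$store" -storepass "$pass" \
        -alias "$ca_alias" -file "$ca_file"
}

# Usage (as root, then restart Tomcat):
#   import_ldap_ca "$(java_home_of_path)" /path/to/ad-root-ca.pem ad-root-ca
```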
