*ldap-user-base-dn* is set to *OU=Guacusers,DC=corpserver,DC=ca* in the guacamole configuration.
The command you are executing is looking for users under *dc=corpserver,dc=ca*. Can you execute the command changing the base DN, to confirm the users are in the right place?

ldapsearch -H ldap://dc1.corpserver.ca -x -W -D "[email protected]" -b "OU=Guacusers,DC=corpserver,DC=ca" "(sAMAccountName=adbind)"

On Wed, 8 Sep 2021 10:34, Rick Davies <[email protected]> wrote:
> Good morning all,
>
> I am hoping someone can point me in the right direction as I am pulling my
> hair, what little is left, out over an issue I am having with LDAP
> authentication to an AD server.
>
> Guacamole version is 1.3.0 installed on an Ubuntu 20.04.3 Linux server.
> I've downloaded the LDAP extension and put the guacamole-auth-ldap-1.3.0.jar
> in my /etc/guacamole/extensions directory. I also had the TOTP jar in there
> as well and that is working just fine. For purposes of this exercise I
> have disabled the TOTP extension right now though.
>
> DB authentication works just fine when I make it my primary authentication
> method.
>
> This is the contents of my guacamole.properties file (sanitized):
> <begin file>
> # Auth provider class
> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>
> # MySQL properties
> mysql-hostname: localhost
> mysql-port: 3306
> mysql-database: guacamole_db
> mysql-username: guacamole_user
> mysql-password: <correct password>
>
> # LDAP properties
> ldap-hostname: dc1.corpserver.ca
> ldap-port: 389
> ldap-user-base-dn: OU=Guacusers,DC=corpserver,DC=ca
> ldap-username-attribute: sAMAccountName
> ldap-config-base-dn: DC=corpserver,DC=ca
> ldap-search-bind-dn: CN=adbind,OU=Service_Accounts,DC=corpserver,DC=ca
> ldap-search-bind-password: <correct password>
> ldap-encryption-method: none
> <end file>
>
> Firewall on the AD server is, right now, disabled.
>
> I can run the following commands and results are returned properly from
> the AD server:
> ldapsearch -H ldap://dc1.corpserver.ca:389 -D CN=adbind,OU=Service_Accounts,DC=corpserver,DC=ca -W -b DC=corpserver,DC=ca
> &
> ldapsearch -H ldap://dc1.corpserver.ca -x -W -D "[email protected]" -b "dc=corpserver,dc=ca" "(sAMAccountName=adbind)"
>
> However, when I attempt to login to the Guacamole interface using an AD
> account, I just get a denied login, almost as if it isn't even connecting
> out to the AD server.
>
> I verified the account names were set up exactly in the DB as they would be
> on the AD server to allow for the saving of the connections in the DB by
> enabling the advanced properties and checking there that everything matched
> the user name I created in the DB first.
>
> I feel like I am missing something but I have checked over the
> documentation, looked online at other tutorials about implementing AD
> connectivity and they all seem to be pretty much the same as what I have
> done above.
>
> Tomcat is my app server. It is running at version 9.0.31
>
> I am not seeing anything out of the ordinary in the logs, at least for
> Tomcat or Guacamole, other than some multipathd errors which I'm not
> concerned with at the moment.
>
> Am I missing something in the configuration that would be preventing my
> guacamole server from authenticating to the AD server?
>
> I appreciate any thoughts, ideas or suggestions that may get me moving in
> the right direction.
>
> Thank you,
> Rick Davies
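An added example, not from the thread or from the Guacamole project: a small Python script that parses the sanitized guacamole.properties above, checks that the DNs are consistent with each other, and builds the ldapsearch that reproduces Guacamole's own user lookup with the same base DN and username attribute, which is the mismatch the reply points out. The embedded properties text is constructed from the thread, and the finding strings and the DN-normalization rules are my own assumptions.

```python
# Added example, not from the thread: sanity-check the DNs in a Guacamole LDAP
# config and build the ldapsearch that mirrors Guacamole's own user lookup.
# Constructed sample, copied from the sanitized guacamole.properties in the thread.
SAMPLE_PROPERTIES = """\
ldap-hostname: dc1.corpserver.ca
ldap-port: 389
ldap-user-base-dn: OU=Guacusers,DC=corpserver,DC=ca
ldap-username-attribute: sAMAccountName
ldap-config-base-dn: DC=corpserver,DC=ca
ldap-search-bind-dn: CN=adbind,OU=Service_Accounts,DC=corpserver,DC=ca
ldap-search-bind-password:<correct password>
ldap-encryption-method: none
"""

def parse_properties(text):
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def normalize_dn(dn):
    """Split a DN into RDNs and lowercase them: attribute types are
    case-insensitive (RFC 4514) and AD compares the values case-insensitively."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def is_under(dn, base):
    """True if dn equals base or sits below it in the tree (suffix match on RDNs)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def check_config(props):
    """Return consistency and hygiene findings (empty list means nothing flagged)."""
    findings = []
    for key in ("ldap-user-base-dn", "ldap-search-bind-dn"):
        if not is_under(props[key], props["ldap-config-base-dn"]):
            findings.append(key + " is outside ldap-config-base-dn")
    if props.get("ldap-encryption-method", "none") == "none":
        findings.append("bind password crosses the network in cleartext (ldap-encryption-method: none)")
    return findings

def ldapsearch_command(props, username):
    """The lookup Guacamole performs: bind as the service account, then search
    for the login name under ldap-user-base-dn by ldap-username-attribute."""
    return ('ldapsearch -H ldap://{h}:{p} -x -W -D "{bind}" -b "{base}" "({attr}={user})"'
            .format(h=props["ldap-hostname"], p=props["ldap-port"],
                    bind=props["ldap-search-bind-dn"], base=props["ldap-user-base-dn"],
                    attr=props["ldap-username-attribute"], user=username))
```

Running the generated command by hand against the directory confirms whether the login name is actually found under the configured ldap-user-base-dn, rather than anywhere in the domain.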
