On Tue, Oct 26, 2021 at 6:53 AM Golota S.V. <[email protected]> wrote:
> Hello, if my experience is useful, I did this:
>
> LDAP_HOSTNAME: "ip_addr_dc"
> LDAP_PORT: "389"
> LDAP_ENCRYPTION_METHOD: "none"
> LDAP_SEARCH_BIND_DN: "CN = guacamoleadmin, OU = domaim, DC = local"
> LDAP_SEARCH_BIND_PASSWORD: "password"
> LDAP_USER_BASE_DN: "OU = NET, DC = domain, DC = local"
> LDAP_USERNAME_ATTRIBUTE: "samAccountName"
> LDAP_GROUP_BASE_DN: "OU = Group, DC = domain, DC = local"
> LDAP_GROUP_NAME_ATTRIBUTE: "cn"
> LDAP_FOLLOW_REFERRALS: "false"
> LDAP_USER_SEARCH_FILTER: "(& (objectClass = *) (memberOf = CN = rdp-user, OU = Group, DC = domain, DC = local))"

Thanks for sharing this! Please note that this is the Docker configuration, so it will have to be translated to guacamole.properties format, or you'll have to enable environment variable loading.

> 26.10.2021 05:31, Maik Heinelt wrote:
> > I am not getting LDAP authentication with my Windows 2019 server to work.
> > My guacamole.properties looks as follows:
> >
> > guacd-hostname: localhost
> > guacd-port: 4822
> > GUACAMOLE_HOME: /etc/guacamole

There's no point to this line, as this file should already be in GUACAMOLE_HOME.

> > auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

This line is completely unnecessary and does not add or change functionality.

> > # LDAP properties
> > ldap-hostname: MyWin2019Server
> > ldap-port: 389
> > ldap-encryption-method: none
> > ldap-username-attribute: sAMAccountName
> > ldap-user-base-dn: OU=Users,DC=mydomain,DC=local
> > ldap-search-bind-dn: CN=Administrator,CN=Users,DC=mydomain,DC=local
> > ldap-search-bind-password: GoodPassword

I would not use Administrator to do search binds - this is a needless compromise of your Admin credentials. You really only need an account that can actually bind to AD and then can locate the user, group, and/or connection objects that you want to query from Guacamole.

> > I got the ldap-search-bind-dn from the server LDAP admin properties >> Attribute Editor >> distinguishedName, so I am pretty sure this should be correct.

That looks fine to me.

> > I am able to reach the LDAP without errors using SSL or also no encryption via the Guacamole server command line using ldapsearch.
> > When looking at the catalina.out log file, there is no error or warning shown when I try to authenticate via LDAP.
> > Just a "WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 153.156.182.53 for user "MyUser" failed."

The first thing I would check, here, is that you actually have the LDAP extension installed correctly. The JAR file should be under GUACAMOLE_HOME/extensions (/etc/guacamole/extensions, usually). After copying it to that directory make sure to reload the Guacamole web application by either re-deploying the WAR file or restarting Tomcat. You can check catalina.out and make sure that you're seeing a message when the WAR file is loaded that indicates that it has actually loaded the LDAP extension.

After that you should try increasing the verbosity of logging for Guacamole Client:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging

Note that, particularly for the LDAP extension, this will result in a lot of extra messages being logged, and you'll have to go through the logs and locate the login attempts and where the LDAP conversation is failing.

-Nick
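The checks Nick walks through above (LDAP extension JAR present under GUACAMOLE_HOME/extensions, no Administrator account used for search binds, dead lines in guacamole.properties) can be run mechanically before digging through verbose logs. The POSIX-sh lint below is an added example written for this thread; it is not code from the thread or from the Guacamole project. It assumes the released extension JAR is named guacamole-auth-ldap-<version>.jar and that properties are written as simple `key: value` lines; it also flags `ldap-encryption-method: none` (the default when the key is absent), since a simple bind over plain LDAP sends the bind password and every user's password across the network unencrypted.

```shell
#!/bin/sh
# Added example (not from the thread or the Guacamole project):
#   lint_guac_ldap <guacamole.properties> <GUACAMOLE_HOME/extensions>
# Prints one finding per line and returns the number of WARN findings
# (0 means nothing to fix). Assumptions: the LDAP extension JAR is named
# guacamole-auth-ldap-*.jar, and properties are single-line "key: value".

# prop_value FILE KEY -> prints the (trimmed) value of the first "KEY: value" line
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

lint_guac_ldap() {
    props="$1"
    extdir="$2"
    warns=0

    # 1. Guacamole only loads the extension if its JAR sits in GUACAMOLE_HOME/extensions.
    if ls "$extdir"/guacamole-auth-ldap-*.jar >/dev/null 2>&1; then
        echo "INFO: LDAP extension JAR present in $extdir (restart Tomcat after copying it)"
    else
        echo "WARN: no guacamole-auth-ldap-*.jar in $extdir; Guacamole will never consult LDAP"
        warns=$((warns + 1))
    fi

    # 2. The search bind account should be a dedicated low-privilege reader.
    bind_dn=$(prop_value "$props" ldap-search-bind-dn)
    lower_dn=$(printf '%s' "$bind_dn" | tr '[:upper:]' '[:lower:]')
    case "$lower_dn" in
        *cn=administrator*|*"domain admins"*)
            echo "WARN: ldap-search-bind-dn is '$bind_dn'; use a read-only service account instead"
            warns=$((warns + 1)) ;;
        "")
            echo "INFO: no ldap-search-bind-dn set" ;;
    esac

    # 3. A simple bind over unencrypted LDAP exposes the bind and user passwords on the wire.
    enc=$(prop_value "$props" ldap-encryption-method)
    if [ -z "$enc" ] || [ "$enc" = "none" ]; then
        echo "WARN: ldap-encryption-method is 'none' (or unset); passwords cross the network in clear text"
        warns=$((warns + 1))
    fi

    # 4. Lines that do nothing in guacamole.properties, as noted in the thread.
    if grep -q '^[[:space:]]*auth-provider[[:space:]]*:' "$props"; then
        echo "INFO: auth-provider line is ignored; extensions are loaded from the extensions directory"
    fi
    if grep -q '^[[:space:]]*GUACAMOLE_HOME[[:space:]]*:' "$props"; then
        echo "INFO: GUACAMOLE_HOME line is ignored; it is the directory this file already lives in"
    fi

    return "$warns"
}

# Stand-alone usage: lint_guac_ldap.sh /etc/guacamole/guacamole.properties /etc/guacamole/extensions
if [ "$#" -eq 2 ]; then
    lint_guac_ldap "$1" "$2"
fi
```

Run it against the properties file and extensions directory of the Guacamole host; a non-zero exit status means at least one WARN line was printed. The INFO lines are informational only and do not affect the exit status.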
