Take a look at your /var/log/messages (or equivalent for non-Red-Hat clones).

You probably have errors like

Jun 29 14:03:01 apps9 server[23692]: org.apache.guacamole.GuacamoleServerException: ""none"" is not a valid value for property "ldap-encryption-method". Valid values are: "none", "ssl", "starttls"

Jun 29 14:04:56 apps9 server[23765]: org.apache.guacamole.GuacamoleServerException: The DN ""dc=company,dc=country"" is invalid.


Try removing the quotes around the values in the

ldap-encryption-method:
ldap-user-base-dn:

fields. Our setup does not have them, and it authenticates correctly. If I add 
the quotes around them in the config file, I generate the errors above.

By the way, we also use a user group filter, which works correctly to limit 
the users who can log in without causing any problems:

ldap-user-search-filter: 
(memberOf=cn=GuacamoleUsers,cn=Users,dc=company,dc=country)
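As an added example (not code from this thread or from the Guacamole project), here is a small Python checker for the two defects the syslog excerpts above complain about: property values wrapped in literal quotes, and a base DN that does not parse. It reads a guacamole.properties-style fragment, also accepting Docker-style names such as LDAP_USER_BASE_DN (the lower-case/hyphen mapping to the property name is assumed), validates ldap-encryption-method against the three values listed in the error message, and parses any DN-valued property. The sample properties are constructed from the values quoted in this thread.

```python
"""Sanity-check Guacamole LDAP properties for quoted values and malformed DNs."""
import re

# Values the LDAP extension accepts, as listed in the error message above.
VALID_ENCRYPTION_METHODS = {"none", "ssl", "starttls"}

# Properties whose values must be LDAP distinguished names.
DN_PROPERTIES = ("ldap-user-base-dn", "ldap-search-bind-dn")

# Constructed sample in guacamole.properties form, reproducing the quoted
# values that the syslog excerpts complain about.
SAMPLE_BAD = """\
ldap-hostname: 192.168.87.20
ldap-port: 389
ldap-encryption-method: "none"
ldap-user-base-dn: "dc=company,dc=country"
ldap-search-bind-dn: CN=admin,CN=Users,DC=company,DC=country
ldap-username-attribute: sAMAccountName
"""

# Same fragment with the quotes removed, i.e. the form that authenticates.
SAMPLE_GOOD = SAMPLE_BAD.replace('"', "")


def env_to_property(name: str) -> str:
    """Map a Docker environment variable name (LDAP_USER_BASE_DN) to the
    property key it populates (ldap-user-base-dn).  Assumed convention:
    lower-case, underscores turned into hyphens."""
    return name.lower().replace("_", "-")


def parse_properties(text: str) -> dict:
    """Parse 'key: value' lines; comments and blank lines are ignored.
    Keys are normalised so Docker-style and properties-style names coincide."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a key: value line: {raw!r}")
        props[env_to_property(key.strip())] = value.strip()
    return props


def parse_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs.  Backslash-escaped commas
    inside a value are honoured; anything that is not attr=value is rejected,
    which is exactly what a leading stray quote triggers."""
    parsed = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr) or not value:
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        parsed.append((attr, value))
    return parsed


def check_properties(props: dict) -> list:
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    for key, value in props.items():
        # Guacamole does not strip quotes: they become part of the value.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            problems.append(f"{key}: value {value} is wrapped in quotes")
    method = props.get("ldap-encryption-method")
    if method is not None and method not in VALID_ENCRYPTION_METHODS:
        problems.append(f"ldap-encryption-method: {method} is not one of "
                        f"{sorted(VALID_ENCRYPTION_METHODS)}")
    for key in DN_PROPERTIES:
        if key in props:
            try:
                parse_dn(props[key])
            except ValueError as exc:
                problems.append(f"{key}: {exc}")
    return problems


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, check_properties(parse_properties(sample)) or "OK")
```

To run it against a real deployment, feed it the contents of guacamole.properties (or the environment block of the container) through `check_properties(parse_properties(text))`; the bad sample yields four findings (two quoted values, the invalid encryption method, and the unparseable DN), the unquoted one yields none.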


________________________________
From: Tifaine RIVOIRE OPTI Sécurité <[email protected]>
Sent: Thursday 29 June 2023 10:21
To: [email protected] <[email protected]>
Subject: RE: Guacamole Extensions troubles

Hi,

After conducting further research following Nick's response, I discovered that 
I don't need a search filter, so I removed it. My goal is to allow all users in 
my Active Directory (AD) to connect to Guacamole.
However, I'm still encountering issues with LDAP authentication. Specifically, 
when I attempt to connect with a user named l.coelho from my AD, the following 
logs are generated:

08:29:44.881 [http-nio-8080-exec-2] INFO  o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user "l.coelho" using LDAP server "192.168.87.20". Proceeding with next server...

08:29:44.882 [http-nio-8080-exec-2] INFO  o.a.g.a.l.AuthenticationProviderService - User "l.coelho" did not successfully authenticate against any LDAP server.

08:29:44.883 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [X.X.X.X, 192.168.254.10] for user "l.coelho" failed.

I have already verified that I can successfully telnet to port 389 of my LDAP 
server, the encryption method is set correctly as "none," and I tested the LDAP 
connectivity using the ldapsearch command, which worked fine.
Interestingly, my admin can connect to the AD without any issues, as confirmed 
by the successful log entries in my AD logs.
I suspect that there might be a problem with my LDAP configuration in the 
Docker Compose file. Could you assist me in resolving this issue?

My users are in:   OU=AMG,OU=Utilisateur,DC=AMG,DC=lan

My admin is in:    OU=Users,DC=AMG,DC=lan

      # LDAP Connection
      LDAP_HOSTNAME: 192.168.87.20
      LDAP_PORT: 389
      LDAP_ENCRYPTION_METHOD: "none"

      # Mapping Guacamole usernames to LDAP DN's
      LDAP_USER_BASE_DN: "dc=AMG,dc=LAN"

      # Indirect Username Mapping
      LDAP_SEARCH_BIND_DN: CN=admin,CN=Users,DC=AMG,DC=lan
      LDAP_SEARCH_BIND_PASSWORD: password
      LDAP-USERNAME-ATTRIBUTE: sAMAccountName

Best regards,

T. RIVOIRE
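An added example, not from the thread or the Guacamole project: a Python parser for the Guacamole client log lines quoted in the message above. It separates the "Unable to determine DN" event (the LDAP extension could not find the user under the configured base DN and search filter, so the password was never checked) from the generic failed-authentication warning, and tallies failures per user together with the source addresses from the bracketed forwarded-for list, which is what you want when deciding whether repeated failures are a misconfiguration or something to alert on. Logger names and message wording come from the quoted lines; the sample log is that excerpt, with the poster's redaction kept.

```python
"""Parse Guacamole client authentication log lines and summarise failures."""
import re
from collections import defaultdict

# Log lines as quoted in the thread (the first address was redacted by the poster).
SAMPLE_LOG = """\
08:29:44.881 [http-nio-8080-exec-2] INFO  o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user "l.coelho" using LDAP server "192.168.87.20". Proceeding with next server...
08:29:44.882 [http-nio-8080-exec-2] INFO  o.a.g.a.l.AuthenticationProviderService - User "l.coelho" did not successfully authenticate against any LDAP server.
08:29:44.883 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [X.X.X.X, 192.168.254.10] for user "l.coelho" failed.
"""

# Layout of one line: time, thread, level, logger, " - ", message.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$")

# Message patterns, each mapped to an event kind.  Wording taken from the excerpt.
EVENT_PATTERNS = [
    ("dn_lookup_failed", re.compile(
        r'Unable to determine DN of user "(?P<user>[^"]+)" '
        r'using LDAP server "(?P<server>[^"]+)"')),
    ("ldap_auth_failed", re.compile(
        r'User "(?P<user>[^"]+)" did not successfully authenticate')),
    ("auth_failed", re.compile(
        r'Authentication attempt from \[(?P<sources>[^\]]+)\] '
        r'for user "(?P<user>[^"]+)" failed')),
]


def parse_line(line: str):
    """Return a dict describing the line, or None if it is not a Guacamole log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"time": m["time"], "level": m["level"],
             "logger": m["logger"], "kind": "other"}
    for kind, pat in EVENT_PATTERNS:
        hit = pat.search(m["msg"])
        if hit:
            event["kind"] = kind
            event.update(hit.groupdict())
            break
    if "sources" in event:
        # "[client, proxy]" list: split into individual addresses.
        event["sources"] = [s.strip() for s in event["sources"].split(",")]
    return event


def summarise(text: str) -> dict:
    """Aggregate per user: failed attempts, source addresses, and whether the
    extension ever failed to locate the user's DN.  A DN lookup failure points
    at the base DN / search filter, not at the password."""
    summary = defaultdict(lambda: {"failed": 0, "dn_lookup_failed": 0,
                                   "sources": set(), "servers": set()})
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev or "user" not in ev:
            continue
        entry = summary[ev["user"]]
        if ev["kind"] == "auth_failed":
            entry["failed"] += 1
            entry["sources"].update(ev["sources"])
        elif ev["kind"] == "dn_lookup_failed":
            entry["dn_lookup_failed"] += 1
            entry["servers"].add(ev["server"])
    for entry in summary.values():
        entry["diagnosis"] = ("user not found under base DN / search filter"
                              if entry["dn_lookup_failed"]
                              else "credentials rejected or other failure")
    return dict(summary)


if __name__ == "__main__":
    for user, entry in summarise(SAMPLE_LOG).items():
        print(user, entry)
```

In practice you would pipe `docker logs` of the Guacamole client container into `summarise`; a user whose entry shows dn_lookup_failed greater than zero has not reached the bind step at all, so raising LOGBACK_LEVEL and reviewing the base DN and filter is the next step, while a high `failed` count with no lookup failures from a single source is the pattern worth alerting on.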
From: Nick Couchman <[email protected]>
Sent: Wednesday 14 June 2023 14:46
To: [email protected]
Subject: Re: Guacamole Extensions troubles

On Wed, Jun 14, 2023 at 8:26 AM Tifaine RIVOIRE OPTI Sécurité 
<[email protected]> wrote:

Hi,

I'm testing Guacamole and I want to configure some extensions.
I already set up Guacamole with docker-compose and the TOTP extension.

I have some trouble with the LDAP extension. In fact, I followed a lot of 
tutorials that show how to set it up.

I copied the .jar file into the extensions directory, but after a restart I can't 
log in with an AD user. I've seen that a new directory called ldap was created 
(just like totp) with the .jar & .ldif files.
I also tried to create a user with the same AD name and a blank password in 
Guacamole, making sure to select the create-connection permission.

When I connect, Guacamole tells me wrong password, but it is the correct one in 
my AD.
I also see some forwarded communications (through the firewall) from my Guacamole 
server to my AD.

Can you help me understand why I can't log in with an AD account?
You'll need to take a look at the logs for the Guacamole Client container and 
see what errors might be logged to the container. You may also have to change 
the log level of Guacamole Client (LOGBACK_LEVEL environment variable) to get 
more useful information out of the system.
I do notice in the Docker Compose file you posted that you appear to be using a 
search filter that is supposed to make LDAP search nested AD groups. I'm not 
sure that this will actually work - I think there are some things that need to 
be implemented within Guacamole to support this, and I don't think those 
currently exist. You might, at the very least, try changing your search filter 
to something else - just create a single group with the users you want to have 
access and search that group, only - and see if that helps.
-Nick
