Hi, I've set up Guacamole using docker containers using guacamole/guacamole, guacamole/guacd, nginx, and postgres:15.2-alpine and a docker compose yaml file. All appears to be working. I've configured Guacamole to use a local LDAP service, which is in development. For the most part, that's working OK, but if we try to authenticate using a Google email address of the form '[email protected]', the LDAP server never sees a request from Guacamole. The Guacamole logs show o.a.d.l.c.api.LdapNetworkConnection sending a BIND request, but it never appears at the LDAP server. For example, this is in the docker logs (set to DEBUG level):

guacamole_compose | 15:31:09.610 [http-nio-8080-exec-6] DEBUG o.a.g.a.ldap.LDAPConnectionService - Connection to LDAP server without encryption.
. . .
guacamole_compose | Message ID : 1
guacamole_compose | BindRequest
guacamole_compose | Version : '3'
guacamole_compose | Name : '[email protected] ,ou=users,dc=test'
guacamole_compose | Simple authentication : '(omitted-for-safety)'
guacamole_compose | )

There is then a whole load of output from o.a.d.api.asn1.ber.Asn1Decoder, and at some point this:

guacamole_compose | 15:31:09.617 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (TAG_STATE_START)
guacamole_compose | 15:31:09.617 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x0A)
guacamole_compose | 15:31:09.617 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01000_TAG_DECODED (0x0A)
guacamole_compose | 15:31:09.617 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (LENGTH_STATE_START)
guacamole_compose | 15:31:09.617 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x01)
guacamole_compose | 15:31:09.617 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (LENGTH_STATE_END)
guacamole_compose | 15:31:09.617 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x22)
guacamole_compose | 15:31:09.617 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01003_PARENT_LENGTH (TLV expected length stack : - 7 - 0 - null)
guacamole_compose | 15:31:09.617 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01006_LENGTH_DECODED (1)
guacamole_compose | 15:31:09.617 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (VALUE_STATE_START)
guacamole_compose | 15:31:09.617 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x22)
guacamole_compose | 15:31:09.617 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (TLV_STATE_DONE)
guacamole_compose | 15:31:09.617 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x04)
guacamole_compose | 15:31:09.618 [NioProcessor-12] DEBUG o.a.d.api.asn1.ber.Asn1Decoder - MSG_01001_TLV_TREE (TLV0x0A(1)-TLV0x61(4)-TLV0x30(0))
guacamole_compose | 15:31:09.618 [NioProcessor-12] DEBUG o.a.d.a.a.b.grammar.AbstractGrammar - Transition from state <BIND_RESPONSE_STATE> to state <RESULT_CODE_BR_STATE>, tag <0x0A>, action : Store resultCode
guacamole_compose | 15:31:09.618 [NioProcessor-12] DEBUG o.a.d.a.l.c.a.l.StoreResultCode - MSG_05109_RESULT_CODE_IS (INVALID_DN_SYNTAX)

Before finally this:

guacamole_compose | 15:31:09.618 [NioProcessor-12] DEBUG org.apache.directory.api.CODEC_LOG - MSG_14002_DECODED_LDAP_MESSAGE (MessageType : BIND_RESPONSE
guacamole_compose | Message ID : 1
guacamole_compose | BindResponse
guacamole_compose | Ldap Result
guacamole_compose | Result code : (INVALID_DN_SYNTAX) invalidDNSyntax
guacamole_compose | Matched Dn : ''
guacamole_compose | Diagnostic message : ''
guacamole_compose | )

Removing the '+' sign from the email address works fine, as does surrounding the entire email address with double-quotes. But of course those fail authentication at the LDAP end. LDAP appears to require certain characters to be escaped, including '+', which probably explains why it's failing. Is this a bug in the LDAP auth extension? Or some other configuration I'm missing?

Thanks.
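
Added example, not part of the original post and not Guacamole's code: a sketch of RFC 4514 escaping for a username placed in a bind DN, showing why an unescaped '+' (the separator between the attribute/value pairs of a multi-valued RDN) produces a DN that fails a syntax check. The attribute name "uid", the sample address and the helper names are assumptions; the base DN is the one in the log above.

```python
# Added example: RFC 4514 escaping of a username used as an RDN value.
# Assumed: attribute "uid", constructed address; base DN is from the log.
SPECIALS = '"+,;<>\\'  # characters that must be escaped anywhere in a value


def escape_rdn_value(value: str) -> str:
    """Escape a string for use as an attribute value inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in SPECIALS or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def split_unescaped(text: str, sep: str) -> list:
    """Split on sep, skipping any character that follows a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def dn_syntax_ok(dn: str) -> bool:
    """Structural check only: every RDN component must look like type=value."""
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):
            if "=" not in ava or ava.startswith("="):
                return False
    return True


def build_user_dn(username: str, attr: str = "uid",
                  base: str = "ou=users,dc=test") -> str:
    """Build the bind DN with the user-supplied part escaped."""
    return f"{attr}={escape_rdn_value(username)},{base}"
```

The same escaping keeps a username containing ',' or '=' from adding or altering RDNs in the bind DN, so it also serves as the input-handling control against DN injection.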
