Hi,

ldap-encryption-metod -> ldap-encryption-method
Fri, 31 Jan 2025 at 11:52, Krzysztof Gorny (Fujitsu) <[email protected]>:

> I would like to ask you for help. In our environment we are installing a
> fresh *Guacamole Server in version 1.5.5* on the latest *Ubuntu Server 24.04*.
> We are configuring Guacamole to use a PostgreSQL database, so we are also
> installing *PostgreSQL in ver 42.7.5*. During configuration we are also
> installing Java in the version below:
>
>     openjdk version "21.0.5" 2024-10-15
>     OpenJDK Runtime Environment (build 21.0.5+11-Ubuntu-1ubuntu124.04)
>     OpenJDK 64-Bit Server VM (build 21.0.5+11-Ubuntu-1ubuntu124.04, mixed mode, sharing)
>
> We also need authentication with our Active Directory.
> We performed the installation of *Tomcat9* and also *guacamole-auth-ldap-1.5.5*.
> After that we added our CA certificate to the Java trust store:
>
>     /usr/lib/jvm/java-21-openjdk-amd64/bin/keytool -import -trustcacerts \
>         -keystore /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts \
>         -storepass changeit -noprompt -alias RootCA -file /etc/ssl/certs/RootCAcert.pem
>
> and to the Ubuntu CA store:
>
>     cp RootCAcert.crt /usr/local/share/ca-certificates
>     update-ca-certificates
>
> We confirmed that the certificate and port are working, as we performed the
> query below and the connection was successful:
>
>     ldapsearch -xLLLH ldaps://FQDNofLDAP:636 -D "cn=AccountFromGuacamole.Properties" \
>         -w "CorrectPassword" -b "ldap-user-base-dnEntry" -s sub \
>         "(sAMAccountName=UserFromAD)" sAMAccountName -o tls_cacert=/etc/ssl/certs/RootCAcert.pem
>
> After that we configured *guacamole.properties* with correct values as follows:
>
>     ldap-hostname: FQDNofLDAP
>     ldap-port: 636
>     ldap-encryption-metod: ssl
>     ldap-user-base-dn: CorrectlyFulfilled
>     ldap-username-attribute: sAMAccountName
>     ldap-search-bind-dn: CorrectlyFulfilled
>     ldap-search-bind-password: CorrectPassword
>
> We perform a restart of tomcat9 and a restart of guacd.
> Unfortunately, after the above actions we have a problem. When we try to log in
> to Guacamole using our AD credentials we receive the error "Invalid Login" on
> the website. In the *catalina.out* log we see these errors:
>
>     [2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "FQDNofLDAP" as user "cn=AccountFromGuacamole.Properties" failed: PROTOCOL_ERROR: The server will disconnect!
>     [2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=AccountFromGuacamole.Properties"
>     [2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] INFO  o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user "UserFromAD" using LDAP server "FQDNofLDAP". Proceeding with next server...
>     [2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] INFO  o.a.g.a.l.AuthenticationProviderService - User "testuser" did not successfully authenticate against any LDAP server.
>     [2025-01-30 08:55:15] [info] 08:55:15.644 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.18.8.7 for user "UserFromAD" failed.
>
> When we configured *logback.xml* to show Debug events we also see the errors below:
>
>     [2025-01-30 13:22:23] [info] 13:22:23.281 [NioProcessor-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04137_NOD_RECEIVED ()
>     [2025-01-30 13:22:23] [info] 13:22:23.281 [NioProcessor-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04137_NOD_RECEIVED ()
>     [2025-01-30 13:22:23] [info] 13:22:23.288 [http-nio-8080-exec-9] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
>     [2025-01-30 13:22:23] [info]     Message ID : -1
>     [2025-01-30 13:22:23] [info]     BindResponse
>     [2025-01-30 13:22:23] [info]         Ldap Result
>     [2025-01-30 13:22:23] [info]             Result code : (PROTOCOL_ERROR) protocolError
>     [2025-01-30 13:22:23] [info]             Matched Dn : 'null'
>     [2025-01-30 13:22:23] [info]             Diagnostic message : 'PROTOCOL_ERROR: The server will disconnect!'
>     [2025-01-30 13:22:23] [info] )
>     [2025-01-30 13:22:23] [info] 13:22:23.289 [http-nio-8080-exec-9] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "FQDNofLDAP" as user "CorrectlyFulfilledDN" failed: PROTOCOL_ERROR: The server will disconnect!
>     [2025-01-30 13:22:23] [info] 13:22:23.289 [http-nio-8080-exec-9] DEBUG o.a.g.a.ldap.LDAPConnectionService - Unable to bind to LDAP server.
>     [2025-01-30 13:22:23] [info] org.apache.directory.api.ldap.model.exception.LdapProtocolErrorException: PROTOCOL_ERROR: The server will disconnect!
>
> The problem does not occur when we change the two values below in
> guacamole.properties:
>
>     ldap-port: 389
>     ldap-encryption-metod: none
>
> Additionally, in a separate test we have tried to use:
>
>     openssl s_client -connect FQDNofLDAP:636 -showcerts </dev/null 2>/dev/null \
>         | openssl x509 -outform pem > RootCAcert2.pem
>     cp RootCAcert2.pem /etc/ssl/certs/RootCAcert2.pem
>     /usr/lib/jvm/java-21-openjdk-amd64/bin/keytool -import -trustcacerts \
>         -keystore /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts \
>         -storepass changeit -noprompt -alias RootCA -file /etc/ssl/certs/RootCAcert2.pem
>
> but the certificate did not work either. Unfortunately, we would like to use
> LDAPS, not only LDAP. In other programs the connection is working without
> problems.
>
> Could you be so kind as to help identify the problem and find a solution for
> this?
>
> *Kind regards,*
>
> *Krzysztof Górny*
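As an added check (example code written for this page; it is not part of the thread and not Guacamole project code): a small linter for the LDAP section of guacamole.properties. Guacamole reads properties by exact name, so a misspelled key such as `ldap-encryption-metod` is silently ignored and the extension falls back to its default of `none`, which makes the client speak plaintext LDAP to port 636 and is consistent with the PROTOCOL_ERROR and disconnect seen in the logs above. The linter flags unknown `ldap-*` keys with a closest-match suggestion and reports the resulting port/encryption mismatch. Assumptions: the property-name set is a subset of the documented guacamole-auth-ldap settings (extend it from the manual for your version), the defaults of port 389 and encryption `none` are the documented ones, and the sample configuration is constructed to mirror the one quoted in the thread.

```python
"""Lint the LDAP settings in a guacamole.properties file for keys the
guacamole-auth-ldap extension will ignore and for port/encryption mismatches.
Added example for this page; not Guacamole project code."""
import difflib
import re

# Assumption: a subset of the property names documented for guacamole-auth-ldap.
# Extend it from the manual for the version you run. Any ldap-* key not in this
# set is reported, because Guacamole ignores unknown keys instead of rejecting them.
KNOWN_LDAP_PROPERTIES = frozenset({
    "ldap-hostname", "ldap-port", "ldap-encryption-method",
    "ldap-user-base-dn", "ldap-username-attribute", "ldap-user-search-filter",
    "ldap-search-bind-dn", "ldap-search-bind-password",
    "ldap-config-base-dn", "ldap-group-base-dn", "ldap-member-attribute",
    "ldap-max-search-results", "ldap-follow-referrals",
    "ldap-operation-timeout", "ldap-network-timeout",
})

# Documented defaults the extension falls back to when a key is absent or misspelled.
DEFAULTS = {"ldap-port": "389", "ldap-encryption-method": "none"}
VALID_ENCRYPTION = ("none", "ssl", "starttls")


def parse_properties(text):
    """Parse Java .properties text ("key: value" or "key=value") into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def lint_ldap_config(text):
    """Return a list of human-readable findings for the LDAP settings in `text`."""
    props = parse_properties(text)
    findings = []

    # 1. Keys that look like LDAP settings but will never be read.
    for key in props:
        if key.startswith("ldap-") and key not in KNOWN_LDAP_PROPERTIES:
            hint = difflib.get_close_matches(key, KNOWN_LDAP_PROPERTIES, n=1, cutoff=0.8)
            msg = f"unknown property '{key}' is ignored by guacamole-auth-ldap"
            if hint:
                msg += f"; did you mean '{hint[0]}'?"
            findings.append(msg)

    # 2. Reason about the values Guacamole will actually use, defaults included.
    port = props.get("ldap-port", DEFAULTS["ldap-port"])
    enc = props.get("ldap-encryption-method", DEFAULTS["ldap-encryption-method"])

    if enc not in VALID_ENCRYPTION:
        findings.append(f"ldap-encryption-method '{enc}' is not one of {VALID_ENCRYPTION}")
    elif port == "636" and enc != "ssl":
        findings.append(
            f"ldap-port 636 with effective encryption '{enc}': the client will send "
            "plaintext LDAP to an LDAPS port (expect PROTOCOL_ERROR and a disconnect)")
    elif port == "389" and enc == "ssl":
        findings.append("ldap-port 389 with ldap-encryption-method ssl: a TLS handshake "
                        "against the plaintext port will fail; use starttls or port 636")
    if enc == "none":
        findings.append("effective encryption 'none': the search-bind password and user "
                        "credentials cross the network in cleartext")
    return findings


# Constructed sample mirroring the configuration quoted in the thread, typo included.
BROKEN_CONFIG = """\
ldap-hostname: FQDNofLDAP
ldap-port: 636
ldap-encryption-metod: ssl
ldap-user-base-dn: CorrectlyFulfilled
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: CorrectlyFulfilled
ldap-search-bind-password: CorrectPassword
"""

# The same file with the key spelled correctly.
FIXED_CONFIG = BROKEN_CONFIG.replace("ldap-encryption-metod", "ldap-encryption-method")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} ==")
        for finding in lint_ldap_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against the real file with `lint_ldap_config(open("/etc/guacamole/guacamole.properties").read())`; the broken sample yields three findings (the ignored key with its suggestion, the 636/none mismatch, and the cleartext-credentials warning) and the corrected sample yields none. The port/encryption rules are deliberately based on the effective values after defaults, since that is what the server sees on the wire, not what the administrator believes was configured.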
