Hi, I'm setting up guacamole for the first time, using the docker images, and have been very impressed with the whole application - thanks to all the dev team! The fact that this can work at all, in a web browser using HTML, still feels like black magic to me :)
However, I'm trying to progress beyond using the 'guacadmin' user, so I'm trying to set up LDAP authentication (I'm using samba4 AD). My docker run command is pasted in below (sanitised); this works fine with the guacadmin user until I add the LDAP details, at which point whenever I try to log in with an LDAP user, I get the following in the guacamole logs (as viewed with '# docker logs -f gc-guacamole'):

    23:06:51.671 [http-nio-8080-exec-3] ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Error while query user DNs.
    23:06:51.672 [http-nio-8080-exec-3] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.5.10] for user "testuser" failed.

I checked the LDAP bind details using ldapsearch; these worked fine. I then tried wireshark to capture the LDAP traffic to check what was actually being queried. Details of how I captured the traffic are below, in case this helps others in a similar situation, but I can confirm that guacamole asks for:

    baseObject: dc=mydomain,dc=org
    scope: wholeSubtree (2)
    Filter: (&(objectClass=*)(sAMAccountName=testuser))

and the LDAP server responds with:

    objectName: CN=testuser,OU=Users,OU=myou,DC=mydomain,DC=org
    attributes: 34 items
    [...]

So, I'm not too sure why guacamole is reporting 'Error while query user DNs'. I've had a look through the code at https://github.com/apache/incubator-guacamole-client/blob/master/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java and I can't see what might be wrong. As far as I can tell, guacamole is asking for a user DN and one is being returned, so I'm not sure where the error is. Perhaps I've missed out some other LDAP setting? Can anyone point me in the right direction of what I could check next?

This is my first time setting this up, so unfortunately I don't have a "known good" configuration yet :( Once this is working, I'll see if I can figure out a way to specify more than one LDAP server (I have multiple DCs), use groups, etc. etc. - but first steps first :)

Thanks,
Jonathan

-- 
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein

My docker command (copied and pasted, but sanitised):

    # docker run --restart=always \
        --name gc-guacamole --link gc-guacd:guacd \
        -e MYSQL_HOSTNAME=192.168.2.3 \
        -e MYSQL_DATABASE=guacamole_db \
        -e MYSQL_USER=guacamole_user \
        -e MYSQL_PASSWORD=thedatabasepassword \
        -e LDAP_HOSTNAME=dc1.mydomain.org \
        -e LDAP_USER_BASE_DN=dc=mydomain,dc=org \
        -e LDAP_SEARCH_BIND_DN=cn=guacamole,cn=Users,dc=mydomain,dc=org \
        -e LDAP_SEARCH_BIND_PASSWORD=thecorrectpassword \
        -e LDAP_USERNAME_ATTRIBUTE=sAMAccountName \
        -e LDAP_ENCRYPTION_METHOD=ssl \
        -d -p 80:8080 glyptodon/guacamole

    docker exec -i gc-guacamole /bin/bash -c 'cat > /tmp/myca.crt' < /var/www/html/myca/mycaca.crt
    docker exec -i gc-guacamole keytool -importcert -file /tmp/mycaca.crt -noprompt -keystore /etc/ssl/certs/java/cacerts -storepass changeit

My method of capturing SSL LDAP traffic from samba4 was roughly as follows:

In the guacamole docker container, set up jSSLKeyLog, otherwise we are defeated by Perfect Forward Secrecy (samba4 now insists on strong SSL by default, post Badlock patches):

    [root@server ~]# docker exec -it gc-guacamole bash
    apt-get install vim
    wget "https://downloads.sourceforge.net/project/jsslkeylog/jsslkeylog-1.1/jSSLKeyLog-1.1.zip?r=http%3A%2F%2Fjsslkeylog.sourceforge.net%2F&ts=1491004374&use_mirror=netcologne"
    unzip jSSLKeyLog-1.1.zip*
    vi /usr/local/tomcat/bin/catalina.sh

Add:

    CATALINA_OPTS="-javaagent:/usr/local/tomcat/jSSLKeyLog.jar=/tmp/jsslkeylog.txt"

Then restart the docker container, and

    [root@server ~]# docker exec -it gc-guacamole 'tail -F /tmp/jsslkeylog.txt'

[ copy and paste the resultant output and save it to the laptop used for wireshark ]

On the DC:

    user@dc1:~ $ sudo scp /usr/local/samba/private/tls/key.pem wiresharklaptop:tmp/
    user@dc1:~ $ sudo tcpdump -n host 192.168.2.4 and port 636 -s16384 -wguacamole.cap

[ capture relevant traffic ]

    user@dc1:~ $ scp guacamole.cap wiresharklaptop:tmp/
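The user-DN search captured in the post, reproduced as a standalone troubleshooting script so the same query can be run and its result count compared without a packet capture. This is an added example, not code from the original post or from the Guacamole project; it assumes the ldap3 library for the optional live search, reuses the post's sanitised base DN and attribute name as constructed sample values, and all helper names are hypothetical.

```python
"""Reproduce the user-DN lookup the Guacamole LDAP extension performs.

Constructed example: default values below are the sanitised ones from the
post, overridable through the same LDAP_* environment variables.
"""
import os

try:
    import ldap3  # only needed for the live search (assumed library)
except ImportError:
    ldap3 = None  # filter-building and result checks still work offline

BASE_DN = os.environ.get("LDAP_USER_BASE_DN", "dc=mydomain,dc=org")
USERNAME_ATTRIBUTE = os.environ.get("LDAP_USERNAME_ATTRIBUTE", "sAMAccountName")

# RFC 4515 escapes: the login-form username is untrusted input and must not
# be able to change the structure of the filter it is placed into.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_dn_filter(username: str, attribute: str = USERNAME_ATTRIBUTE) -> str:
    """Build the filter seen on the wire: (&(objectClass=*)(sAMAccountName=...))."""
    return "(&(objectClass=*)(%s=%s))" % (attribute, escape_filter_value(username))


def classify_matches(dns) -> str:
    """Summarise a lookup so a surprising result is obvious at a glance:
    exactly one DN is what a username-to-DN mapping needs."""
    if len(dns) == 0:
        return "no match"
    if len(dns) == 1:
        return "unique"
    return "ambiguous"


def lookup_user_dns(username, host, bind_dn, bind_password, use_ssl=True):
    """Run the same subtree search over LDAPS (port 636) and return the DNs."""
    server = ldap3.Server(host, port=636 if use_ssl else 389, use_ssl=use_ssl)
    conn = ldap3.Connection(server, user=bind_dn, password=bind_password, auto_bind=True)
    conn.search(BASE_DN, user_dn_filter(username), search_scope=ldap3.SUBTREE, attributes=[])
    return [entry.entry_dn for entry in conn.entries]
```

Call lookup_user_dns with the same LDAP_SEARCH_BIND_DN and password the container uses, then pass the list to classify_matches; a "no match" or "ambiguous" result points at the base DN or username attribute rather than at the bind.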
