Having seen the latest release notes, I'm wondering if I should just use the new HTTP header based authentication (since I already have a working .htaccess file that works with LDAP).
Is there much that the built-in LDAP authentication would offer that HTTP header authentication wouldn't? I understand that both of them will allow a valid user to log in to Guacamole, and if using HTTP header authentication this wouldn't give the opportunity to store connection information in LDAP - but is there fundamentally anything else? I don't know why I'm getting the errors I am seeing (probably my inexperience with Guacamole configuration), but the HTTP header authentication would seem to be a good way round this.

Thanks,

Jonathan

On 1 April 2017 at 08:46, Jonathan Hunter <[email protected]> wrote:
> Hi,
>
> I'm setting up guacamole for the first time, using the docker images,
> and have been very impressed with the whole application - thanks to
> all the dev team! The fact that this can work at all, in a web browser
> using HTML, still feels like black magic to me :)
>
> However I'm trying to progress beyond using the 'guacadmin' user, so
> I'm trying to set up LDAP authentication (I'm using samba4 AD).
>
> My docker run command is pasted in below (sanitised); this works fine
> with the guacadmin user until I add the LDAP details, at which point
> whenever I try to log in with an LDAP user, I get the following in the
> guacamole logs (as viewed with '# docker logs -f gc-guacamole'):
>
> 3:06:51.671 [http-nio-8080-exec-3] ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Error while query user DNs.
> 23:06:51.672 [http-nio-8080-exec-3] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.5.10] for user "testuser" failed.
>
> I checked the LDAP bind details using ldapsearch; these worked fine. I
> then tried wireshark to capture the LDAP traffic to check what was
> actually being queried. Details of how I captured the traffic are
> below, in case this helps others in a similar situation, but I can
> confirm that guacamole asks for:
>
> baseObject: dc=mydomain,dc=org
> scope: wholeSubtree (2)
> Filter: (&(objectClass=*)(sAMAccountName=testuser))
>
> and the LDAP server responds with:
>
> objectName: CN=testuser,OU=Users,OU=myou,DC=mydomain,DC=org
> attributes: 34 items
> [...]
>
> So, I'm not too sure why guacamole is reporting 'Error while query user DNs'.
>
> I've had a look through the code at
> https://github.com/apache/incubator-guacamole-client/blob/master/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java
> and I can't see what might be wrong. As far as I can tell, guacamole
> is asking for a user DN and one is being returned - so I'm not sure
> where the error is. Perhaps I've missed out some other LDAP setting?
>
> Can anyone point me in the right direction of what I could check next?
> This is my first time setting this up, so unfortunately I don't have a
> "known good" configuration yet :(
>
> Once this is working, I'll see if I can figure out a way to specify
> more than one LDAP server (I have multiple DCs), use groups, etc. - but
> first steps first :)
>
> Thanks,
>
> Jonathan
>
> --
> "If we knew what it was we were doing, it would not be called
> research, would it?"
> - Albert Einstein
>
>
>
> My docker command (copied and pasted, but sanitised):
>
> # docker run --restart=always \
>     --name gc-guacamole --link gc-guacd:guacd \
>     -e MYSQL_HOSTNAME=192.168.2.3 \
>     -e MYSQL_DATABASE=guacamole_db \
>     -e MYSQL_USER=guacamole_user \
>     -e MYSQL_PASSWORD=thedatabasepassword \
>     -e LDAP_HOSTNAME=dc1.mydomain.org \
>     -e LDAP_USER_BASE_DN=dc=mydomain,dc=org \
>     -e LDAP_SEARCH_BIND_DN=cn=guacamole,cn=Users,dc=mydomain,dc=org \
>     -e LDAP_SEARCH_BIND_PASSWORD=thecorrectpassword \
>     -e LDAP_USERNAME_ATTRIBUTE=sAMAccountName \
>     -e LDAP_ENCRYPTION_METHOD=ssl \
>     -d -p 80:8080 glyptodon/guacamole
> docker exec -i gc-guacamole /bin/bash -c 'cat > /tmp/mycaca.crt' < /var/www/html/myca/mycaca.crt
> docker exec -i gc-guacamole keytool -importcert -file /tmp/mycaca.crt -noprompt -keystore /etc/ssl/certs/java/cacerts -storepass changeit
>
>
>
> My method of capturing SSL LDAP traffic from samba4 was roughly as follows:
>
> In the guacamole docker container, set up jSSLKeyLog, otherwise we are
> defeated by Perfect Forward Secrecy (samba4 now insists on strong SSL
> by default, post Badlock patches):
>
> [root@server ~]# docker exec -it gc-guacamole bash
> apt-get install vim
> wget "https://downloads.sourceforge.net/project/jsslkeylog/jsslkeylog-1.1/jSSLKeyLog-1.1.zip?r=http%3A%2F%2Fjsslkeylog.sourceforge.net%2F&ts=1491004374&use_mirror=netcologne"
> unzip jSSLKeyLog-1.1.zip*
> vi /usr/local/tomcat/bin/catalina.sh
>
> Add:
>
> CATALINA_OPTS="-javaagent:/usr/local/tomcat/jSSLKeyLog.jar=/tmp/jsslkeylog.txt"
>
> Then restart the docker container, and
>
> [root@server ~]# docker exec -it gc-guacamole tail -F /tmp/jsslkeylog.txt
>
> [ copy and paste the resultant output and save it to the laptop used
> for wireshark ]
>
> On the DC:
>
> user@dc1:~ $ sudo scp /usr/local/samba/private/tls/key.pem wiresharklaptop:tmp/
> user@dc1:~ $ sudo tcpdump -n host 192.168.2.4 and port 636 -s16384 -w guacamole.cap
> [ capture relevant traffic ]
> user@dc1:~ $ scp guacamole.cap wiresharklaptop:tmp/

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
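The question at the top of the thread (LDAP extension versus HTTP header authentication fronted by an Apache .htaccess/LDAP setup) turns on one design point: with header authentication the application checks no credential itself and believes whatever identity the reverse proxy writes into a request header, so that header must only ever be able to reach the application from the proxy. The following is an added example, not code from the thread or from the Guacamole project; it models that trust decision in Python. The header name `REMOTE_USER`, the proxy address and the request shape are assumptions made for the demonstration, and both the weak and the hardened check are shown side by side together with what the proxy must do to its forwarded headers.

```python
"""Trust-boundary model for reverse-proxy (HTTP header) authentication.

Added example; not from the mailing-list thread or the Guacamole project.
AUTH_HEADER, TRUSTED_PROXY and the Request class are assumptions for the demo.
"""
from dataclasses import dataclass, field

AUTH_HEADER = "REMOTE_USER"   # assumed header the proxy uses to pass the identity
TRUSTED_PROXY = "10.0.0.2"    # constructed address of the reverse proxy


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the application sees it."""
    remote_addr: str                           # TCP peer that connected to the app
    headers: dict = field(default_factory=dict)


def naive_identity(req: Request):
    """Weak form: trusts the header no matter which peer delivered the request.

    If the application port is reachable by anything other than the proxy,
    the header alone decides who is logged in.
    """
    return req.headers.get(AUTH_HEADER)


def proxy_trusted_identity(req: Request):
    """Hardened form: the header is honoured only when the TCP peer is the proxy.

    Requests that did not arrive from TRUSTED_PROXY get no identity at all,
    whatever headers they carry. A network control (bind to localhost, firewall,
    Docker network) that makes this the only path is the real enforcement; the
    check here is the application-side belt to that braces.
    """
    if req.remote_addr != TRUSTED_PROXY:
        return None
    user = req.headers.get(AUTH_HEADER)
    if not user or not user.isprintable():
        return None
    return user


def proxy_forward(client_headers: dict, authenticated_user: str) -> dict:
    """What the proxy must do before forwarding: discard any copy of the
    identity header the client supplied (any letter case), then set its own
    value from the identity it actually authenticated (here via LDAP)."""
    forwarded = {k: v for k, v in client_headers.items() if k.upper() != AUTH_HEADER}
    forwarded[AUTH_HEADER] = authenticated_user
    return forwarded


if __name__ == "__main__":
    # Constructed requests: one arriving directly, one via the proxy.
    direct = Request("192.168.5.10", {"REMOTE_USER": "guacadmin"})
    via_proxy = Request(TRUSTED_PROXY,
                        proxy_forward({"Remote_User": "guacadmin", "Host": "guac"}, "testuser"))
    print("direct, naive     :", naive_identity(direct))
    print("direct, hardened  :", proxy_trusted_identity(direct))
    print("via proxy, hardened:", proxy_trusted_identity(via_proxy))
```

The two checks answer the "anything else?" question in the thread from the application's side: the LDAP extension authenticates the user itself, whereas header authentication delegates that to the proxy and inherits whatever the proxy gets wrong, so the network path from client to application has to go through the proxy and nowhere else.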

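The two log lines quoted in the thread (an `ERROR` from `AuthenticationProviderService` about the LDAP bind, immediately followed by a `WARN` from `AuthenticationService` that the attempt from a given address failed) are also what a defender has to read when deciding whether failed Guacamole logins are a server-side misconfiguration or a client hammering the login form. The following is an added example, not code from the thread or from the Guacamole project: a small Python parser for that log format that separates failures caused by an LDAP bind error from repeated failures per source address. The sample log is constructed, modelled on the two lines in the thread and extended with extra lines; the thresholds and the two-second pairing window are assumptions for the demonstration.

```python
"""Parse Guacamole authentication log lines and split misconfiguration from brute force.

Added example; not from the mailing-list thread or the Guacamole project.
SAMPLE_LOG is constructed from the two lines quoted in the thread plus invented
extra lines; threshold, window and bind_gap are assumed values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shape seen in the thread: "HH:MM:SS.mmm [thread] LEVEL logger - message"
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2}\.\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)
FAIL_RE = re.compile(
    r'Authentication attempt from \[(?P<ip>[^\]]+)\] for user "(?P<user>[^"]*)" failed\.'
)
LDAP_BIND_RE = re.compile(r"Cannot bind with LDAP server")

# Constructed sample: first four lines mirror the thread, the rest are invented.
SAMPLE_LOG = """\
23:06:51.671 [http-nio-8080-exec-3] ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Error while query user DNs.
23:06:51.672 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.5.10] for user "testuser" failed.
23:07:02.100 [http-nio-8080-exec-5] ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: Error while query user DNs.
23:07:02.101 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.5.10] for user "testuser" failed.
23:09:15.000 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.5.77] for user "guacadmin" failed.
23:09:15.400 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.5.77] for user "guacadmin" failed.
23:09:15.900 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.5.77] for user "guacadmin" failed.
23:09:16.200 [http-nio-8080-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.5.77] for user "guacadmin" failed.
"""


def parse(text):
    """Turn log text into event dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # The thread's log lines carry no date, so parse time-of-day only.
        ev["time"] = datetime.strptime(ev["time"], "%H:%M:%S.%f")
        fail = FAIL_RE.search(ev["msg"])
        if fail:
            ev["kind"] = "auth_failed"
            ev.update(fail.groupdict())        # adds "ip" and "user"
        elif LDAP_BIND_RE.search(ev["msg"]):
            ev["kind"] = "ldap_bind_error"
        else:
            ev["kind"] = "other"
        events.append(ev)
    return events


def classify(events, threshold=3, window=timedelta(seconds=60), bind_gap=timedelta(seconds=2)):
    """Return (misconfig_failures, suspects).

    misconfig_failures: failed attempts that follow an LDAP bind error within
    bind_gap; these point at the server/config, not at the user.
    suspects: {ip: max failures seen in any `window`} for addresses reaching
    `threshold` without a bind error to explain them.
    """
    bind_times = [e["time"] for e in events if e["kind"] == "ldap_bind_error"]
    misconfig = []
    per_ip = defaultdict(list)
    for e in events:
        if e["kind"] != "auth_failed":
            continue
        if any(timedelta(0) <= e["time"] - t <= bind_gap for t in bind_times):
            misconfig.append(e)
        else:
            per_ip[e["ip"]].append(e["time"])

    suspects = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):              # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                suspects[ip] = max(suspects.get(ip, 0), count)
    return misconfig, suspects


if __name__ == "__main__":
    misconfig, suspects = classify(parse(SAMPLE_LOG))
    print("failures explained by LDAP bind errors:", len(misconfig))
    print("addresses with repeated unexplained failures:", suspects)
```

Run against the constructed sample, the two `testuser` failures are attributed to the preceding bind errors (the situation described in the thread), while the four `guacadmin` failures from one address inside a minute are reported as a suspect; in the real deployment the same split tells you whether to look at `LDAP_SEARCH_BIND_DN` and the CA import or at the client.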