[
https://issues.apache.org/jira/browse/GUACAMOLE-2051?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17949024#comment-17949024
]
sbcbus edited comment on GUACAMOLE-2051 at 5/2/25 9:04 PM:
-----------------------------------------------------------
{noformat}
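# networks
# create a network 'guacnetwork_compose' in mode 'bridged'
networks:
  guacnetwork_compose:

# services
services:
  # guacd
  guacd:
    container_name: guacd
    # uid:gid is quoted so a YAML 1.1 parser cannot read it as a number
    user: "989:985"
    # NOTE(review): with GUACD_VERSION unset this expands to `image: latest`,
    # which is not a guacd image reference — confirm the variable is always set
    image: ${GUACD_VERSION:-latest}
    dns_opt:
      - "ndots:1"
    #image: -1.4.0
    networks:
      guacnetwork_compose:
    restart: always
    volumes:
      - ${GUAC_DRIVE_PATH:-./drive}:/drive:rw
      - ${GUAC_RECORD_PATH:-./record}:/record:rw

  mariadb:
    image: mariadb:10.3.36
    restart: always
    container_name: mariadb
    environment:
      MARIADB_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MARIADB_DATABASE: ${MYSQL_DATABASE}
      MARIADB_USER: ${MYSQL_USER}
      MARIADB_PASSWORD: ${MYSQL_PASSWORD}
    # publishes the database on every host interface; guacamole reaches mariadb
    # over guacnetwork_compose, so this mapping is only needed for clients
    # outside the compose project — drop it or bind it to 127.0.0.1 otherwise
    ports:
      - "3306:3306"
    volumes:
      - /app/mariadb:/var/lib/mysql
      - /app/guacamole-docker/maria-conf.d:/etc/mysql/conf.d
      - /app/guacamole-docker/certs:/certs
    networks:
      guacnetwork_compose:

  # guacamole
  guacamole:
    container_name: guacamole
    depends_on:
      - guacd
      - mariadb
    volumes:
      - ${GUAC_HOME_DIR:-./guac_home/guacamole}:/guac-home
      #- /app/guacamole-docker/mysql:/opt/guacamole/mysql/
    environment:
      GUACAMOLE_HOME: /guac-home
      GUACD_HOSTNAME: guacd
      MYSQL_HOSTNAME: ${MYSQL_HOSTNAME}
      MYSQL_DATABASE: ${MYSQL_DATABASE}
      # MYSQL_USERNAME and MYSQL_USER are both set from the same variable;
      # presumably one is for an older image — verify which one the image reads
      MYSQL_USERNAME: ${MYSQL_USER}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
      MYSQL_SSL_MODE: required
      MYSQL_USER: ${MYSQL_USER}
      LDAP_HOSTNAME: ${LDAP_HOSTNAME}
      LDAP_PORT: ${LDAP_PORT}
      LDAP_ENCRYPTION_METHOD: ${LDAP_ENCRYPTION_METHOD}
      LDAP_USER_BASE_DN: ${LDAP_USER_BASE_DN}
      # quoted so the container receives the string "true" rather than a
      # YAML boolean (the compose spec recommends this for env values)
      REMOTE_IP_VALVE_ENABLED: "true"
      RESTRICT_ENABLED: ${RESTRICT_ENABLED:-true}
      DUO_CLIENT_ID: ${DUO_CLIENT_ID}
      DUO_CLIENT_SECRET: ${DUO_CLIENT_SECRET}
      #DUO_APPLICATION_KEY: ${DUO_CLIENT_SECRET}
      #DUO_INTEGRATION_KEY: ${DUO_CLIENT_ID}
      #DUO_SECRET_KEY: ${DUO_CLIENT_SECRET}
      DUO_API_HOSTNAME: ${DUO_API_HOSTNAME}
      # DUO_REDIRECT_URL and DUO_REDIRECT_URI carry the same value; presumably
      # one spelling is legacy — confirm which one the image reads
      DUO_REDIRECT_URL: ${DUO_REDIRECT_URI}
      DUO_REDIRECT_URI: ${DUO_REDIRECT_URI}
      DUO_BYPASS_HOSTS: ${DUO_BYPASS_HOSTS}
      # LOGBACK_LEVEL: debug
    image: ${GUAC_VERSION:-latest}
    # image: guacamole/guacamole:1.5.5
    # image: otdi/guacamole:1.4.0-ldap
    links:
      - guacd:guacd
      - mariadb:mariadb
    ports:
      ## enable next line if not using nginx
      # NOTE(review): this mapping is active while the nginx service below is
      # also defined, so Guacamole is reachable over plain HTTP on host port 80
      # in addition to the TLS path through nginx
      - "80:8080/tcp" # Guacamole is on :8080/guacamole, not /.
    networks:
      guacnetwork_compose:
    restart: always

  nginx:
    container_name: nginx
    restart: always
    image: nginx
    volumes:
      - ./nginx/templates:/etc/nginx/templates:ro
      - ./nginx/ssl/self.cert:/etc/nginx/ssl/self.cert:ro
      - ./nginx/ssl/self-ssl.key:/etc/nginx/ssl/self-ssl.key:ro
    ports:
      - "443:8443"
    links:
      - guacamole
    networks:
      guacnetwork_compose: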
{noformat}
ldap-servers.yml (sanitized)
{noformat}
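- hostname: ldaps.domain2.corp.edu
  port: 636
  encryption-method: ssl
  search-bind-dn: CN=svcldap,OU=_Service Accounts,DC=domain2,DC=corp,DC=edu
  # value redacted for the report; quoted because a plain scalar starting
  # with '*' is parsed as a YAML alias and fails to load
  search-bind-password: '***'
  user-search-filter: '(&(objectCategory=person)(objectClass=user))'
  # NOTE(review): rejoined from a line-wrapped paste — confirm the filter
  # against the real file
  group-search-filter: '(&(objectClass=group)(!(cn=*Infra *))(|(cn=*RA *)(cn=*-app-guac*)))'
  user-base-dn: DC=domain2,DC=corp,DC=edu
  group-base-dn: DC=domain2,DC=corp,DC=edu
  username-attribute: cn
  # NOTE(review): written as one comma-separated scalar, as in
  # guacamole.properties; confirm whether ldap-servers.yml expects a YAML
  # list here instead
  user-attributes: OSUrdpWS01, OSUrdpWS02, OSUrdpWS03, cn
  max-search-results: 0
- hostname: ldaps.domain.corp.edu
  port: 636
  encryption-method: ssl
  search-bind-dn: CN=svcldap,OU=_Service Accounts,DC=domain,DC=corp,DC=edu
  # value redacted for the report; quoted for the same reason as above
  search-bind-password: '***'
  user-search-filter: '(&(objectCategory=person)(objectClass=user))'
  # NOTE(review): rejoined from a line-wrapped paste — confirm the filter
  # against the real file
  group-search-filter: '(&(objectClass=group)(!(cn=*Infra *))(!(cn=_*))(|(cn=*RA *)(cn=RA *)(cn=*-app-guac*)))'
  user-base-dn: DC=domain,DC=corp,DC=edu
  group-base-dn: DC=domain,DC=corp,DC=edu
  username-attribute: cn
  # NOTE(review): same comma-separated scalar as on the first server — see
  # the note there
  user-attributes: OSUrdpWS01, OSUrdpWS02, OSUrdpWS03, cn
  max-search-results: 0
  # single-quoted so the backslashes stay literal regex escapes
  match-usernames:
    - '(.*)@domain2\.edu'
    - '(.*)@domain\.edu'
{noformat}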
For the 1.6 staging image above, guacamole.properties has all LDAP settings
commented out. In our production 1.5.5, for it to work for us with multiple LDAP servers, we
have the user-attributes in ldap-servers.yml commented out (otherwise the same
scenario), but then in guacamole.properties for LDAP {*}only{*}:
user-attributes: OSUrdpWS01, OSUrdpWS02, OSUrdpWS03, cn
(this workaround doesn't seem to work for 1.6)
Are you testing with an ldap-servers.yml?
was (Author: JIRAUSER299297):
{noformat}
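# networks
# create a network 'guacnetwork_compose' in mode 'bridged'
networks:
  guacnetwork_compose:

# services
services:
  # guacd
  guacd:
    container_name: guacd
    # uid:gid is quoted so a YAML 1.1 parser cannot read it as a number
    user: "989:985"
    # NOTE(review): with GUACD_VERSION unset this expands to `image: latest`,
    # which is not a guacd image reference — confirm the variable is always set
    image: ${GUACD_VERSION:-latest}
    dns_opt:
      - "ndots:1"
    #image: -1.4.0
    networks:
      guacnetwork_compose:
    restart: always
    volumes:
      - ${GUAC_DRIVE_PATH:-./drive}:/drive:rw
      - ${GUAC_RECORD_PATH:-./record}:/record:rw

  mariadb:
    image: mariadb:10.3.36
    restart: always
    container_name: mariadb
    environment:
      MARIADB_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MARIADB_DATABASE: ${MYSQL_DATABASE}
      MARIADB_USER: ${MYSQL_USER}
      MARIADB_PASSWORD: ${MYSQL_PASSWORD}
    # publishes the database on every host interface; guacamole reaches mariadb
    # over guacnetwork_compose, so this mapping is only needed for clients
    # outside the compose project — drop it or bind it to 127.0.0.1 otherwise
    ports:
      - "3306:3306"
    volumes:
      - /app/mariadb:/var/lib/mysql
      - /app/guacamole-docker/maria-conf.d:/etc/mysql/conf.d
      - /app/guacamole-docker/certs:/certs
    networks:
      guacnetwork_compose:

  # guacamole
  guacamole:
    container_name: guacamole
    depends_on:
      - guacd
      - mariadb
    volumes:
      - ${GUAC_HOME_DIR:-./guac_home/guacamole}:/guac-home
      #- /app/guacamole-docker/mysql:/opt/guacamole/mysql/
    environment:
      GUACAMOLE_HOME: /guac-home
      GUACD_HOSTNAME: guacd
      MYSQL_HOSTNAME: ${MYSQL_HOSTNAME}
      MYSQL_DATABASE: ${MYSQL_DATABASE}
      # MYSQL_USERNAME and MYSQL_USER are both set from the same variable;
      # presumably one is for an older image — verify which one the image reads
      MYSQL_USERNAME: ${MYSQL_USER}
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
      MYSQL_SSL_MODE: required
      MYSQL_USER: ${MYSQL_USER}
      LDAP_HOSTNAME: ${LDAP_HOSTNAME}
      LDAP_PORT: ${LDAP_PORT}
      LDAP_ENCRYPTION_METHOD: ${LDAP_ENCRYPTION_METHOD}
      LDAP_USER_BASE_DN: ${LDAP_USER_BASE_DN}
      # quoted so the container receives the string "true" rather than a
      # YAML boolean (the compose spec recommends this for env values)
      REMOTE_IP_VALVE_ENABLED: "true"
      RESTRICT_ENABLED: ${RESTRICT_ENABLED:-true}
      DUO_CLIENT_ID: ${DUO_CLIENT_ID}
      DUO_CLIENT_SECRET: ${DUO_CLIENT_SECRET}
      #DUO_APPLICATION_KEY: ${DUO_CLIENT_SECRET}
      #DUO_INTEGRATION_KEY: ${DUO_CLIENT_ID}
      #DUO_SECRET_KEY: ${DUO_CLIENT_SECRET}
      DUO_API_HOSTNAME: ${DUO_API_HOSTNAME}
      # DUO_REDIRECT_URL and DUO_REDIRECT_URI carry the same value; presumably
      # one spelling is legacy — confirm which one the image reads
      DUO_REDIRECT_URL: ${DUO_REDIRECT_URI}
      DUO_REDIRECT_URI: ${DUO_REDIRECT_URI}
      DUO_BYPASS_HOSTS: ${DUO_BYPASS_HOSTS}
      # LOGBACK_LEVEL: debug
    image: ${GUAC_VERSION:-latest}
    # image: guacamole/guacamole:1.5.5
    # image: otdi/guacamole:1.4.0-ldap
    links:
      - guacd:guacd
      - mariadb:mariadb
    ports:
      ## enable next line if not using nginx
      # NOTE(review): this mapping is active while the nginx service below is
      # also defined, so Guacamole is reachable over plain HTTP on host port 80
      # in addition to the TLS path through nginx
      - "80:8080/tcp" # Guacamole is on :8080/guacamole, not /.
    networks:
      guacnetwork_compose:
    restart: always

  nginx:
    container_name: nginx
    restart: always
    image: nginx
    volumes:
      - ./nginx/templates:/etc/nginx/templates:ro
      - ./nginx/ssl/self.cert:/etc/nginx/ssl/self.cert:ro
      - ./nginx/ssl/self-ssl.key:/etc/nginx/ssl/self-ssl.key:ro
    ports:
      - "443:8443"
    links:
      - guacamole
    networks:
      guacnetwork_compose: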
{noformat}
ldap-servers.yml (sanitized)
{noformat}
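- hostname: ldaps.domain2.corp.edu
  port: 636
  encryption-method: ssl
  search-bind-dn: CN=svcldap,OU=_Service Accounts,DC=domain2,DC=corp,DC=edu
  # value redacted for the report; quoted because a plain scalar starting
  # with '*' is parsed as a YAML alias and fails to load
  search-bind-password: '***'
  user-search-filter: '(&(objectCategory=person)(objectClass=user))'
  # NOTE(review): rejoined from a line-wrapped paste — confirm the filter
  # against the real file
  group-search-filter: '(&(objectClass=group)(!(cn=*Infra *))(|(cn=*RA *)(cn=*-app-guac*)))'
  user-base-dn: DC=domain2,DC=corp,DC=edu
  group-base-dn: DC=domain2,DC=corp,DC=edu
  username-attribute: cn
  # NOTE(review): written as one comma-separated scalar, as in
  # guacamole.properties; confirm whether ldap-servers.yml expects a YAML
  # list here instead
  user-attributes: OSUrdpWS01, OSUrdpWS02, OSUrdpWS03, cn
  max-search-results: 0
- hostname: ldaps.domain.corp.edu
  port: 636
  encryption-method: ssl
  search-bind-dn: CN=svcldap,OU=_Service Accounts,DC=domain,DC=corp,DC=edu
  # value redacted for the report; quoted for the same reason as above
  search-bind-password: '***'
  user-search-filter: '(&(objectCategory=person)(objectClass=user))'
  # NOTE(review): rejoined from a line-wrapped paste — confirm the filter
  # against the real file
  group-search-filter: '(&(objectClass=group)(!(cn=*Infra *))(!(cn=_*))(|(cn=*RA *)(cn=RA *)(cn=*-app-guac*)))'
  user-base-dn: DC=domain,DC=corp,DC=edu
  group-base-dn: DC=domain,DC=corp,DC=edu
  username-attribute: cn
  # NOTE(review): same comma-separated scalar as on the first server — see
  # the note there
  user-attributes: OSUrdpWS01, OSUrdpWS02, OSUrdpWS03, cn
  max-search-results: 0
  # single-quoted so the backslashes stay literal regex escapes
  match-usernames:
    - '(.*)@domain2\.edu'
    - '(.*)@domain\.edu'
{noformat}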
guacamole.properties has all LDAP settings commented out, except that currently in
1.5.5, for it to work for us, we have {*}only{*}:
user-attributes: OSUrdpWS01, OSUrdpWS02, OSUrdpWS03, cn
Are you testing with an ldap-servers.yml?
> LDAP user attributes do not work when specified in ldap-servers.yml, at all
> with 1.6.0+
> ---------------------------------------------------------------------------------------
>
> Key: GUACAMOLE-2051
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2051
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-ldap
> Affects Versions: 1.5.5
> Environment: Docker
> Reporter: sbcbus
> Priority: Major
>
> Two issues, but both related in the end. The variance between them made it a bit
> difficult to troubleshoot.
> +In 1.5.5:+
> It seems "user-attributes:" does not work when specified in ldap-servers.yml.
> We recently had a change where we added an additional LDAP source so moved
> the entire config to there. Our connections that rely on custom attributes
> for the connection host name stopped working. *Uncommenting
> ldap-user-attributes: ... in guacamole.properties is a workaround.*
>
> +1.6.0:+
> The attributes do not seem to work *at all* in latest staging/1.6.0 branch.
> Neither ldap-user-attributes: customAttributeName nor specifying it in ldap-users.yml
> as user-attributes: customAttributeName works. The guacd log shows the error as an
> incorrect host name/DNS error, seemingly confirming that it is not being read.
> Reverting docker back to 1.5.5 results in case above.