>Dec 1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon Moen". >Dec 1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Steve Smith".
Are these users able to login successfully? Do they appear in the user list when logged in to the admin console? Double check that the ldap-user-base-dn is at the root of the AD structure and the ldap-search-bind-dn user is correctly qualified. As Mike said, try fully qualifying the base-dn attribute and post results. It may be that the ldap-auth module is querying your AD and returning incomplete information do this not being fully qualified. Erik Berndt / Systems Administrator 5551 Wellington Rd, Gainesville, VA 20155 703.631.0004 x520 (Phone) / 703.257.1725 (Fax) http://www.superiorpaving.net Need to open an IT support ticket? http://FixIT.superiorpaving.net/portal or fi...@superiorpaving.net On Fri, Dec 1, 2017 at 1:37 PM, <harry.dev...@faa.gov> wrote: > OK I was able to get it to log in. Here’s what I changed in my > guacamole.properties to make it work: > > ldap-search-bind-dn:cn=”Directory Manager” > > ldap-user-base-dn:cn=users,cn=accounts,dc=example,dc=com > > > > So the user logs in fine, but in /var/log/messages, I get the following > errors that I’m not sure are relevant or not: > > Dec 1 13:34:34 access server: 13:34:34.157 [http-bio-8080-exec-6] INFO > o.a.g.r.auth.AuthenticationService - User "harry.devine" successfully > authenticated from 172.31.26.216. > > Dec 1 13:34:35 access server: 13:34:35.644 [http-bio-8080-exec-6] WARN > o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: "Jon > Moen". > > Dec 1 13:34:36 access server: 13:34:36.122 [http-bio-8080-exec-6] WARN > o.a.g.auth.ldap.user.UserService - Possibly ambiguous user account: > "Steve Smith". > > Dec 1 13:34:36 access server: 13:34:36.146 [http-bio-8080-exec-6] WARN > o.a.g.auth.ldap.user.UserService - Could not query list of all users for > attribute "cn": Error while querying users. > > > > VERY close now! Thoughts? > > Harry > > > > *From:* Erik Berndt [mailto:erikber...@superiorpaving.net] > *Sent:* Friday, December 01, 2017 12:19 PM > *To:* user@guacamole.apache.org > *Subject:* Re: Configuring LDAP > > > > I don't know if you paraphrased the config file, but I noticed the > ldap-search-bind-dn common name doesn't have the space escaped. I wonder if > guacd is treating the ldap-search-bind-dn cn as two separate entries, hence > the "Multiple DNs possible" error? > > > > I'm not sure if it's required or not, but I fully qualified each LDAP > parameter i.e. ldap-search-bind-dn: CN="Directory > Manager",OU=foo,DC=faa,DC=gov" and it's working successfully for us. The > search-bind-dn user should be part of the base-dn in case it isn't already. > > > > The relevant LDAP attributes from our working configuration are below. > > > > ldap-hostname: dc.local > ldap-port: 389 > ldap-user-base-dn: OU="Superior Paving Employees",DC=superiorpaving,DC=net > ldap-search-bind-dn: CN=guacamole,OU="Information > Technology",OU=Office,OU="Superior Paving Employees",DC=superiorpaving, > DC=net > ldap-search-bind-password: XXXXX > > > > > Erik Berndt / Systems Administrator > 5551 Wellington Rd, Gainesville, VA 20155 > <https://maps.google.com/?q=5551+Wellington+Rd,+Gainesville,+VA+20155+%0D+703&entry=gmail&source=g> > 703.631.0004 x520 (Phone) / 703.257.1725 (Fax) > http://www.superiorpaving.net > > Need to open an IT support ticket? > http://FixIT.superiorpaving.net/portal or fi...@superiorpaving.net > > > > On Fri, Dec 1, 2017 at 11:11 AM, <harry.dev...@faa.gov> wrote: > > Just wondering if anyone has any ideas on how the LDAP is configured > below? This still isn’t working for me and I’d like to know why. > > > > Thanks, > > Harry > > > > *From:* Devine, Harry (FAA) > *Sent:* Monday, November 27, 2017 1:49 PM > *To:* user@guacamole.apache.org > *Subject:* RE: Configuring LDAP > > > > Here’s my current /etc/guacamole/guacamole.properties file: > > > > #MySQL properties > > mysql-hostname: localhost > > mysql-port:3306 > > mysql-database: guacdb > > mysql-username: guacuser > > mysql-password: guacadmin > > mysql-default-max-connections-per-user: 0 > > mysql-default-max-group-connections-per-user:0 > > > > #LDAP properties > > ldap-hostname:my.hostname > > ldap-port:389 > > ldap-encryption-method:none > > ldap-dereference-aliases:never > > ldap-search-bind-dn:cn=Directory Manager > > ldap-search-bind-password:pass123 > > ldap-user-base-dn:dc=example,dc=com > > #ldap-username-attribute=cn=users,cn=accounts,dc=example,dc=com > > ldap-username-attribute:cn > > ldap-group-base-dn:cn=groups,cn=accounts,dc=example,dc=com > > > > > > When I use the ldap-username-attribute:cn setting, I get the error where > the Multiple DNs are what’s being complained about. If I use the other one > (the commented out one above), I simply get “Authentication attempted …… > failed”. We use the “cn=users,cn=accounts” string in other projects where > we communicate with our LDAP server, so I’m pretty sure that’s correct. > > > > Thanks, > > Harry > > > > *From:* Jonathan Hankins [mailto:jhank...@homewood.k12.al.us > <jhank...@homewood.k12.al.us>] > *Sent:* Monday, November 27, 2017 12:38 PM > *To:* user@guacamole.apache.org > *Subject:* Re: Configuring LDAP > > > > Harry, you said you tried "modifying ldap-username-attribute to be > cn=users,cn=accounts,dc=example,dc=com" - just wanted to confirm. > Ldap-username-attribute should be an LDAP attribute name like cn. Could you > post your complete (redacted) guacamole.properties as you have it currently? > > > > Also, I saw that on a previous attempt today you got the log message: > > > > Nov 27 09:42:01 access server: 09:42:01.909 [http-bio-8080-exec-6] WARN > o.a.g.a.l.AuthenticationProviderService - Multiple DNs possible for user > "harry.devine": [uid=harry.devine,cn=users,cn=compat,dc=example,dc=com, > uid=harry.devine,cn=users,cn=accounts,dc=example,dc=com] > > > > If you have two users under your search base with uid (or cn, or whatever > you are using for ldap-username-attribute) "harry.devine" you are going to > have to use a more specific search base or a more unique > ldap-username-attribute or a more restrictive search filter so that you > don't get multiple matches for the username you are typing into the > username field on the login page. > > > > I.e., the attribute you match against has to uniquely identify the user > beneath your search base for your query. > > > > -Jonathan Hankins > > > > On Mon, Nov 27, 2017, 10:10 AM Nick Couchman <vn...@apache.org> wrote: > > On Mon, Nov 27, 2017 at 10:02 AM, <harry.dev...@faa.gov> wrote: > > OK, so I tried that, including modifying ldap-username-attribute to be > cn=users,cn=accounts,dc=example,dc=com, and now I get a 403 error in the > Developer Tools, and the following error in /var/log/messages: > > > > Nov 27 10:00:34 access server: 10:00:34.766 [http-bio-8080-exec-8] WARN > o.a.g.r.auth.AuthenticationService - Authentication attempt from > xxx.xxx.xxx.xxx for user "harry.devine" failed. > > > > However, I know that the password is 100% correct. Where to look now? I > feel we’re getting very close. > > > > > > What LDAP server are you running? You probably mentioned it already > somewhere in this thread, and I'm going to guess Active Directory, but just > want to make sure? If it's OpenLDAP then it is quite possible it is > configured to disallow logins without some form of encryption (although I > wouldn't expect the search bind to work in this case, but who knows). AD > doesn't usually have those restrictions, but depending on the environment, > it actually might require encryption, as well. Other than that, it would > be useful to get a log from the LDAP server that indicates why it is > failing authentication - if it believes the password is wrong, or if it is > throwing some other sort of error. I realize that you might be in an > organization where you don't have access to that server or those logs, but, > if you do, that would be helpful. > > > > -Nick > > > This e-mail is intended only for the recipient and may contain > confidential or proprietary information. If you are not the intended > recipient, the review, distribution, duplication or retention of this > message and its attachments is prohibited. Please notify the sender of this > error immediately by reply e-mail, and permanently delete this message and > its attachments in any form in which they may have been preserved. > > >
