From: "Maik Heinelt" <[email protected]> 
To: [email protected] 
Sent: Monday, October 18, 2021 9:01:17 AM 
Subject: Re: Difficulty to get LDAP working with Guacamole 


On Sun, Oct 17, 2021 at 7:45 PM Maik Heinelt <[email protected]> 
wrote: 



I am trying to get the LDAP extension to work with our Guacamole 1.3 
installation. 
MySQL authentication is working just fine, but LDAP doesn't show up. 
I did install our Windows AD server with the LDAP addon, installed the v1.3 
LDAP .jar extension 
and also added the configuration in guacamole.properties as explained in this 
manual: https://guacamole.apache.org/doc/gug/ldap-auth.html 
But when I log in as user guacadmin and check the users, there is no LDAP tab and 
also no LDAP user. 



This is expected - unless you sign in with an LDAP user, you will not see the 
LDAP tab, any LDAP groups, or LDAP users. This is because the LDAP extension 
uses the LDAP username and password to do any/all LDAP searches (with the 
exception of the initial search), so a database user will not have access. 

There are two ways around this: 
* Manually create a matching user in the database for one of the LDAP users and 
assign it administrative privileges. 
* Enable automatic JDBC account creation and then assign the auto-created user 
account(s) whatever privileges are required. 

-Nick 




Hi Nick, thank you for the quick reply. 
I tried to log in with several AD users, but login fails. For testing, I have 
allowed the users OU to be able to log in to Guacamole, 
but since I don't know any log where I can actually see if the LDAP search 
actually works, it is difficult for me to debug if the issue is 
in Guacamole or maybe at the communication with the AD. 

Maik 



I am still not getting LDAP authentication working. 
My guacamole.properties looks as follows: 

# LDAP properties 
ldap-hostname: MyWin2019Server 
ldap-port: 389 
ldap-encryption-method: none 
ldap-username-attribute: sAMAccountName 
ldap-user-base-dn: OU=Users,DC=mydomain,DC=local 
ldap-search-bind-dn: CN=Administrator,CN=Users,DC=mydomain,DC=local 
ldap-search-bind-password: GoodPassword 


I got the ldap-search-bind-dn from the server LDAP admin properties >> 
Attribute Editor >> distinguishedName , so I am pretty sure this should be 
correct. 
I am able to reach the LDAP server without errors, using SSL or with no encryption, 
from the Guacamole server command line using ldapsearch. 
When looking at the catalina.out log file, there is no error or warning shown 
when I try to authenticate via LDAP. 
Just a "WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 
153.156.182.53 for user "MyUser" failed." 

Please correct me if I am wrong, but my understanding is that I should be able to 
authenticate as every user in the Users OU with its account name. 

Maik 
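
Added example, not part of the original thread and not Guacamole's own code: a small Python helper that reads the LDAP properties quoted above and builds the ldapsearch command for the lookup done with the search bind DN, so the same search can be run by hand from the Guacamole server. The function names, the simple (attribute=login) filter and the subtree scope are assumptions made for illustration; the sample input is constructed from the quoted configuration with the password left out.

```python
import re
import shlex

# Constructed sample: the LDAP block from the guacamole.properties quoted above.
SAMPLE = """\
ldap-hostname: MyWin2019Server
ldap-port: 389
ldap-encryption-method: none
ldap-username-attribute: sAMAccountName
ldap-user-base-dn: OU=Users,DC=mydomain,DC=local
ldap-search-bind-dn: CN=Administrator,CN=Users,DC=mydomain,DC=local
"""

def parse_properties(text):
    """Parse 'key: value' or 'key=value' lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"([^\s:=#!]+)\s*[:=]\s*(.*)", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def escape_filter(value):
    """RFC 4515 escaping so a login name cannot change the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def ldapsearch_for(props, login):
    """Return (argv, warnings) for a lookup of `login` with the search bind DN."""
    method = props.get("ldap-encryption-method", "none")
    scheme = "ldaps" if method == "ssl" else "ldap"
    port = props.get("ldap-port", "636" if method == "ssl" else "389")
    host = props.get("ldap-hostname", "localhost")
    attr = props.get("ldap-username-attribute", "uid")
    argv = ["ldapsearch", "-x", "-H", f"{scheme}://{host}:{port}"]
    if method == "starttls":
        argv.append("-ZZ")  # fail unless StartTLS succeeds
    argv += ["-D", props["ldap-search-bind-dn"], "-W",  # -W prompts for the password
             "-b", props["ldap-user-base-dn"], "-s", "sub",  # subtree scope: assumption
             f"({attr}={escape_filter(login)})", "1.1"]  # 1.1 = return DNs only
    warnings = []
    if method == "none":
        warnings.append("bind DN and passwords are sent unencrypted")
    return argv, warnings

if __name__ == "__main__":
    argv, warnings = ldapsearch_for(parse_properties(SAMPLE), "MyUser")
    print(shlex.join(argv))
    for w in warnings:
        print("warning:", w)
```

Running the printed command shows whether the configured base DN and username attribute return an entry for a given login name, independently of Guacamole.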

