We have Guacamole configured to use SAML to initially authenticate users and 
subsequently use LDAP to look up the user and retrieve RDP connection 
properties.
When using this setup, the user is successfully authenticated against SAML, but 
Guac makes no attempt to connect to LDAP to look the user up. So when using SAML 
auth, do connection details have to come from a DB alone? Is LDAP not supported? 

Our guacamole.properties looks like so:
================================
extension-priority: saml,*

saml-idp-metadata-url: <>
saml-entity-id: <>
saml-callback-url: <>
saml-debug: true

guacd-hostname: <>
guacd-port: 4822

ldap-hostname: <>
ldap-user-base-dn: <>
ldap-port: <>
ldap-search-bind-dn: <>
ldap-search-bind-password: <>
ldap-username-attribute: cn,userPrincipalName
ldap-config-base-dn: <>
ldap-group-base-dn: <> 
================================
Snippet from the Tomcat log showing a successful SAML auth but subsequently no 
LDAP requests being made (both the SAML and LDAP extensions do get loaded, in that 
order, during startup):
{"log":"17:35:44.920 [http-nio-8080-exec-6] DEBUG 
c.onelogin.saml2.authn.SamlResponse - SAMLResponse validated --\u003e 
\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u003csaml2p:Response 
xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\" 
xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"; 
xmlns:enc=\"http://www.w3.org/2001/04/xmlenc#\"; 
xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" 
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"; 
Destination=\"https://<guac-fqdn>/guacamole/api/ext/saml/callback\" 
ID=\"_1b1b7627-5cf3-41da-a8d4-07d7b40ef1b6\" 
InResponseTo=\"ONELOGIN_f6802956-ff63-44da-9d84-0b839611aa40\" 
IssueInstant=\"2022-02-07T17:35:44.072Z\" 
Version=\"2.0\"\u003e\u003csaml2:Issuer 
Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:entity\"\u003e<>sso-url>/saml2:Issuer\u003e\u003cds:Signature\u003e\n","stream":"stdout","time":"2022-02-07T17:35:44.920437405Z"}

{"log":"17:35:44.929 [http-nio-8080-exec-6] INFO  
o.a.g.r.auth.AuthenticationService - User \"<ad-user>\" successfully 
authenticated from 
<ipaddr>.\n","stream":"stdout","time":"2022-02-07T17:35:44.929936313Z"}
{"log":"17:35:44.932 [http-nio-8080-exec-6] DEBUG 
o.a.g.a.f.FileAuthenticationProvider - User mapping file 
\"/home/guacamole/.guacamole/user-mapping.xml\" does not exist and will not be 
read.\n","stream":"stdout","time":"2022-02-07T17:35:44.932447772Z"}
{"log":"17:35:44.944 [http-nio-8080-exec-6] DEBUG 
o.a.g.r.auth.AuthenticationService - Login was successful for user 
\"<ad-user>\".\n","stream":"stdout","time":"2022-02-07T17:35:44.944764676Z"}
{"log":"17:35:44.980 [http-nio-8080-exec-7] DEBUG 
o.a.g.rest.RESTExceptionMapper - Client request rejected: Permission 
Denied.\n","stream":"stdout","time":"2022-02-07T17:35:44.982212881Z"}
{"log":"17:35:45.010 [http-nio-8080-exec-9] DEBUG 
o.a.g.rest.RESTExceptionMapper - Client request rejected: Session not 
associated with authentication provider 
\"saml\".\n","stream":"stdout","time":"2022-02-07T17:35:45.01072652Z"}
==================================
To clarify that LDAP bind and search requests do work when not using SAML, 
here's what we see when SAML is not listed in extension-priority:
{"log":"14:46:56.028 [http-nio-8080-exec-9] DEBUG 
o.a.d.l.c.api.LdapNetworkConnection - MSG_04104_SENDING_REQUEST (MessageType : 
BIND_REQUEST\n","stream":"stdout","time":"2022-02-07T14:46:56.028805885Z"}
{"log":"Message ID : 
1\n","stream":"stdout","time":"2022-02-07T14:46:56.028838115Z"}
{"log":"    
BindRequest\n","stream":"stdout","time":"2022-02-07T14:46:56.028843083Z"}
{"log":"        Version : 
'3'\n","stream":"stdout","time":"2022-02-07T14:46:56.028847115Z"}
{"log":"        Name : 
<ldap-search-bind-dn>\n","stream":"stdout","time":"2022-02-07T14:46:56.028853851Z"}
{"log":"        Simple authentication : 
'(omitted-for-safety)'\n","stream":"stdout","time":"2022-02-07T14:46:56.028857518Z"}
{"log":")\n","stream":"stdout","time":"2022-02-07T14:46:56.028861649Z"}
{"log":")\n","stream":"stdout","time":"2022-02-07T16:54:12.995143597Z"}
{"log":"16:54:13.008 [http-nio-8080-exec-2] DEBUG 
o.a.g.auth.ldap.ObjectQueryService - Searching \"<ad-base-dn>\" for objects 
matching 
\"(\u0026(objectClass=*)(|(cn=<ad-user>)(userPrincipalName=<ad-user>)))\".\n","stream":"stdout","time":"2022-02-07T16:54:13.008351163Z"}
{"log":"16:54:13.011 [http-nio-8080-exec-2] DEBUG 
o.a.d.l.c.api.LdapNetworkConnection - MSG_04104_SENDING_REQUEST (MessageType : 
SEARCH_REQUEST\n","stream":"stdout","time":"2022-02-07T16:54:13.011651661Z"}

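The comparison the poster is making by eye above (a successful authentication line, then looking for whether any LDAP BIND_REQUEST or SEARCH_REQUEST was sent around it, and which REST rejections followed) can be scripted over the Docker JSON log stream. The following is an added example, not code from the original post or from the Guacamole project; the log lines embedded in it are constructed to mimic the format shown above, with hypothetical user, host and timestamp values, and the five-second correlation window is an assumption, not anything Guacamole defines.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a SAML login with no LDAP traffic, modelled on the first log
# excerpt in the post (hypothetical user/IP values, not a real capture).
SAML_ONLY_LOG = r"""
{"log":"17:35:44.929 [http-nio-8080-exec-6] INFO  o.a.g.r.auth.AuthenticationService - User \"jdoe\" successfully authenticated from 10.0.0.5.\n","stream":"stdout","time":"2022-02-07T17:35:44.929936313Z"}
{"log":"17:35:44.944 [http-nio-8080-exec-6] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user \"jdoe\".\n","stream":"stdout","time":"2022-02-07T17:35:44.944764676Z"}
{"log":"17:35:44.980 [http-nio-8080-exec-7] DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Permission Denied.\n","stream":"stdout","time":"2022-02-07T17:35:44.982212881Z"}
{"log":"17:35:45.010 [http-nio-8080-exec-9] DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Session not associated with authentication provider \"saml\".\n","stream":"stdout","time":"2022-02-07T17:35:45.01072652Z"}
"""

# Constructed sample: an LDAP-only login, modelled on the second excerpt. The
# "Message ID" continuation line has no log header and must be skipped.
LDAP_LOG = r"""
{"log":"16:54:12.990 [http-nio-8080-exec-2] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04104_SENDING_REQUEST (MessageType : BIND_REQUEST\n","stream":"stdout","time":"2022-02-07T16:54:12.990143597Z"}
{"log":"Message ID : 1\n","stream":"stdout","time":"2022-02-07T16:54:12.990200000Z"}
{"log":"16:54:13.011 [http-nio-8080-exec-2] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04104_SENDING_REQUEST (MessageType : SEARCH_REQUEST\n","stream":"stdout","time":"2022-02-07T16:54:13.011651661Z"}
{"log":"16:54:13.050 [http-nio-8080-exec-2] INFO  o.a.g.r.auth.AuthenticationService - User \"jdoe\" successfully authenticated from 10.0.0.5.\n","stream":"stdout","time":"2022-02-07T16:54:13.050000000Z"}
"""

# Header of a logback line: time, [thread], LEVEL, logger, " - ", message.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>\w+)\s+(?P<logger>\S+) - (?P<msg>.*)$", re.S)
AUTH_OK_RE = re.compile(r'User "(?P<user>[^"]+)" successfully authenticated')
LDAP_REQ_RE = re.compile(r"MSG_04104_SENDING_REQUEST \(MessageType : (?P<kind>\w+)")
REJECT_RE = re.compile(r"Client request rejected: (?P<reason>.+)")


def parse_docker_time(s):
    """Parse Docker's RFC 3339 timestamp; it carries nanoseconds, Python keeps µs."""
    base, _, frac = s.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6])
    return (datetime.fromisoformat(base).replace(tzinfo=timezone.utc)
            + timedelta(microseconds=micros))


def parse_docker_log(text):
    """Turn Docker JSON-file log lines into header-bearing events; drop continuations."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        m = LINE_RE.match(rec["log"].rstrip("\n"))
        if not m:
            continue  # multi-line LDAP request dumps carry no header on later lines
        ev = m.groupdict()
        ev["time"] = parse_docker_time(rec["time"])
        events.append(ev)
    return events


def correlate_logins(text, window_seconds=5):
    """For every successful authentication, report the LDAP requests and REST
    rejections logged within +/- window_seconds of it (assumed window)."""
    events = parse_docker_log(text)
    window = timedelta(seconds=window_seconds)
    report = []
    for ev in events:
        auth = AUTH_OK_RE.search(ev["msg"])
        if not auth:
            continue
        lo, hi = ev["time"] - window, ev["time"] + window
        ldap, rejects = [], []
        for other in events:
            if not (lo <= other["time"] <= hi):
                continue
            if (k := LDAP_REQ_RE.search(other["msg"])):
                ldap.append(k.group("kind"))
            if (r := REJECT_RE.search(other["msg"])):
                rejects.append(r.group("reason").rstrip("."))
        report.append({"user": auth.group("user"),
                       "at": ev["time"].isoformat(),
                       "ldap_requests": ldap,
                       "rejections": rejects,
                       "ldap_consulted": bool(ldap)})
    return report


if __name__ == "__main__":
    for label, text in (("saml", SAML_ONLY_LOG), ("ldap", LDAP_LOG)):
        for entry in correlate_logins(text):
            print(label, entry)
```

Correlating by time window rather than by worker thread is deliberate: Tomcat reuses `http-nio-8080-exec-N` names across requests, and the follow-up REST calls that would trigger a secondary provider's lookups land on different threads (exec-7 and exec-9 in the post), so thread identity alone would miss them. Run it against `docker logs --timestamps` output or the raw `*-json.log` file for the container; a login entry whose `ldap_consulted` is false with `saml` in `extension-priority` reproduces exactly what the post describes.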