I would like to ask you for help. In our environment we are installing a fresh Guacamole Server in version 1.5.5 on the latest Ubuntu Server 24.04. We are configuring Guacamole to use a PostgreSQL database, so we are also installing PostgreSQL in version 42.7.5. During configuration we are also installing Java in the version below:

    openjdk version "21.0.5" 2024-10-15
    OpenJDK Runtime Environment (build 21.0.5+11-Ubuntu-1ubuntu124.04)
    OpenJDK 64-Bit Server VM (build 21.0.5+11-Ubuntu-1ubuntu124.04, mixed mode, sharing)

We also need authentication with our Active Directory. We performed the installation of Tomcat9 and also guacamole-auth-ldap-1.5.5. After that we added our CA certificate to the Java trust store:

    /usr/lib/jvm/java-21-openjdk-amd64/bin/keytool -import -trustcacerts -keystore /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts -storepass changeit -noprompt -alias RootCA -file /etc/ssl/certs/RootCAcert.pem

and to the Ubuntu CA store:

    cp RootCAcert.crt /usr/local/share/ca-certificates
    update-ca-certificates

We confirmed that the certificate and port are working, as we performed the query below and the connection was successful:

    ldapsearch -xLLLH ldaps://FQDNofLDAP:636 -D "cn=AccountFromGuacamole.Properties" -w "CorrectPassword" -b "ldap-user-base-dnEntry" -s sub "(sAMAccountName=UserFromAD)" sAMAccountName -o tls_cacert=/etc/ssl/certs/RootCAcert.pem

After that we configured guacamole.properties with the correct values as follows:

    ldap-hostname: FQDNofLDAP
    ldap-port: 636
    ldap-encryption-metod: ssl
    ldap-user-base-dn: CorrectlyFulfilled
    ldap-username-attribute: sAMAccountName
    ldap-search-bind-dn: CorrectlyFulfilled
    ldap-search-bind-password: CorrectPassword

We restart tomcat9 and guacd. Unfortunately, after the above actions we have a problem. When we try to log in to Guacamole using our AD credentials we receive the error "Invalid Login" on the website. In the catalina.out log we see these errors:

    [2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "FQDNofLDAP" as user "cn=AccountFromGuacamole.Properties" failed: PROTOCOL_ERROR: The server will disconnect!
    [2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=AccountFromGuacamole.Properties"
    [2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] INFO o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user "UserFromAD" using LDAP server "FQDNofLDAP". Proceeding with next server...
    [2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] INFO o.a.g.a.l.AuthenticationProviderService - User "testuser" did not successfully authenticate against any LDAP server.
    [2025-01-30 08:55:15] [info] 08:55:15.644 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.18.8.7 for user "UserFromAD" failed.

When we configured logback.xml to show debug events we also see the errors below:

    [2025-01-30 13:22:23] [info] 13:22:23.281 [NioProcessor-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04137_NOD_RECEIVED ()
    [2025-01-30 13:22:23] [info] 13:22:23.281 [NioProcessor-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04137_NOD_RECEIVED ()
    [2025-01-30 13:22:23] [info] 13:22:23.288 [http-nio-8080-exec-9] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
    [2025-01-30 13:22:23] [info] Message ID : -1
    [2025-01-30 13:22:23] [info] BindResponse
    [2025-01-30 13:22:23] [info] Ldap Result
    [2025-01-30 13:22:23] [info] Result code : (PROTOCOL_ERROR) protocolError
    [2025-01-30 13:22:23] [info] Matched Dn : 'null'
    [2025-01-30 13:22:23] [info] Diagnostic message : 'PROTOCOL_ERROR: The server will disconnect!'
    [2025-01-30 13:22:23] [info] )
    [2025-01-30 13:22:23] [info] 13:22:23.289 [http-nio-8080-exec-9] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "FQDNofLDAP" as user "CorrectlyFulfilledDN" failed: PROTOCOL_ERROR: The server will disconnect!
    [2025-01-30 13:22:23] [info] 13:22:23.289 [http-nio-8080-exec-9] DEBUG o.a.g.a.ldap.LDAPConnectionService - Unable to bind to LDAP server.
    [2025-01-30 13:22:23] [info] org.apache.directory.api.ldap.model.exception.LdapProtocolErrorException: PROTOCOL_ERROR: The server will disconnect!

The problem does not occur when we change the two values below in guacamole.properties:

    ldap-port: 389
    ldap-encryption-metod: none

Additionally, in a separate test we tried to use:

    openssl s_client -connect FQDNofLDAP:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform pem > RootCAcert2.pem
    cp RootCAcert2.pem /etc/ssl/certs/RootCAcert2.pem
    /usr/lib/jvm/java-21-openjdk-amd64/bin/keytool -import -trustcacerts -keystore /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts -storepass changeit -noprompt -alias RootCA -file /etc/ssl/certs/RootCAcert2.pem

but that certificate did not work either. Unfortunately, we would like to use LDAPS, not only LDAP. In other programs the connection works without problems. Could you be so kind as to help identify the problem and find a solution for this?

Kind regards,
Krzysztof Górny
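As an added example (not part of the post above and not code from the Guacamole project), here is a small Python linter for the LDAP section of guacamole.properties. Guacamole only reads the property names it knows, so a key it does not recognise is simply not applied and the documented default is used instead; the linter flags every ldap-* key that is not in the documented set, suggests the closest known name, and then checks whether the effective ldap-encryption-method and ldap-port form a conventional pair (389 for none or starttls, 636 for ssl). The set of known keys and the defaults (encryption none; port 389 or 636 depending on encryption) are taken from the guacamole-auth-ldap manual for 1.5.x as I recall it and should be treated as an assumption; the sample input is constructed from the keys quoted in the post, with placeholder values.

```python
"""Lint the ldap-* properties of a guacamole.properties file.

Added example; not part of the original post or of the Guacamole project.
KNOWN_LDAP_KEYS and the defaults are assumed from the guacamole-auth-ldap
manual for 1.5.x and may be incomplete for other versions.
"""
import difflib
import re

# Assumed from the guacamole-auth-ldap documentation; extend for your version.
KNOWN_LDAP_KEYS = {
    "ldap-hostname", "ldap-port", "ldap-encryption-method",
    "ldap-user-base-dn", "ldap-username-attribute",
    "ldap-search-bind-dn", "ldap-search-bind-password",
    "ldap-user-search-filter", "ldap-user-attributes",
    "ldap-config-base-dn", "ldap-group-base-dn",
    "ldap-group-name-attribute", "ldap-member-attribute",
    "ldap-member-attribute-type", "ldap-group-search-filter",
    "ldap-max-search-results", "ldap-dereference-aliases",
    "ldap-follow-referrals", "ldap-max-referral-hops",
    "ldap-operation-timeout", "ldap-network-timeout",
}
VALID_ENCRYPTION = {"none", "ssl", "starttls"}
# Conventional port per encryption mode; also Guacamole's documented default
# for ldap-port when the key is absent (assumption, see module docstring).
EXPECTED_PORT = {"none": "389", "starttls": "389", "ssl": "636"}

# Constructed sample mirroring the keys quoted in the post (placeholder values).
SAMPLE_PROPERTIES = """\
# constructed sample input
ldap-hostname: FQDNofLDAP
ldap-port: 636
ldap-encryption-metod: ssl
ldap-user-base-dn: CorrectlyFulfilled
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: CorrectlyFulfilled
ldap-search-bind-password: CorrectPassword
"""


def parse_properties(text):
    """Parse 'key: value' / 'key = value' lines into a dict, skipping comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^:=\s]+)\s*[:=]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def lint_ldap(props):
    """Return a list of human-readable findings for the ldap-* properties."""
    findings = []

    # 1. Keys Guacamole will never read, with a closest-match hint.
    for key in sorted(props):
        if key.startswith("ldap-") and key not in KNOWN_LDAP_KEYS:
            hint = difflib.get_close_matches(key, KNOWN_LDAP_KEYS, n=1, cutoff=0.8)
            msg = f"unknown key '{key}' is never read by Guacamole"
            if hint:
                msg += f"; did you mean '{hint[0]}'?"
            findings.append(msg)

    # 2. Effective encryption mode (default 'none' when the key is absent).
    enc_present = "ldap-encryption-method" in props
    enc = props.get("ldap-encryption-method", "none").lower()
    if enc not in VALID_ENCRYPTION:
        findings.append(
            f"ldap-encryption-method '{enc}' is not one of {sorted(VALID_ENCRYPTION)}"
        )
    else:
        # 3. Port must match the mode actually in effect, not the one intended.
        expected = EXPECTED_PORT[enc]
        port = props.get("ldap-port", expected)
        if port != expected:
            origin = "" if enc_present else " (key absent, so the default 'none' applies)"
            findings.append(
                f"ldap-port {port} does not match the conventional port {expected} "
                f"for ldap-encryption-method '{enc}'{origin}"
            )

    # 4. A search bind DN without a password cannot bind.
    if "ldap-search-bind-dn" in props and "ldap-search-bind-password" not in props:
        findings.append("ldap-search-bind-dn is set but ldap-search-bind-password is missing")
    return findings


def lint_text(text):
    """Convenience wrapper: lint a properties file given as a string."""
    return lint_ldap(parse_properties(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_PROPERTIES) or ["no findings"]:
        print(finding)
```

Run against the constructed sample it reports two findings: the unrecognised key with the suggested spelling, and ldap-port 636 paired with the default encryption mode none. Replacing the key with the documented spelling makes both findings disappear, which is the quickest way to confirm that a properties file really selects the LDAPS path before looking at trust stores or certificates.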