Krzysztof,

The fundamental error you seem to have is "PROTOCOL_ERROR", which is not very helpful!

I note that your ldapsearch command includes the CA certificate at the end instead of relying on the system trust store. ldapsearch and Java use separate trust stores, but I think that Ubuntu sorts that out for you if you do the following:

* Copy the CA .crt (Base64 format, so it will have the line ----- BEGIN CERTIFICATE ---- at the start) to /usr/share/local/ca-certificates/
* Run update-ca-certificates

Double check your /etc/ldap/ldap.conf and ensure it has:

    TLS_CACERT /etc/ssl/certs/ca-certificates.crt

Now run your ldapsearch but do not specify -o tls_cacert. It should work - if it doesn't then that needs fixing.

I'm fairly sure that Ubuntu also sorts out the Java trust store as well when you run update-ca-certificates, so you may be golden at this point. If not, then you have proven your LDAP settings are correct.

So, just to recap: get ldapsearch working first over TLS without having to specify any certificates and then move on to Guacamole. Bear in mind that Guacamole uses a Java trust store and not the OpenSSL or GnuTLS ones but, as I have stated, I *think* that Ubuntu sorts them all out.

Also, LDAP with STARTTLS instead of LDAPS is preferred by everyone who seems to know what they are doing. That is LDAP on port 389 with STARTTLS. Here's an example from a live system - I have only obfuscated the password for the bind DN user:

    ldap-hostname: dc2.blueloop.net
    ldap-encryption-method: starttls
    ldap-search-bind-dn: CN=SA LDAPuser,OU=SA,OU=Blueloop,DC=blueloop,DC=net
    ldap-search-bind-password: ............. LONG .............. PASSWORD ..............................
    ldap-user-base-dn: DC=blueloop,DC=net
    ldap-username-attribute: sAMAccountName
    ldap-user-search-filter: (&(objectClass=user)(!(objectClass=computer)))
    ldap-group-base-dn: OU=Groups,OU=Blueloop,DC=blueloop,DC=net
    ldap-member-attribute: memberOf
    ldap-group-search-filter: (objectClass=group)

Cheers

Jon

On Tue, 2025-02-18 at 07:50 +0000, Krzysztof Gorny (Fujitsu) wrote:

I would like to ask you for help.
In our environment we are installing a fresh Guacamole Server in version 1.5.5 on the latest Ubuntu Server 24.04. We are configuring Guacamole to use a PostgreSQL database, so we are also installing PostgreSQL in ver 42.7.5. During configuration we are also installing Java in the version below:

    openjdk version "21.0.5" 2024-10-15
    OpenJDK Runtime Environment (build 21.0.5+11-Ubuntu-1ubuntu124.04)
    OpenJDK 64-Bit Server VM (build 21.0.5+11-Ubuntu-1ubuntu124.04, mixed mode, sharing)

We also need authentication with our Active Directory. We performed the installation of Tomcat9 and also Guacamole-auth-ldap-1.5.5. After that we added our CA certificate to the Java trust store:

    /usr/lib/jvm/java-21-openjdk-amd64/bin/keytool -import -trustcacerts -keystore /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts -storepass changeit -noprompt -alias RootCA -file /etc/ssl/certs/RootCAcert.pem

and to the Ubuntu CA store:

    cp RootCAcert.crt /usr/local/share/ca-certificates
    update-ca-certificates

We confirmed that the certificate and port are working, as we performed the query below and the connection was successful:

    ldapsearch -xLLLH ldaps://FQDNofLDAP:636 -D "cn=AccountFromGuacamole.Properties" -w "CorrectPassword" -b "ldap-user-base-dnEntry" -s sub "(sAMAccountName=UserFromAD)" sAMAccountName -o tls_cacert=/etc/ssl/certs/RootCAcert.pem

After that we configured guacamole.properties with correct values as follows:

    ldap-hostname: FQDNofLDAP
    ldap-port: 636
    ldap-encryption-metod: ssl
    ldap-user-base-dn: CorrectlyFulfilled
    ldap-username-attribute: sAMAccountName
    ldap-search-bind-dn: CorrectlyFulfilled
    ldap-search-bind-password: CorrectPassword

We performed a restart of tomcat9 and a restart of guacd. Unfortunately, after the above actions we have a problem. When we try to log in to Guacamole using our AD credentials we receive the error "Invalid Login" on the website.

In the catalina.out log we see errors:

    [2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "FQDNofLDAP" as user "cn=AccountFromGuacamole.Properties" failed: PROTOCOL_ERROR: The server will disconnect!
    [2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=AccountFromGuacamole.Properties"
    [2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] INFO o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user "UserFromAD" using LDAP server "FQDNofLDAP". Proceeding with next server...
    [2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] INFO o.a.g.a.l.AuthenticationProviderService - User "testuser" did not successfully authenticate against any LDAP server.
    [2025-01-30 08:55:15] [info] 08:55:15.644 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.18.8.7 for user "UserFromAD" failed.

When we configured logback.xml to show debug events we also see the errors below:

    [2025-01-30 13:22:23] [info] 13:22:23.281 [NioProcessor-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04137_NOD_RECEIVED ()
    [2025-01-30 13:22:23] [info] 13:22:23.281 [NioProcessor-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04137_NOD_RECEIVED ()
    [2025-01-30 13:22:23] [info] 13:22:23.288 [http-nio-8080-exec-9] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
    [2025-01-30 13:22:23] [info] Message ID : -1
    [2025-01-30 13:22:23] [info] BindResponse
    [2025-01-30 13:22:23] [info] Ldap Result
    [2025-01-30 13:22:23] [info] Result code : (PROTOCOL_ERROR) protocolError
    [2025-01-30 13:22:23] [info] Matched Dn : 'null'
    [2025-01-30 13:22:23] [info] Diagnostic message : 'PROTOCOL_ERROR: The server will disconnect!'
    [2025-01-30 13:22:23] [info] )
    [2025-01-30 13:22:23] [info] 13:22:23.289 [http-nio-8080-exec-9] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "FQDNofLDAP" as user "CorrectlyFulfilledDN" failed: PROTOCOL_ERROR: The server will disconnect!
    [2025-01-30 13:22:23] [info] 13:22:23.289 [http-nio-8080-exec-9] DEBUG o.a.g.a.ldap.LDAPConnectionService - Unable to bind to LDAP server.
    [2025-01-30 13:22:23] [info] org.apache.directory.api.ldap.model.exception.LdapProtocolErrorException: PROTOCOL_ERROR: The server will disconnect!

The problem does not occur when we change the two values below in guacamole.properties:

    ldap-port: 389
    ldap-encryption-metod: none

Additionally, in a separate test we have tried to use:

    openssl s_client -connect FQDNofLDAP:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform pem > RootCAcert2.pem
    cp RootCAcert2.pem /etc/ssl/certs/RootCAcert2.pem
    /usr/lib/jvm/java-21-openjdk-amd64/bin/keytool -import -trustcacerts -keystore /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts -storepass changeit -noprompt -alias RootCA -file /etc/ssl/certs/RootCAcert2.pem

but the certificate did not work either. Unfortunately, we would like to use LDAPS, not only LDAP. In other programs the connection is working without problems.

Could you be so kind as to help identify the problem and find a solution for this?

Kind regards,
Krzysztof Górny
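Added example, not code from either message or from the Guacamole project: a small linter for the LDAP section of guacamole.properties. The working configuration Jon quotes spells the key "ldap-encryption-method", while the configuration in the original question spells it "ldap-encryption-metod". Guacamole only reads the property names it knows, so a misspelled key is silently ignored and the setting stays at its default, which for the encryption method is "none"; the checker below flags unknown "ldap-*" keys with a closest-match hint, flags a port/encryption mismatch (636 with anything but "ssl", 389 with "ssl") and flags a bind DN without a password. The accepted key set is the one visible in Jon's example, the 636/389 pairings are the conventional LDAPS/LDAP ports, and the two embedded configurations are constructed from the ones quoted in the thread with the password replaced by a placeholder.

```python
"""Lint the LDAP section of guacamole.properties before restarting Tomcat.

Added example, not code from the thread or from the Guacamole project.
Known key names are taken from the working configuration quoted in the
thread; 636/389 are the conventional LDAPS/LDAP ports.
"""
import difflib
import re

# Property names that appear in the working configuration quoted in the thread.
KNOWN_LDAP_KEYS = sorted({
    "ldap-hostname", "ldap-port", "ldap-encryption-method",
    "ldap-search-bind-dn", "ldap-search-bind-password",
    "ldap-user-base-dn", "ldap-username-attribute", "ldap-user-search-filter",
    "ldap-group-base-dn", "ldap-member-attribute", "ldap-group-search-filter",
})
VALID_ENCRYPTION = ("none", "ssl", "starttls")

# key, then ':' or '=', then the value (DNs and filters may themselves contain '=')
LINE_RE = re.compile(r"^([^:=\s]+)\s*[:=]\s*(.*)$")


def parse_properties(text):
    """Parse 'key: value' / 'key=value' lines into a dict, skipping blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def lint_ldap_properties(props):
    """Return a list of human-readable findings; an empty list means nothing looked wrong."""
    findings = []

    # 1. Misspelled keys: Guacamole reads only the names it knows, so a typo
    #    silently leaves the setting at its default instead of raising an error.
    for key in props:
        if key.startswith("ldap-") and key not in KNOWN_LDAP_KEYS:
            close = difflib.get_close_matches(key, KNOWN_LDAP_KEYS, n=1, cutoff=0.8)
            hint = f" (did you mean '{close[0]}'?)" if close else ""
            findings.append(f"unknown property '{key}' is ignored by Guacamole{hint}")

    # 2. Effective encryption method: the default when the key is absent is 'none'.
    enc = props.get("ldap-encryption-method", "none")
    if enc not in VALID_ENCRYPTION:
        findings.append(f"ldap-encryption-method '{enc}' is not one of {VALID_ENCRYPTION}")

    # 3. Port / encryption consistency.
    port = props.get("ldap-port")
    if port == "636" and enc != "ssl":
        findings.append(
            f"ldap-port 636 is the LDAPS port but the effective encryption is '{enc}'; "
            "the bind would be attempted without TLS on a port that expects TLS")
    if port == "389" and enc == "ssl":
        findings.append("ldap-port 389 is the plain/STARTTLS port but encryption is 'ssl'")

    # 4. Bind credentials must come as a pair.
    if "ldap-search-bind-dn" in props and "ldap-search-bind-password" not in props:
        findings.append("ldap-search-bind-dn is set without ldap-search-bind-password")

    return findings


# Constructed inputs: the two configurations quoted in the thread, with the
# bind password replaced by a placeholder.
BROKEN_PROPERTIES = """\
ldap-hostname: FQDNofLDAP
ldap-port: 636
ldap-encryption-metod: ssl
ldap-user-base-dn: CorrectlyFulfilled
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: CorrectlyFulfilled
ldap-search-bind-password: PLACEHOLDER
"""

WORKING_PROPERTIES = """\
ldap-hostname: dc2.blueloop.net
ldap-encryption-method: starttls
ldap-search-bind-dn: CN=SA LDAPuser,OU=SA,OU=Blueloop,DC=blueloop,DC=net
ldap-search-bind-password: PLACEHOLDER
ldap-user-base-dn: DC=blueloop,DC=net
ldap-username-attribute: sAMAccountName
ldap-user-search-filter: (&(objectClass=user)(!(objectClass=computer)))
ldap-group-base-dn: OU=Groups,OU=Blueloop,DC=blueloop,DC=net
ldap-member-attribute: memberOf
ldap-group-search-filter: (objectClass=group)
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_PROPERTIES), ("working", WORKING_PROPERTIES)):
        print(f"== {name} ==")
        for finding in lint_ldap_properties(parse_properties(text)) or ["no findings"]:
            print(" -", finding)
```

Run it against the real file with parse_properties(open("/etc/guacamole/guacamole.properties").read()) before restarting tomcat9; the point of the check is that a typo in a key name never produces an error in catalina.out, only a bind that behaves as if the setting had never been made.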