Hello,

Please look higher up in the logs, during the startup of Tomcat (or deployment of the guacamole WAR file), to make sure it's loading the expected extensions, and see if there are any other errors there. The error you are referring to may be related to the mysql driver not getting loaded.

Wed, Mar 5, 2025 at 21:12, Jason Bailey <jbai...@emerytelcom.com.invalid>:

> Did you enable auto creation of accounts in the mysql plugin? Yes.
>
> Did you create guacadmin user in mysql? I ran the 000-create-admin-user.sql script against the database and I can see the records present when I view the appropriate database tables.
>
> Set extension priority? I have not done so thus far. It isn't being used in my old server, which is what I used as a template for the new server. That said, I'll add it.
>
> Checking in the logs.... I see no mention of LDAP, so it must not be loading.
>
> Nick, you were right, the permissions on the /etc/guacamole/lib and /etc/guacamole/extensions folders were wrong. I'm actually trying to build SaltStack state / provisioning that sets Apache Guacamole up, and I had copied and pasted the wrong block of YAML. Long story short, the folder was 644 instead of 755. That has been fixed.
>
> Unfortunately, even with all these changes, it's still not working. I'm now getting "DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Permission Denied". I get that even when I bypass the reverse proxy config and connect to tomcat directly with my browser.
>
> This is what I have in my guacamole.properties file:
>
> guacd-hostname: ::1
> guacd-port: 4822
>
> mysql-hostname: 127.0.0.1
> mysql-database: guacamole
> mysql-username: guacamole
> mysql-password: LongGuacamolePassword
> mysql-driver: mariadb
> mysql-auto-create-accounts: true
> mysql-server-timezone: America/Denver
>
> ldap-hostname: corp.myorganization.com
> ldap-port: 389
> ldap-encryption-method: none
> ldap-username-attribute: sAMAccountName
> ldap-search-bind-dn: cn=OBS Manager LDAP,OU=Services,DC=corp,DC=myorganization,DC=com
> ldap-search-bind-password: MyReallyLongLdapPassword
> ldap-user-base-dn: dc=corp,dc=myorganization,dc=com
> ldap-user-search-filter: (memberOf=CN=OBS Users,OU=Services,DC=corp,DC=myorganization,DC=com)
> ldap-max-search-results: 400
>
> auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
>
> Thanks
>
> On 3/5/25 4:41 AM, Anakien Skywalker wrote:
>
> Hello,
> Just a few things to check:
> 1. Did you enable auto creation accounts in mysql plugin?
> https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users
>
>> mysql-auto-create-accounts: true
>
> 2. Did you create guacadmin user in mysql? You need to execute the following schema migration 002-create-admin-user.sql in your db in order to create admin user. Make sure all queries from migration are executed.
> 3. Set extension priority. In your log, I don't see any evidence you use ldap. But you could use ldap, mysql where mysql is fallback for guacadmin.
>
>> extension-priority: mysql, ldap
>
> I am not sure of the correct naming. Please check it yourself in your logs:
>
>> 23:32:06.468 [main] INFO o.a.g.extension.ExtensionModule - - [postgresql] "PostgreSQL Authentication" (/etc/guacamole/extensions/guacamole-auth-jdbc-postgresql-1.5.5.jar)
>> 23:32:06.468 [main] INFO o.a.g.extension.ExtensionModule - - [ldap] "LDAP Authentication" (/etc/guacamole/extensions/guacamole-auth-ldap-1.5.5.jar)
>
> According to these logs, it would be:
>
>> extension-priority: postgresql, ldap
>
> Wed, Mar 5, 2025 at 03:37, Nick Couchman <vn...@apache.org>:
>
>> On Tue, Mar 4, 2025 at 7:00 PM Jason Bailey <jbai...@emerytelcom.com.invalid> wrote:
>>
>>> Replying to my own email here, but I did get debug logging working. I'm seeing a few extra things now when I try to login:
>>>
>>> DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [10.0.0.86, 127.0.0.1] failed.
>>>
>>> DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Permission Denied.
>>>
>>> WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [10.0.0.86, 127.0.0.1] for user "guacadmin" failed
>>>
>>> DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read
>>>
>>> I don't have a user-mapping.xml anymore -- not since going to LDAP/MSAD authentication.
>>
>> It does not appear to me that the LDAP authentication extension is loading at all. Are there other messages, prior to this, that indicate that it is loading successfully?
>>
>> The message about the user-mapping.xml file is relatively benign - it's just warning you that it isn't there.
>>
>>> Is this an indication that the reverse proxy through Apache might be the issue?
>>
>> Nope, don't think this has anything to do with reverse proxy - I think your Guacamole install is not picking up the LDAP extension at all. Maybe check that permissions are correct on all of the files/folders, such that the user running Tomcat has access to /etc/guacamole and all of the files and folders under it?
>>
>> -Nick
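
The two checks discussed in this thread (which extensions the startup log reports as loaded, and whether the directories under /etc/guacamole are searchable), as an added shell example that is not part of the original messages. The function names, the expected namespaces passed as arguments and the sample log are constructed for illustration; the permission check assumes the Tomcat user neither owns the tree nor shares its group.

```shell
#!/bin/sh
# Added example: helper names and the sample log below are constructed.

# Print the namespace of every extension Guacamole reported loading at
# startup, one per line, taken from the ExtensionModule lines in the log.
loaded_extensions() {
    sed -n 's/.*ExtensionModule[^[]*\[\([^]]*\)] ".*/\1/p' "$1"
}

# Print each expected namespace (arguments after the log path) that the
# startup log never reported as loaded.
missing_extensions() {
    _log=$1; shift
    _loaded=$(loaded_extensions "$_log")
    for _ns in "$@"; do
        printf '%s\n' "$_loaded" | grep -qxF "$_ns" || printf '%s\n' "$_ns"
    done
}

# Print directories under the given root that "other" cannot both read and
# search; a directory left at 644 instead of 755 is reported here.
# Assumption: the Tomcat user is neither owner nor group member of the tree.
# -prune stops find from descending into a directory it has just reported.
unsearchable_dirs() {
    find "$1" -type d ! -perm -005 -print -prune
}

# Constructed sample: a startup log in which only the JDBC extension loaded.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
23:32:06.468 [main] INFO o.a.g.extension.ExtensionModule - - [postgresql] "PostgreSQL Authentication" (/etc/guacamole/extensions/guacamole-auth-jdbc-postgresql-1.5.5.jar)
23:32:07.101 [main] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read
EOF

echo "loaded:  $(loaded_extensions "$sample_log" | tr '\n' ' ')"
echo "missing: $(missing_extensions "$sample_log" postgresql ldap | tr '\n' ' ')"
rm -f "$sample_log"
```

On a real host, pass the Tomcat startup log to `missing_extensions` together with the namespaces you expect, and run `unsearchable_dirs /etc/guacamole`; any output from either function points at the problem.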