LDAP Authentication not working

LDAP Authentication not working

sougatasen
Hi, I set up guacamole with basic authentication and got it working. However, when I configured LDAP, I am not able to get the authentication to work. Here is my guacamole.properties setting:

guacd-hostname: localhost
guacd-port: 4822
mysql-hostname: xxxxx.mysql.xxxx.azure.com
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: gsbadmin@xxxxxxxx
mysql-password: xxxxxxx
ldap-hostname: xxxxxxxx
ldap-port: 389
ldap-user-base-dn: CN=Users,DC=gsbldap,DC=local
ldap-search-bind-dn: CN=guacadmin,CN=Users,DC=gsbldap,DC=local
ldap-search-bind-password: xxxxxxxx
ldap-username-attribute: sAMAccountName
ldap-follow-referrals:false

In AD, I created an administrative user called guacadmin under User and created another user called guacuser. I am able to connect to the AD (LDAP server) via ldp.exe and browse to the user from my machine. When I try to login with either guacadmin or guacuser I get the following error page:

ERROR An error has occurred and this action cannot be completed. If the problem persists, please notify your system administrator or check your system logs.

I checked the tomcat logs and this is what I get:

20:19:26.055 [http-nio-8080-exec-7] DEBUG o.a.g.resource.ResourceServlet - Resource not modified: "/app.css"
20:19:26.083 [http-nio-8080-exec-9] DEBUG o.a.g.resource.ResourceServlet - Resource not modified: "/app.js"
20:19:26.341 [http-nio-8080-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from 208.89.185.65 failed.
20:19:26.422 [http-nio-8080-exec-3] DEBUG o.a.g.resource.ResourceServlet - Resource not modified: "/translations/en.json"
20:19:31.435 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap - Checking for expired sessions...
20:19:31.436 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap - Session check completed in 1 ms.
20:19:36.559 [http-nio-8080-exec-4] WARN o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.
20:19:36.561 [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 208.89.185.65 for user "guacuser" failed.

I followed the following tutorial to configure ldap: https://guacamole.apache.org/doc/gug/ldap-auth.html

As part of the configuration for LDAP this is what I have done:
1. Placed the guacamole-auth-ldap-1.1.0.jar file in the GUACAMOLE_HOME/extensions folder
2. Updated the properties file as mentioned above
3. Created users in AD
4. Restarted Tomcat

The actual reason for the failure is not evident from the logs. Can you provide some guidance on how to troubleshoot this better please?

Sent from the Apache Guacamole - General/User Mailing List mailing list archive at Nabble.com.

Re: LDAP Authentication not working

vnick
Yikes - this message did not format very well in the Nabble -> Mailing List translation, but I'll try to parse through it and give some suggestions...

On Mon, Jun 22, 2020 at 4:26 PM sougatasen <[hidden email]> wrote:
> Hi, I setup guacamole with basic authentication and got it working. However, when I configured LDAP, I am not able to get the authentication to work. Here is my guacamole.properties setting:
>
> guacd-hostname: localhost
> guacd-port: 4822
> mysql-hostname: xxxxx.mysql.xxxx.azure.com
> mysql-port: 3306
> mysql-database: guacamole_db
> mysql-username: gsbadmin@xxxxxxxx
> mysql-password: xxxxxxx
> ldap-hostname: xxxxxxxx
> ldap-port: 389
> ldap-user-base-dn: CN=Users,DC=gsbldap,DC=local
> ldap-search-bind-dn: CN=guacadmin,CN=Users,DC=gsbldap,DC=local
> ldap-search-bind-password: xxxxxxxx
> ldap-username-attribute: sAMAccountName
> ldap-follow-referrals:false

This looks pretty similar to the configuration that I use with AD, so I'm guessing everything is okay, here, but hard to say for sure.  Based on the fact that you're using Azure MySQL, I'm guessing you're also using Azure AD - I have no direct experience with that, as my AD environment is on-premise, so I don't know if that could impact things.  My only suspicion at this point is around SSL connectivity to AD - maybe it's trying to start up TLS and failing certificate verification?
 
> In AD, I created an administrative user called guacadmin under User and created another user called guacuser. I am able to connect to the AD (LDAP server) via ldp.exe and browse to the user from my machine. When I try to login with either guacadmin or guacuser I get the following error page:
>
> ERROR An error has occurred and this action cannot be completed. If the problem persists, please notify your system administrator or check your system logs.
>
> I checked the tomcat logs and this is what I get:
>
> 20:19:26.055 [http-nio-8080-exec-7] DEBUG o.a.g.resource.ResourceServlet - Resource not modified: "/app.css"
> 20:19:26.083 [http-nio-8080-exec-9] DEBUG o.a.g.resource.ResourceServlet - Resource not modified: "/app.js"
> 20:19:26.341 [http-nio-8080-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from 208.89.185.65 failed.
> 20:19:26.422 [http-nio-8080-exec-3] DEBUG o.a.g.resource.ResourceServlet - Resource not modified: "/translations/en.json"
> 20:19:31.435 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap - Checking for expired sessions...
> 20:19:31.436 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap - Session check completed in 1 ms.
> 20:19:36.559 [http-nio-8080-exec-4] WARN o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: ldap" within your guacamole.properties.
> 20:19:36.561 [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 208.89.185.65 for user "guacuser" failed.
>
> I followed the following tutorial to configure ldap: https://guacamole.apache.org/doc/gug/ldap-auth.html
>
> As part of the configuration for LDAP this is what I have done:
> 1. Placed the guacamole-auth-ldap-1.1.0.jar file in the GUACAMOLE_HOME/extensions folder
> 2. Updated the properties file as mentioned above
> 3. Created users in AD
> 4. Restarted Tomcat
>
> The actual reason for the failure is not evident from the logs. Can you provide some guidance on how to troubleshoot this better please?

You might want to put your Guacamole Client logging into debug mode and see if that gives you any additional insight.  It will give you a *TON* of output - the Apache Directory API is very verbose when you get to the DEBUG level, so you'll have to parse through a ton of output to get the relevant messages - and, once you get them, you'll want to set logging back to normal levels.


-Nick
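One way to get past the opaque "internal error" is to replay, outside Guacamole, the same three steps the LDAP extension performs for a login: bind with ldap-search-bind-dn, search ldap-user-base-dn for the ldap-username-attribute value, then bind as the DN that search returned. Whichever step fails here is the step failing inside Guacamole. The script below is an added example, not Nick's code and not part of the Guacamole project. It assumes the python-ldap3 library is installed, that the extension searches the base DN as a subtree with a filter of the form (&(objectClass=*)(sAMAccountName=...)) (the default ldap-user-search-filter; the exact filter is not shown on this page), and it reads the same property names that appear in the post (ldap-hostname, ldap-port, ldap-user-base-dn, ldap-search-bind-dn, ldap-search-bind-password, ldap-username-attribute, plus ldap-encryption-method):

```python
"""Replay the bind / search / bind sequence guacamole-auth-ldap performs for
one login, so a failure can be localized to a step.  Added example, not
Guacamole project code; values come from the guacamole.properties you pass."""
import argparse
import getpass
import ssl

# RFC 4515 section 3: these characters must be escaped inside a filter value,
# otherwise a username such as "*" or "x)(objectClass=*" rewrites the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username, username_attribute="sAMAccountName"):
    """User-search filter; the (objectClass=*) term mirrors the extension's
    default ldap-user-search-filter (an assumption, not shown on the page)."""
    return "(&(objectClass=*)(%s=%s))" % (username_attribute, escape_filter_value(username))


def load_guacamole_properties(text):
    """Parse 'key: value' / 'key=value' lines the way Java properties are read;
    tolerates the missing space in 'ldap-follow-referrals:false'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cuts = [i for i in (line.find(":"), line.find("=")) if i >= 0]
        if not cuts:
            continue
        idx = min(cuts)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def check_ldap_login(props, username, user_password):
    """Return ("ok", user_dn), or (failing_step, detail) for the first failure."""
    if not user_password:
        # An empty password would be an "unauthenticated bind" (RFC 4513 5.1.2),
        # which AD answers with success as anonymous; never send it.
        return ("user-bind", "empty password refused")

    import ldap3  # imported here so the pure helpers above run without it

    method = props.get("ldap-encryption-method", "none").lower()
    # Verify the AD certificate; add ca_certs_file=... if the AD CA is not in
    # the system trust store.  With method "none" no TLS is used at all and the
    # search-bind password crosses the network in clear.
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED)
    server = ldap3.Server(props["ldap-hostname"], port=int(props.get("ldap-port", 389)),
                          use_ssl=(method == "ssl"), tls=tls, get_info=ldap3.NONE)

    # Step 1: bind as the service account from ldap-search-bind-dn.
    conn = ldap3.Connection(server, user=props["ldap-search-bind-dn"],
                            password=props["ldap-search-bind-password"],
                            raise_exceptions=False)
    if method == "starttls" and not conn.start_tls():
        return ("starttls", conn.result)
    if not conn.bind():
        return ("search-bind", conn.result)

    # Step 2: locate exactly one user under ldap-user-base-dn.
    attr = props.get("ldap-username-attribute", "uid")  # uid is the extension default
    conn.search(props["ldap-user-base-dn"], build_user_filter(username, attr),
                search_scope=ldap3.SUBTREE, attributes=[attr])
    hits = [e.entry_dn for e in conn.entries]
    conn.unbind()
    if len(hits) != 1:
        return ("search", "%d entries matched" % len(hits))

    # Step 3: bind as the user with the password typed at the Guacamole login.
    user_conn = ldap3.Connection(server, user=hits[0], password=user_password,
                                 raise_exceptions=False)
    if method == "starttls" and not user_conn.start_tls():
        return ("starttls", user_conn.result)
    if not user_conn.bind():
        return ("user-bind", user_conn.result)
    user_conn.unbind()
    return ("ok", hits[0])


def main():
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("properties", help="path to guacamole.properties")
    ap.add_argument("username", help="value of the ldap-username-attribute")
    args = ap.parse_args()
    with open(args.properties) as fh:
        props = load_guacamole_properties(fh.read())
    step, detail = check_ldap_login(props, args.username, getpass.getpass("Password: "))
    print("%s: %s" % (step, detail))


if __name__ == "__main__":
    main()
```

Run it as `python ldap_check.py /etc/guacamole/guacamole.properties guacuser` on the Tomcat host, so the test uses the same network path and trust store as the web application; a failure at "search-bind" points at the service account DN or password (or a referral, given ldap-follow-referrals is false), at "search" at the base DN or attribute, and at "user-bind" at the user's own credentials. Two caveats: the warning's suggestion of "skip-if-unavailable: ldap" only tells Guacamole to ignore the LDAP failure and continue with the remaining providers (here MySQL), so it hides the problem rather than fixing it; and with ldap-port 389 and no ldap-encryption-method the search-bind password is sent in plaintext, so once the bind works it is worth moving to "ldap-encryption-method: ssl" (port 636) or "starttls".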

Re: LDAP Authentication not working

sougatasen
Thanks for the reply. I am using Windows AD not Azure AD and also I tried
with MySQL on Ubuntu. The MySQL authentication works well, but the LDAP
Authentication still gives me the same error:

WARN o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider
has encountered an internal error which will halt the authentication
process. If this is unexpected or you are the developer of this
authentication provider, you may wish to enable debug-level logging. If this
is expected and you wish to ignore such failures in the future, please set
"skip-if-unavailable: ldap" within your guacamole.properties.

I have configured the logs to be at the debug level, but could not find anything
helpful in either catalina.out or syslog.



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/