auth-ldap 1.1.0/1.2.0 not bind


auth-ldap 1.1.0/1.2.0 not bind

Henri Alves de Godoy
Hello guys,

I just signed up to the list and this is my first request for help.

I can only authenticate with LDAP using version 1.0.0.

I know that for versions > 1.1.0 there was a change to api-ldap.

How to know or how to install api-ldap on the server?

I believe that I don't have the api-ldap configured, as I can't list the users when I enter the administration area.

Otherwise I have to go back to version 1.0.0 in order to use it.

Can you help me?

Thanks

-- 
Henri Alves Godoy
Tecnologia da Informação e Comunicação
Faculdade de Ciências Aplicadas - FCA
Universidade Estadual de Campinas - UNICAMP
Phone: (19) 3701-6682

Re: auth-ldap 1.1.0/1.2.0 not bind

vnick
On Tue, Jun 30, 2020 at 17:15 Henri Alves de Godoy <[hidden email]> wrote:
Hello guys,

I just signed up to the list and this is my first request for help.

I can only authenticate with LDAP using version 1.0.0.

You’ll need to explain what issues you’re seeing with the 1.1.0 and 1.2.0 versions of the LDAP extension.  Please post log messages and errors you’re receiving.


I know that for version> 1.1.0 there was a change to api-ldap.

How to know or how to install api-ldap on the server?

Yes, the 1.1.0 and later versions use the Apache library instead of the old Novell library.  However, everything you need for the LDAP support is included with the extension - there are no other dependencies to install.


I believe that I don't have the api-ldap configured, as I can't list the users when I enter the administration area.

You will only see LDAP users in the admin area if you log in successfully with an LDAP account.

-Nick

Re: auth-ldap 1.1.0/1.2.0 not bind

Henri Alves de Godoy
Hi Nick, thanks for the reply!

My configuration:

guacd-hostname: localhost
guacd-port: 4822

auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider

ldap-hostname: server
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: ou=Users,ou=ADM,ou=FCA,dc=fca,dc=unicamp,dc=br
ldap-search-bind-dn: cn=userldap,ou=FCA,dc=fca,dc=unicamp,dc=br
ldap-search-bind-password: pass
ldap-username-attribute: sAMAccountName
ldap-follow-referrals: true

mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacadmin
mysql-password: pass

And the log does not show anything or any error, but it is not binding with AD LDAP:

Jun 30 20:28:41 remoto server: 20:28:41.435 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - [2] Binding AuthenticationProvider "org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider".
Jun 30 20:28:41 remoto server: 20:28:41.627 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule - Extension "LDAP Authentication" loaded.
Jun 30 20:30:58 remoto server: 20:30:58.633 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - [2] Binding AuthenticationProvider "org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider".
Jun 30 20:30:58 remoto server: 20:30:58.815 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule - Extension "LDAP Authentication" loaded.

Jun 30 20:34:00 remoto server: Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
Jun 30 20:34:01 remoto server: 20:34:01.082 [http-bio-8443-exec-1] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
Jun 30 20:34:01 remoto server: 20:34:01.082 [http-bio-8443-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [143.106.230.18, 143.106.231.10] failed.
Jun 30 20:34:07 remoto server: 20:34:07.391 [http-bio-8443-exec-3] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.
Jun 30 20:34:07 remoto server: 20:34:07.494 [http-bio-8443-exec-3] INFO  o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from [143.106.230.18, 143.106.231.10].
Jun 30 20:34:07 remoto server: 20:34:07.539 [http-bio-8443-exec-3] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
Jun 30 20:34:07 remoto server: 20:34:07.563 [http-bio-8443-exec-3] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "guacadmin".
Jun 30 20:34:07 remoto server: 20:34:07.810 [http-bio-8443-exec-7] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.
Jun 30 20:34:07 remoto server: 20:34:07.828 [http-bio-8443-exec-7] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.
Jun 30 20:34:08 remoto server: 20:34:08.076 [http-bio-8443-exec-3] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.

Thanks for the help!



Re: auth-ldap 1.1.0/1.2.0 not bind

Nick Couchman
On Tue, Jun 30, 2020 at 19:07 Henri Alves de Godoy <[hidden email]> wrote:
Hi Nick, thanks for the reply!

My configuration:

guacd-hostname: localhost
guacd-port: 4822

auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider

This option is not valid and will have no effect.


ldap-hostname: server
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: ou=Users,ou=ADM,ou=FCA,dc=fca,dc=unicamp,dc=br
ldap-search-bind-dn: cn=userldap,ou=FCA,dc=fca,dc=unicamp,dc=br
ldap-search-bind-password: pass
ldap-username-attribute: sAMAccountName
ldap-follow-referrals: true

Unless you need referrals enabled for traversing your LDAP directory you might try turning this option off.


mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacadmin
mysql-password: pass

And the log does not show anything or any error, but it is not binding with AD LDAP:

Jun 30 20:28:41 remoto server: 20:28:41.435 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - [2] Binding AuthenticationProvider "org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider".
Jun 30 20:28:41 remoto server: 20:28:41.627 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule - Extension "LDAP Authentication" loaded.
Jun 30 20:30:58 remoto server: 20:30:58.633 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - [2] Binding AuthenticationProvider "org.apache.guacamole.auth.ldap.LDAPAuthenticationProvider".
Jun 30 20:30:58 remoto server: 20:30:58.815 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule - Extension "LDAP Authentication" loaded.

Jun 30 20:34:00 remoto server: Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
Jun 30 20:34:01 remoto server: 20:34:01.082 [http-bio-8443-exec-1] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
Jun 30 20:34:01 remoto server: 20:34:01.082 [http-bio-8443-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [143.106.230.18, 143.106.231.10] failed.
Jun 30 20:34:07 remoto server: 20:34:07.391 [http-bio-8443-exec-3] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.
Jun 30 20:34:07 remoto server: 20:34:07.494 [http-bio-8443-exec-3] INFO  o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from [143.106.230.18, 143.106.231.10].
Jun 30 20:34:07 remoto server: 20:34:07.539 [http-bio-8443-exec-3] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
Jun 30 20:34:07 remoto server: 20:34:07.563 [http-bio-8443-exec-3] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "guacadmin".
Jun 30 20:34:07 remoto server: 20:34:07.810 [http-bio-8443-exec-7] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.
Jun 30 20:34:07 remoto server: 20:34:07.828 [http-bio-8443-exec-7] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.
Jun 30 20:34:08 remoto server: 20:34:08.076 [http-bio-8443-exec-3] DEBUG o.a.g.a.mysql.conf.MySQLEnvironment - Database recognized as MySQL 5.5.65.

Does the guacadmin user also exist in your LDAP directory?  It looks from these like you’re authenticating with guacadmin successfully and the JDBC user is logging that user in.  What happens when you attempt to authenticate with a user from your LDAP directory?

Keep in mind that, unless the guacadmin user exists in your LDAP directory and has the same password as the database user, you won’t be able to see any of the LDAP users with the guacadmin user.  The search user that you specify in the configuration file is only ever used to attempt to locate the user logging in - it is *not* used to enumerate all available users, groups, and/or configurations from LDAP.  Those operations are done as the user who actually logs in.

-Nick
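Nick's point (the search account only locates the DN of the person logging in; listing users and groups afterwards runs under that person's own bind) is the part of the 1.1.0+ behaviour that is easiest to misread, so here is an added illustration written for this thread. It is not Guacamole's own code: it models the two-step bind and the way the LDAP and MySQL modules each check the same credentials, using the DNs and attribute from Henri's configuration. The directory entries, the passwords, and the simplified "session sees whatever each successful provider exposes" model are constructed assumptions.

```python
"""Added illustration for this thread (not Guacamole's own code): how the
1.1.0+ LDAP extension authenticates and why the configured search account
never enumerates users on the administrator's behalf.

Flow per login attempt (a simplified model of the real extension):
  1. bind as ldap-search-bind-dn / ldap-search-bind-password
  2. search under ldap-user-base-dn for <ldap-username-attribute>=<username>
  3. bind again as the DN that was found, with the password the user typed
  4. every later directory query (listing users, groups) runs as that user
The MySQL module checks the same username/password against its own table;
the session then sees whatever each successful provider exposes.
"""

# Values taken from the configuration posted earlier in the thread.
USER_BASE_DN = "ou=Users,ou=ADM,ou=FCA,dc=fca,dc=unicamp,dc=br"
SEARCH_BIND_DN = "cn=userldap,ou=FCA,dc=fca,dc=unicamp,dc=br"
USERNAME_ATTRIBUTE = "sAMAccountName"

# Constructed sample data: a stand-in for the AD tree and for the
# guacamole_db user table. Plaintext passwords are for the demo only.
SEARCH_BIND_PASSWORD = "search-secret"
DIRECTORY = {
    SEARCH_BIND_DN: {"password": SEARCH_BIND_PASSWORD, "sAMAccountName": "userldap"},
    "cn=guacadmin," + USER_BASE_DN: {"password": "ldap-pass", "sAMAccountName": "guacadmin"},
    "cn=alice," + USER_BASE_DN: {"password": "alice-pw", "sAMAccountName": "alice"},
}
MYSQL_USERS = {"guacadmin": "db-pass"}


def ldap_bind(dn, password):
    """Simple bind: True only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password


def ldap_find_user_dn(username):
    """Steps 1 and 2: bind as the search account, then locate the user's DN."""
    if not ldap_bind(SEARCH_BIND_DN, SEARCH_BIND_PASSWORD):
        return None  # wrong search credentials: nobody can be located
    matches = [dn for dn, entry in DIRECTORY.items()
               if dn.endswith(USER_BASE_DN) and entry[USERNAME_ATTRIBUTE] == username]
    return matches[0] if len(matches) == 1 else None  # absent or ambiguous


def ldap_list_users(bound_dn):
    """Step 4: enumerate users under the base DN as the logged-in user.
    Nothing is listed when there is no authenticated bind (None)."""
    if bound_dn is None:
        return []
    return sorted(entry[USERNAME_ATTRIBUTE]
                  for dn, entry in DIRECTORY.items() if dn.endswith(USER_BASE_DN))


def ldap_authenticate(username, password):
    """Steps 1 to 3; returns the user's DN on success, None on failure."""
    user_dn = ldap_find_user_dn(username)
    if user_dn is None or not ldap_bind(user_dn, password):
        return None
    return user_dn


def mysql_authenticate(username, password):
    """Stand-in for the JDBC module's own credential check."""
    return MYSQL_USERS.get(username) == password


def login(username, password):
    """Try both providers with the same credentials and describe the session."""
    user_dn = ldap_authenticate(username, password)
    db_ok = mysql_authenticate(username, password)
    providers = (["ldap"] if user_dn else []) + (["mysql"] if db_ok else [])
    return {
        "authenticated": bool(providers),
        "providers": providers,
        # Enumeration uses the user's own bind, never the search account.
        "ldap_users": ldap_list_users(user_dn),
    }


if __name__ == "__main__":
    # guacadmin with the database password: MySQL login only, so no LDAP users.
    print(login("guacadmin", "db-pass"))
    # guacadmin with the LDAP password: LDAP login, directory users visible.
    print(login("guacadmin", "ldap-pass"))
    # The search account lives outside the user base DN and cannot log in.
    print(login("userldap", SEARCH_BIND_PASSWORD))
```

The first two calls reproduce the two situations in the thread: with the database password guacadmin authenticates through MySQL alone and the LDAP user list is empty; with the LDAP password the same account authenticates through LDAP and the directory users appear. The third call shows why keeping the search account outside the user base DN is a useful least-privilege default: it can locate users but cannot itself log in.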

Re: auth-ldap 1.1.0/1.2.0 not bind

Henri Alves de Godoy
Hi Nick,

Yes, I created the same guacadmin user in LDAP as well, with the same password, just like the account in MySQL.

In version 1.0.0, I see all my users through the guacadmin account without any problems.

What configuration is missing in the configuration file to list all users, groups and/or settings available in LDAP, so that they appear in the guacadmin user list?

I believe that this detail is the big difference between the versions and that it is causing a misunderstanding.

What can be done so that the guacadmin user can perform these operations and list users and groups, in order to assign the connections that we want to each user?

Thanks!

Henri


Re: auth-ldap 1.1.0/1.2.0 not bind

Henri Alves de Godoy
Hi Nick,

I just performed a test: I set different guacadmin passwords for LDAP and MySQL.

When I log in as that user with the LDAP password, it now shows the users. Wow, I can't believe it.

I thought I would be stuck forever on version 1.0.0.

But another problem: LDAP login is taking about 8 to 12 seconds. Too much time for the user.

I believe it is because, when logging in, it is looking up all kinds of user attributes. Any way to solve this and make it quick?

See example:

Jun 30 23:04:43 remoto server: 23:04:42.952 [NioProcessor-1] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (givenName)
Jun 30 23:04:43 remoto server: 23:04:42.956 [NioProcessor-1] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (distinguishedName)
Jun 30 23:04:43 remoto server: 23:04:42.960 [NioProcessor-1] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (instanceType)
Jun 30 23:04:43 remoto server: 23:04:42.963 [NioProcessor-1] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (whenCreated)
Jun 30 23:04:43 remoto server: 23:04:42.967 [NioProcessor-1] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (whenChanged)
Jun 30 23:06:30 remoto server: 23:06:30.203 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (objectClass)
Jun 30 23:06:30 remoto server: 23:06:30.210 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (cn)
Jun 30 23:06:30 remoto server: 23:06:30.214 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (c)
Jun 30 23:06:30 remoto server: 23:06:30.219 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (l)
Jun 30 23:06:30 remoto server: 23:06:30.223 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (st)
Jun 30 23:06:30 remoto server: 23:06:30.227 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (title)
Jun 30 23:06:30 remoto server: 23:06:30.231 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (description)
Jun 30 23:06:30 remoto server: 23:06:30.235 [NioProcessor-4] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (postalCode)
Jun 30 23:06:38 remoto server: 23:06:36.307 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (name)
Jun 30 23:06:38 remoto server: 23:06:36.308 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (objectGUID)
Jun 30 23:06:38 remoto server: 23:06:36.310 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (userAccountControl)
Jun 30 23:06:38 remoto server: 23:06:36.311 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (badPwdCount)
Jun 30 23:06:38 remoto server: 23:06:36.312 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (codePage)
Jun 30 23:06:38 remoto server: 23:06:36.313 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (countryCode)
Jun 30 23:06:38 remoto server: 23:06:36.315 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (badPasswordTime)
Jun 30 23:06:38 remoto server: 23:06:36.316 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (lastLogoff)
Jun 30 23:06:38 remoto server: 23:06:36.317 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (lastLogon)
Jun 30 23:06:38 remoto server: 23:06:36.319 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (pwdLastSet)
Jun 30 23:06:38 remoto server: 23:06:36.320 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (primaryGroupID)
Jun 30 23:06:38 remoto server: 23:06:36.321 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (objectSid)
Jun 30 23:06:38 remoto server: 23:06:36.323 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (adminCount)
Jun 30 23:06:38 remoto server: 23:06:36.324 [NioProcessor-6] DEBUG o.a.d.a.l.c.a.r.s.e.AddAttributeType - MSG_05179_ATTRIBUTE_TYPE (accountExpires)

Thanks

Henri.


Re: auth-ldap 1.1.0/1.2.0 not bind

vnick
On Tue, Jun 30, 2020 at 10:15 PM Henri Alves de Godoy <[hidden email]> wrote:
Hi Nick,

I just performed a test: I set different guacadmin passwords for LDAP and MySQL.

When I log in as that user with the LDAP password, it now shows the users. Wow, I can't believe it.

I thought I would be stuck forever on version 1.0.0.

But another problem: LDAP login is taking about 8 to 12 seconds. Too much time for the user.

I believe it is because, when logging in, it is looking up all kinds of user attributes. Any way to solve this and make it quick?


You need to turn off debugging in the web application by setting the level in logback.xml back to its default value of "info" rather than "debug".  The Apache Directory API is very verbose in its logging at the debug level, and this can cause delays in the login.

-Nick

Re: auth-ldap 1.1.0/1.2.0 not bind

Henri Alves de Godoy
Hi Nick,

Thanks, that's right, it works now. Quick login to Guacamole using ldap-1.2.0.

It is also possible to list the AD users via LDAP in guacadmin for machine assignment.

Problems solved and everything updated to 1.2.0.

Thank you

Henri.


Re: auth-ldap 1.1.0/1.2.0 not bind

carlog
I, too, think I'm forever stuck on 1.0.0.  After my failures in staging
1.2.0, I was excited to try stable 1.2.0, however I just cannot get LDAP to
work.

This time around, there is nothing in my AD log from this guac server
running stable 1.2.0, and there is nothing about LDAP at all in my catalina
logs.  I cannot log in as any AD user either, it immediately says the login
failed.  However, guacamole-auth-ldap-1.2.0.jar exists in
/var/lib/guacamole/extensions folder.



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: auth-ldap 1.1.0/1.2.0 not bind

vnick
On Mon, Jul 6, 2020 at 12:38 PM carlog <[hidden email]> wrote:
I, too, think I'm forever stuck on 1.0.0.  After my failures in staging
1.2.0, I was excited to try stable 1.2.0, however I just cannot get LDAP to
work.

This time around, there is nothing in my AD log from this guac server
running stable 1.2.0, and there is nothing about LDAP at all in my catalina
logs.  I cannot log in as any AD user either, it immediately says the login
failed.  However, guacamole-auth-ldap-1.2.0.jar exists in
/var/lib/guacamole/extensions folder.


You might try switching over to /etc/guacamole for the GUACAMOLE_HOME directory.  This changed to the default several releases ago, and, unless you have linked /etc/guacamole to /var/lib/guacamole, you might be having issues if the files are not in the expected location.  I would suggest just moving everything to /etc/guacamole and working from there.

-Nick

Re: auth-ldap 1.1.0/1.2.0 not bind

carlog
Just tried that - no luck.  Even before moving the extensions, I think it
should have worked because the totp extension is there, and that one works
successfully.  LDAP doesn't seem to be doing anything at all.




Re: auth-ldap 1.1.0/1.2.0 not bind

carlog
OK.  Complete reinstall (fresh guacamole), and now I'm seeing LDAP queries
hit my AD server.  I still can't log in.  When I try an AD/LDAP user with
the correct user name and password, I get a full white screen with an error
that says "An error has occurred and this action cannot be completed. If the
problem persists, please notify your system administrator or check your
system logs."




Re: auth-ldap 1.1.0/1.2.0 not bind

carlog
Looking at the localhost_access_log, I see these

"POST /guacamole/api/tokens HTTP/1.1" 500 214
"POST /guacamole/api/tokens HTTP/1.1" 403 269

I believe I have the logging level at FINEST, but I'm not sure how to see
what's causing these 500 and 403 errors.





Re: auth-ldap 1.1.0/1.2.0 not bind

vnick
On Tue, Jul 7, 2020 at 12:56 PM carlog <[hidden email]> wrote:
Looking at the localhost_access_log, I see these

"POST /guacamole/api/tokens HTTP/1.1" 500 214
"POST /guacamole/api/tokens HTTP/1.1" 403 269


The Tomcat catalina.out should contain some more helpful error messages.  Access log is just going to give you the access requests and not going to give you much information as to why that 500 is happening.

-Nick

Re: auth-ldap 1.1.0/1.2.0 not bind

carlog
My catalina.out only has 1 line.

tomcat-7.0.76 RPM installed





Re: auth-ldap 1.1.0/1.2.0 not bind

mjumper
Administrator
Your Tomcat logs are likely in the systemd journal (viewed using journalctl).

- Mike

On Tue, Jul 7, 2020, 10:17 carlog <[hidden email]> wrote:
My catalina.out only has 1 line.

tomcat-7.0.76 RPM installed





Re: auth-ldap 1.1.0/1.2.0 not bind

carlog
Ah!  Now we're getting somewhere.

INO o.a.g.r.auth.AuthenticationService - User "myuser" successfully
authenticated from [ipaddress].
ERROR o.a.g.rest.RESTExceptionMapper - Unexpected internal error:
### Error updating database.  Cause:
java.sql.SQLIntegrityConstraintViolationException: Column 'user_id' cannot
be null
### The error may involve
org.apache.guacamole.auth.jdbc.user.UserMapper.insertAttributes-Inline
eters
### The error occurred while setting parameters
### SQL: INSERT INTO guacamole_user_attribute (
user_id,attribute_name,attribute_value)
### Cause: java.sql.SQLIntegrityConstraintViolationException: Column
'user_id' cannot be null








Re: auth-ldap 1.1.0/1.2.0 not bind

vnick
On Tue, Jul 7, 2020 at 2:49 PM carlog <[hidden email]> wrote:
Ah!  Now we're getting somewhere.

INO o.a.g.r.auth.AuthenticationService - User "myuser" successfully
authenticated from [ipaddress].
ERROR o.a.g.rest.RESTExceptionMapper - Unexpected internal error:
### Error updating database.  Cause:
java.sql.SQLIntegrityConstraintViolationException: Column 'user_id' cannot
be null
### The error may involve
org.apache.guacamole.auth.jdbc.user.UserMapper.insertAttributes-Inline
eters
### The error occurred while setting parameters
### SQL: INSERT INTO guacamole_user_attribute (
user_id,attribute_name,attribute_value)
### Cause: java.sql.SQLIntegrityConstraintViolationException: Column
'user_id' cannot be null



You said earlier that you have the TOTP extension installed?  If that's the case, you likely need to enable the option to auto-create users within the database.  Depending on what DB you're using, this is done with one of the following options:

mysql-auto-create-accounts: true
postgresql-auto-create-accounts: true
sqlserver-auto-create-accounts: true

This will allow users authenticated through LDAP to be automatically created in the JDBC module, which will then allow them to be configured for TOTP.

-Nick
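The failure Nick describes (LDAP authenticates the user, the JDBC module has no row for that user, and the TOTP extension's attribute insert then fails with a NULL user_id) is easy to miss when an install script writes guacamole.properties for you. The following checker is an example added to this thread, not code from Guacamole or its install scripts: it parses a properties file, works out which JDBC backend is installed from the extension jar names, and reports when the matching <backend>-auto-create-accounts option is missing or not true. The sample properties, the extension jar file names, and the LDAP hostname and base DN are constructed for the example.

```python
"""Offline consistency check for a Guacamole LDAP + JDBC + TOTP setup.

Example code added to this thread (not part of Guacamole). The
<backend>-auto-create-accounts property names are the ones quoted in the
thread; the sample guacamole.properties and extension jar list below are
constructed and are not taken from any real installation.
"""
import re

# Constructed sample: the kind of file an install script might leave behind,
# with LDAP and MySQL configured but no auto-create option.
SAMPLE_PROPERTIES = """\
# guacamole.properties (constructed sample)
guacd-hostname: localhost
guacd-port:     4822

ldap-hostname: ldap.example.test
ldap-port: 389
ldap-user-base-dn: ou=people,dc=example,dc=test
ldap-username-attribute: sAMAccountName

mysql-hostname = localhost
mysql-database = guacamole_db
mysql-username = guacamole_user
mysql-password = [placeholder]
"""

# Constructed sample: jar files one would find in GUACAMOLE_HOME/extensions/
SAMPLE_EXTENSIONS = [
    "guacamole-auth-ldap-1.2.0.jar",
    "guacamole-auth-jdbc-mysql-1.2.0.jar",
    "guacamole-auth-totp-1.2.0.jar",
]


def parse_properties(text):
    """Parse the .properties subset Guacamole uses: 'key: value' or
    'key = value', '#'/'!' comment lines, blank lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def detect_backend(extension_jars):
    """Return the JDBC backend implied by the installed jars, or None."""
    for jar in extension_jars:
        m = re.match(r"guacamole-auth-jdbc-(mysql|postgresql|sqlserver)-", jar)
        if m:
            return m.group(1)
    return None


def has_extension(extension_jars, name):
    """True if an extension jar named guacamole-auth-<name>-* is installed."""
    return any(jar.startswith("guacamole-auth-%s-" % name) for jar in extension_jars)


def check_auto_create(props, extension_jars):
    """Return a list of findings; an empty list means the setup is consistent.

    With LDAP doing authentication and a JDBC backend storing per-user data,
    the backend must be allowed to create accounts for users it has never
    seen, otherwise inserts keyed on user_id (e.g. TOTP secrets) fail.
    """
    findings = []
    backend = detect_backend(extension_jars)
    if backend is None or not has_extension(extension_jars, "ldap"):
        return findings  # nothing to cross-check
    key = "%s-auto-create-accounts" % backend
    current = props.get(key)
    if (current or "").lower() != "true":
        findings.append(
            "%s is %s: LDAP users will not exist in the %s database, and "
            "extensions that store per-user data (such as TOTP) will fail with "
            "\"Column 'user_id' cannot be null\". Set '%s: true'."
            % (key, "unset" if current is None else repr(current), backend, key)
        )
    return findings


if __name__ == "__main__":
    for finding in check_auto_create(parse_properties(SAMPLE_PROPERTIES), SAMPLE_EXTENSIONS):
        print(finding)
```

Run against a real installation by reading GUACAMOLE_HOME/guacamole.properties into parse_properties and listing GUACAMOLE_HOME/extensions for the jar names; the check stays silent when either the LDAP or a JDBC extension is absent, since the auto-create option only matters when both are in play.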

Re: auth-ldap 1.1.0/1.2.0 not bind

carlog
Bingo!  That was it.  I tend to use install scripts like Zer0CooX or
MysticRyuujin, and those don't seem to add that if you choose TOTP.  I'll
contact them to let them know.


