Krzysztof Gorny created GUACAMOLE-2027:
------------------------------------------

             Summary: Problems with LDAPS authentication
                 Key: GUACAMOLE-2027
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2027
             Project: Guacamole
          Issue Type: Bug
          Components: guacamole-auth-ldap
    Affects Versions: 1.5.5
         Environment: Ubuntu 24.04
            Reporter: Krzysztof Gorny
             Fix For: 1.5.5


I would like to ask you for help. In our environment we are installing a fresh
Guacamole Server in version 1.5.5 on the latest Ubuntu Server 24.04. We are
configuring Guacamole to use a PostgreSQL database, so we are also installing
PostgreSQL in ver 42.7.5. During configuration we are also installing Java in
the version below:
openjdk version "21.0.5" 2024-10-15
OpenJDK Runtime Environment (build 21.0.5+11-Ubuntu-1ubuntu124.04)
OpenJDK 64-Bit Server VM (build 21.0.5+11-Ubuntu-1ubuntu124.04, mixed mode, sharing)

We also need authentication with our Active Directory.
We installed Tomcat9 and also guacamole-auth-ldap-1.5.5. After that we added
our CA certificate to the Java trust store:
/usr/lib/jvm/java-21-openjdk-amd64/bin/keytool -import -trustcacerts -keystore /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts -storepass changeit -noprompt -alias RootCA -file /etc/ssl/certs/RootCAcert.pem

and to the Ubuntu CA store:
cp RootCAcert.crt /usr/local/share/ca-certificates
update-ca-certificates


We confirmed that the certificate and the port are working, as we performed the
query below and the connection was successful:
ldapsearch -xLLLH ldaps://FQDNofLDAP:636 -D "cn=AccountFromGuacamole.Properties" -w "CorrectPassword" -b "ldap-user-base-dnEntry" -s sub "(sAMAccountName=UserFromAD)" sAMAccountName -o tls_cacert=/etc/ssl/certs/RootCAcert.pem
 
After that we configured guacamole.properties with the correct values as follows:
ldap-hostname: FQDNofLDAP
ldap-port: 636
ldap-encryption-metod: ssl
ldap-user-base-dn: CorrectlyFulfilled
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: CorrectlyFulfilled
ldap-search-bind-password: CorrectPassword@Ap7

We restarted tomcat9 and guacd.

Unfortunately, after the above actions we have a problem. When we try to log in
to Guacamole using our AD credentials we receive the error "Invalid Login" on
the website. In the catalina.out log we see these errors:
[2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "FQDNofLDAP" as user "cn=AccountFromGuacamole.Properties" failed: PROTOCOL_ERROR: The server will disconnect!
[2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=AccountFromGuacamole.Properties"
[2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] INFO  o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user "UserFromAD" using LDAP server "FQDNofLDAP". Proceeding with next server...
[2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] INFO  o.a.g.a.l.AuthenticationProviderService - User "testuser" did not successfully authenticate against any LDAP server.
[2025-01-30 08:55:15] [info] 08:55:15.644 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.18.8.7 for user "UserFromAD" failed.

When we configured logback.xml to show debug events we also see the errors below:
[2025-01-30 13:22:23] [info] 13:22:23.281 [NioProcessor-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04137_NOD_RECEIVED ()
[2025-01-30 13:22:23] [info] 13:22:23.281 [NioProcessor-1] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04137_NOD_RECEIVED ()
[2025-01-30 13:22:23] [info] 13:22:23.288 [http-nio-8080-exec-9] DEBUG o.a.d.l.c.api.LdapNetworkConnection - MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
[2025-01-30 13:22:23] [info] Message ID : -1
[2025-01-30 13:22:23] [info]     BindResponse
[2025-01-30 13:22:23] [info]         Ldap Result
[2025-01-30 13:22:23] [info]             Result code : (PROTOCOL_ERROR) protocolError
[2025-01-30 13:22:23] [info]             Matched Dn : 'null'
[2025-01-30 13:22:23] [info]             Diagnostic message : 'PROTOCOL_ERROR: The server will disconnect!'
[2025-01-30 13:22:23] [info] )
[2025-01-30 13:22:23] [info] 13:22:23.289 [http-nio-8080-exec-9] ERROR o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at "FQDNofLDAP" as user "CorrectlyFulfilledDN" failed: PROTOCOL_ERROR: The server will disconnect!
[2025-01-30 13:22:23] [info] 13:22:23.289 [http-nio-8080-exec-9] DEBUG o.a.g.a.ldap.LDAPConnectionService - Unable to bind to LDAP server.
[2025-01-30 13:22:23] [info] org.apache.directory.api.ldap.model.exception.LdapProtocolErrorException: PROTOCOL_ERROR: The server will disconnect!

The problem does not occur when we change the two values below in
guacamole.properties:
ldap-port: 389
ldap-encryption-metod: none
 
Additionally, in a separate test we tried:
openssl s_client -connect FQDNofLDAP:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform pem > RootCAcert2.pem
cp RootCAcert2.pem /etc/ssl/certs/ RootCAcert2.pem
/usr/lib/jvm/java-21-openjdk-amd64/bin/keytool -import -trustcacerts -keystore /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts -storepass changeit -noprompt -alias RootCA -file /etc/ssl/certs/RootCAcert2.pem

but that certificate did not work either. Unfortunately, we would like to use
LDAPS, not only LDAP. In other programs the connection works without problems.

Could you be so kind as to help identify the problem and find a solution for this?
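As an added check (not from the reporter or the Guacamole project): a small Python script that parses the LDAP section of guacamole.properties, flags any ldap-* key that is not a documented guacamole-auth-ldap property name (a key the extension does not recognise is simply not read, so that setting keeps its default) and checks that ldap-port agrees with ldap-encryption-method. The sample input is a constructed copy of the configuration quoted in the report, and KNOWN_LDAP_KEYS is limited to the properties that appear there.

```python
import difflib
import re
# Documented guacamole-auth-ldap property names (the subset used in the report).
KNOWN_LDAP_KEYS = {
    "ldap-hostname", "ldap-port", "ldap-encryption-method",
    "ldap-user-base-dn", "ldap-username-attribute",
    "ldap-search-bind-dn", "ldap-search-bind-password",
}
VALID_METHODS = {"none", "ssl", "starttls"}
# Conventional port per method: 389 for plain LDAP and StartTLS, 636 for LDAPS.
EXPECTED_PORT = {"none": 389, "starttls": 389, "ssl": 636}

# Constructed sample mirroring the configuration quoted in the report.
SAMPLE_PROPERTIES = """\
ldap-hostname: FQDNofLDAP
ldap-port: 636
ldap-encryption-metod: ssl
ldap-user-base-dn: CorrectlyFulfilled
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: CorrectlyFulfilled
ldap-search-bind-password: CorrectPassword@Ap7
"""

def parse_properties(text):
    # 'key: value' or 'key=value' per line; comment and blank lines are skipped.
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#:=\s][^:=\s]*)\s*[:=]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_ldap_config(text):
    # Returns a list of findings; an empty list means nothing was spotted.
    props, findings = parse_properties(text), []
    for key in props:
        if key.startswith("ldap-") and key not in KNOWN_LDAP_KEYS:
            hint = difflib.get_close_matches(key, KNOWN_LDAP_KEYS, n=1)
            tip = f" (did you mean '{hint[0]}'?)" if hint else ""
            findings.append(f"unknown key '{key}' is ignored{tip}")
    # An unset (or misspelled) method leaves the extension at its default, none.
    method = props.get("ldap-encryption-method", "none")
    if method not in VALID_METHODS:
        findings.append(f"invalid ldap-encryption-method '{method}'")
    port = props.get("ldap-port", "")
    if port.isdigit() and method in EXPECTED_PORT and int(port) != EXPECTED_PORT[method]:
        findings.append(f"ldap-port {port} does not match method '{method}' "
                        f"(expected {EXPECTED_PORT[method]})")
    return findings
```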



--
This message was sent by Atlassian Jira
(v8.20.10#820010)