[ https://issues.apache.org/jira/browse/GUACAMOLE-2027?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman closed GUACAMOLE-2027.
------------------------------------
    Resolution: Invalid

Please start your request for help on the Guacamole Mailing List - Jira is not 
a support forum, and it is likely that the issue you've encountered is just a 
configuration issue.

https://guacamole.apache.org/support/#mailing-lists

> Problems with LDAPS authentication
> ----------------------------------
>
>                 Key: GUACAMOLE-2027
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2027
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-ldap
>    Affects Versions: 1.5.5
>         Environment: Ubuntu 24.04
>            Reporter: Krzysztof Gorny
>            Priority: Critical
>              Labels: newbie
>             Fix For: 1.5.5
>
>
> I would like to ask you for help. In our environment we are installing a fresh 
> *Guacamole Server in version 1.5.5* on the latest {*}Ubuntu server 24.04{*}. We 
> are configuring Guacamole to use a PostgreSQL database, so we are also installing 
> {*}PostgreSQL in ver 42.7.5{*}. During configuration we are also installing 
> Java in the version below:
> {{openjdk version "21.0.5" 2024-10-15}}
> {{OpenJDK Runtime Environment (build 21.0.5+11-Ubuntu-1ubuntu124.04)}}
> {{OpenJDK 64-Bit Server VM (build 21.0.5+11-Ubuntu-1ubuntu124.04, mixed mode, 
> sharing)}}
> We also need authentication with our Active Directory.
> We performed the installation of *Tomcat9* and also 
> {*}Guacamole-auth-ldap-1.5.5{*}. After that we added our CA certificate to the 
> Java trust store:
> {{/usr/lib/jvm/java-21-openjdk-amd64/bin/keytool -import -trustcacerts 
> -keystore /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts -storepass 
> changeit -noprompt -alias RootCA -file /etc/ssl/certs/RootCAcert.pem}}
>  
> and to the Ubuntu CA store:
> {{cp RootCAcert.crt /usr/local/share/ca-certificates}}
> {{update-ca-certificates}}
> We confirmed that the certificate and port are working, as we performed the query 
> below and the connection was successful:
> {{ldapsearch -xLLLH ldaps://FQDNofLDAP:636 -D 
> "cn=AccountFromGuacamole.Properties" -w "CorrectPassword" -b 
> "ldap-user-base-dnEntry" -s sub "(sAMAccountName=UserFromAD)" sAMAccountName 
> -o tls_cacert=/etc/ssl/certs/RootCAcert.pem}}
>  
> After that we configured *guacamole.properties* with the correct values as 
> follows:
> {{ldap-hostname: FQDNofLDAP}}
> {{ldap-port: 636}}
> {{ldap-encryption-metod: ssl}}
> {{ldap-user-base-dn: CorrectlyFulfilled}}
> {{ldap-username-attribute: sAMAccountName}}
> {{ldap-search-bind-dn: CorrectlyFulfilled}}
> {{ldap-search-bind-password: CorrectPassword}}
> We restarted tomcat9 and guacd.
> Unfortunately, after the above actions we have a problem. When we try to log in to 
> Guacamole using our AD credentials we receive the error "Invalid Login" on the 
> website.
> In the *catalina.out* log we see these errors:
> {{[2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] ERROR 
> o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at 
> "FQDNofLDAP" as user "cn=AccountFromGuacamole.Properties" failed: 
> PROTOCOL_ERROR: The server will disconnect!}}
> {{[2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] ERROR 
> o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN 
> "cn=AccountFromGuacamole.Properties"}}
> {{[2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] INFO  
> o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user 
> "UserFromAD" using LDAP server "FQDNofLDAP". Proceeding with next server...}}
> {{[2025-01-30 08:55:15] [info] 08:55:15.643 [http-nio-8080-exec-1] INFO  
> o.a.g.a.l.AuthenticationProviderService - User "testuser" did not 
> successfully authenticate against any LDAP server.}}
> {{[2025-01-30 08:55:15] [info] 08:55:15.644 [http-nio-8080-exec-1] WARN  
> o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.18.8.7 
> for user "UserFromAD" failed.}}
> When we configured *logback.xml* to show debug events we also see the errors 
> below:
> {{[2025-01-30 13:22:23] [info] 13:22:23.281 [NioProcessor-1] DEBUG 
> o.a.d.l.c.api.LdapNetworkConnection - MSG_04137_NOD_RECEIVED ()}}
> {{[2025-01-30 13:22:23] [info] 13:22:23.281 [NioProcessor-1] DEBUG 
> o.a.d.l.c.api.LdapNetworkConnection - MSG_04137_NOD_RECEIVED ()}}
> {{[2025-01-30 13:22:23] [info] 13:22:23.288 [http-nio-8080-exec-9] DEBUG 
> o.a.d.l.c.api.LdapNetworkConnection - MSG_04100_BIND_FAIL (MessageType : 
> BIND_RESPONSE}}
> {{[2025-01-30 13:22:23] [info] Message ID : -1}}
> {{[2025-01-30 13:22:23] [info]     BindResponse}}
> {{[2025-01-30 13:22:23] [info]         Ldap Result}}
> {{[2025-01-30 13:22:23] [info]             Result code : (PROTOCOL_ERROR) 
> protocolError}}
> {{[2025-01-30 13:22:23] [info]             Matched Dn : 'null'}}
> {{[2025-01-30 13:22:23] [info]             Diagnostic message : 
> 'PROTOCOL_ERROR: The server will disconnect!'}}
> {{[2025-01-30 13:22:23] [info] )}}
> {{[2025-01-30 13:22:23] [info] 13:22:23.289 [http-nio-8080-exec-9] ERROR 
> o.a.g.a.ldap.LDAPConnectionService - Binding with the LDAP server at 
> "FQDNofLDAP" as user "CorrectlyFulfilledDN" failed: PROTOCOL_ERROR: The 
> server will disconnect!}}
> {{[2025-01-30 13:22:23] [info] 13:22:23.289 [http-nio-8080-exec-9] DEBUG 
> o.a.g.a.ldap.LDAPConnectionService - Unable to bind to LDAP server.}}
> {{[2025-01-30 13:22:23] [info] 
> org.apache.directory.api.ldap.model.exception.LdapProtocolErrorException: 
> PROTOCOL_ERROR: The server will disconnect!}}
> The problem does not occur when we change the two values below in 
> guacamole.properties:
> {{ldap-port: 389}}
> {{ldap-encryption-metod: none}}
>  
> Additionally, in a separate test we tried using:
> {{openssl s_client -connect FQDNofLDAP:636 -showcerts </dev/null 2>/dev/null 
> | openssl x509 -outform pem > RootCAcert2.pem}}
> {{cp RootCAcert2.pem /etc/ssl/certs/RootCAcert2.pem}}
> {{/usr/lib/jvm/java-21-openjdk-amd64/bin/keytool -import -trustcacerts 
> -keystore /usr/lib/jvm/java-21-openjdk-amd64/lib/security/cacerts -storepass 
> changeit -noprompt -alias RootCA -file /etc/ssl/certs/RootCAcert2.pem}}
>  
> but the certificate did not work either. Unfortunately, we would like to use 
> LDAPS, not only LDAP. In other programs the connection works without problems.
>  
> Could you be so kind as to help identify the problem and find a solution for this?
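Before taking a report like this to the mailing list, the check a practitioner would run is a lint of the ldap-* keys in guacamole.properties: guacamole-auth-ldap ignores property names it does not recognize, so a misspelled ldap-encryption-method (the report quotes ldap-encryption-metod) leaves the connector binding in plaintext to port 636, which is consistent with the PROTOCOL_ERROR above and with the bind succeeding on 389 with encryption none. The script below is an added example, not Guacamole's own code; KNOWN_LDAP_KEYS is a subset of the documented property names and SAMPLE is a constructed file with placeholder values.

```python
import difflib
import re

# Documented guacamole-auth-ldap property names (the subset I am sure of).
KNOWN_LDAP_KEYS = sorted({
    "ldap-hostname", "ldap-port", "ldap-encryption-method",
    "ldap-user-base-dn", "ldap-username-attribute",
    "ldap-search-bind-dn", "ldap-search-bind-password",
    "ldap-config-base-dn", "ldap-group-base-dn",
})
_LINE = re.compile(r"^\s*([^#!:=\s][^:=\s]*)\s*[:=]\s*(.*?)\s*$")

def parse_properties(text):
    """Minimal 'key: value' / 'key = value' parser; comments and blanks are skipped."""
    props = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def lint_ldap_config(props):
    """Flag unknown ldap-* keys (with a closest-match hint) and the
    port-636-without-ssl combination that leaves the bind in plaintext."""
    findings = []
    for key in props:
        if key.startswith("ldap-") and key not in KNOWN_LDAP_KEYS:
            hint = difflib.get_close_matches(key, KNOWN_LDAP_KEYS, n=1, cutoff=0.8)
            msg = f"unknown key '{key}' is ignored by guacamole-auth-ldap"
            if hint:
                msg += f" (did you mean '{hint[0]}'?)"
            findings.append(msg)
    port = props.get("ldap-port", "389")                    # connector defaults
    method = props.get("ldap-encryption-method", "none")
    if port == "636" and method != "ssl":
        findings.append(f"ldap-port is 636 but ldap-encryption-method resolves to "
                        f"'{method}': the bind would be plaintext LDAP on the LDAPS port")
    return findings

# Constructed sample mirroring the keys quoted in the report, with placeholder values.
SAMPLE = """\
ldap-hostname: ldap.example.test
ldap-port: 636
ldap-encryption-metod: ssl
ldap-user-base-dn: ou=people,dc=example,dc=test
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: cn=guacamole,ou=service,dc=example,dc=test
ldap-search-bind-password: placeholder-password
"""
```

Run `lint_ldap_config(parse_properties(SAMPLE))` against the sample (or against the text of a real guacamole.properties) to get the list of findings; an empty list means every ldap-* key is recognized and port and encryption agree.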



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
