[ https://issues.apache.org/jira/browse/GUACAMOLE-2127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18035062#comment-18035062 ]
Jan Thumser commented on GUACAMOLE-2127:
----------------------------------------
I am also experiencing this issue in a bare docker environment, no Kubernetes,
not even compose.
After updating from 1.5.5 to 1.6.0 non-LDAP users such as the local admin can
no longer log in and LDAP users who can log in see no connections available.
Absolutely nothing was changed except pulling the new 1.6.0 container images
for guacd and guacamole.
I configure both POSTGRES_PORT and POSTGRESQL_PORT environment variables for
the guacamole/guacamole:1.6.0 container, both are set to 5432. Reason I set
both is for compatibility, to ensure guacamole versions before and after 1.5.2
both work with this config.
This is what "docker container inspect guacamole" shows for the ENV variables:
{noformat}
"Env": [
"POSTGRES_HOSTNAME=postgres.domain.tld",
"POSTGRES_PORT=5432",
"POSTGRES_DATABASE=guacamole-db",
"POSTGRES_USER=guacamole_user",
"POSTGRES_PASSWORD=<REDACTED>",
"POSTGRES_DEFAULT_STATEMENT_TIMEOUT=20",
"POSTGRES_SOCKET_TIMEOUT=20",
"POSTGRESQL_HOSTNAME=postgres.domain.tld",
"POSTGRESQL_PORT=5432",
"POSTGRESQL_DATABASE=guacamole-db",
"POSTGRESQL_USER=guacamole_user",
"POSTGRESQL_PASSWORD=<REDACTED>",
"POSTGRESQL_DEFAULT_STATEMENT_TIMEOUT=20",
"POSTGRESQL_SOCKET_TIMEOUT=20",
"GUACAMOLE_HOME=/guacamole-home",
"WEBAPP_CONTEXT=ROOT",
"GUACD_HOSTNAME=guacd",
"GUACD_PORT=4822",
"JAVA_TOOL_OPTIONS=-Djavax.net.ssl.trustStore=\"/guacamole-home/internalca.jks\"",
"JDK_JAVA_OPTIONS=-Djavax.net.ssl.trustStore=\"/guacamole-home/internalca.jks\"",
"PATH=/usr/local/tomcat/bin:/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"JAVA_HOME=/opt/java/openjdk",
"LANG=en_US.UTF-8",
"LANGUAGE=en_US:en",
"LC_ALL=en_US.UTF-8",
"JAVA_VERSION=jdk-21.0.7+6",
"CATALINA_HOME=/usr/local/tomcat",
"TOMCAT_NATIVE_LIBDIR=/usr/local/tomcat/native-jni-lib",
"LD_LIBRARY_PATH=/usr/local/tomcat/native-jni-lib",
"TOMCAT_MAJOR=9",
"TOMCAT_VERSION=9.0.106",
"TOMCAT_SHA512=0b316af119fd9a69761c20bc7f9959513884002fc60f490af6335380a3a62549777bf35a1e8dd3c448e56da8ddcb9dc2301d3b01bba304537ca40456c650c25a",
"BAN_ENABLED=true",
"ENABLE_FILE_ENVIRONMENT_PROPERTIES=true"
]{noformat}
and this is my guacamole.properties:
{code:java}
enable-environment-properties: true
totp-issuer: Company Guacamole
totp-mode: sha1
postgresql-user-password-min-length: 8
enable-clipboard-integration: true
postgresql-ssl-mode: require
ldap-hostname: adserver.domain.tld
ldap-port: 636
ldap-encryption-method: ssl
ldap-search-bind-dn: <REDACTED_DISTINGUISHEDNAME_OF_USER>
ldap-search-bind-password: <REDACTED>
ldap-user-base-dn: DC=domain,DC=tld
ldap-username-attribute: sAMAccountName, UserPrincipalName
ldap-user-search-filter: (&(objectCategory=person)(objectClass=user)(memberOf=<REDACTED_DISTINGUISHEDNAME_OF_GROUP>))
{code}
And these are the messages I get in the guacamole container logs:
{noformat}
WARNING: The "POSTGRES_USER" environment variable has been deprecated in favor of "POSTGRESQL_USERNAME". Please migrate your configuration when possible, as support for the older name may be removed in future releases.
WARNING: The "POSTGRESQL_USER" environment variable has been deprecated in favor of "POSTGRESQL_USERNAME". Please migrate your configuration when possible, as support for the older name may be removed in future releases.
WARNING: The "POSTGRES_" prefix for environment variables has been deprecated in favor of the "POSTGRESQL_" prefix. Please migrate your configuration when possible, as support for the older prefix may be removed in future releases.
[...]
13:55:11.305 [main] ERROR o.a.g.extension.ProviderFactory - authentication provider extension failed to start: Property "postgresql-port" must be an integer.
13:55:11.306 [main] ERROR o.a.g.extension.ProviderFactory - authentication provider extension failed to start: Property "postgresql-port" must be an integer.
13:55:11.324 [main] INFO o.a.g.extension.ExtensionModule - Extension "PostgreSQL Authentication" (postgresql) loaded.
[...]
// Then, upon attempting to sign in once as a local database user account:
13:58:19.413 [http-nio-8080-exec-7] WARN o.a.g.e.AuthenticationProviderFacade - Authentication attempt ignored because the relevant authentication provider could not be loaded. Please check for errors earlier in the logs.
13:58:19.413 [http-nio-8080-exec-7] WARN o.a.g.e.AuthenticationProviderFacade - Authentication attempt ignored because the relevant authentication provider could not be loaded. Please check for errors earlier in the logs.
13:58:21.896 [http-nio-8080-exec-2] WARN o.a.g.e.AuthenticationProviderFacade - Authentication attempt ignored because the relevant authentication provider could not be loaded. Please check for errors earlier in the logs.
13:58:21.897 [http-nio-8080-exec-2] WARN o.a.g.e.AuthenticationProviderFacade - Authentication attempt ignored because the relevant authentication provider could not be loaded. Please check for errors earlier in the logs.
[...]
13:58:22.288 [http-nio-8080-exec-2] INFO o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user "guacadmin" using LDAP server "adserver.domain.tld". Proceeding with next server...
13:58:22.288 [http-nio-8080-exec-2] INFO o.a.g.a.l.AuthenticationProviderService - User "guacadmin" did not successfully authenticate against any LDAP server.
13:58:22.290 [NioProcessor-1] WARN o.a.d.l.c.api.LdapNetworkConnection - null
org.apache.mina.core.write.WriteToClosedSessionException: null
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.clearWriteRequestQueue(AbstractPollingIoProcessor.java:1192)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.removeNow(AbstractPollingIoProcessor.java:1153)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.removeSessions(AbstractPollingIoProcessor.java:864)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:694)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1583)
13:58:22.294 [http-nio-8080-exec-2] INFO o.a.g.a.b.s.InMemoryAuthenticationFailureTracker - Authentication has failed for address "10.xxx.xxx.xxx" (current total failures: 1/5).
13:58:22.294 [http-nio-8080-exec-2] WARN o.a.g.event.EventLoggingListener - Authentication attempt from 10.xxx.xxx.xxx for user "guacadmin" failed: Invalid login. (rejected by "ldap"){noformat}
I guess it's trying to authenticate the user "guacadmin" against LDAP because
it cannot make the connection to the PostgreSQL database, which obviously fails.
LDAP users can sign in, but aren't asked for their TOTP 2FA as they should be
and they see no available connections upon login.
This is quite a major breaking change, basically guacamole doesn't function at
all anymore after updating from 1.5.5 to 1.6.0.
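A log check for the failure mode shown in the comment above, as an added example that is not part of the original comment or of the Guacamole project: it flags an authentication provider that failed to start even though its extension is reported as loaded, and counts the sign-in attempts that were skipped as a result. The names `scan` and `degraded` are hypothetical, and the sample lines are constructed from the messages quoted above.

```python
import re

# Constructed sample: one copy of each relevant message quoted in the comment above.
SAMPLE_LOG = """\
13:55:11.305 [main] ERROR o.a.g.extension.ProviderFactory - authentication provider extension failed to start: Property "postgresql-port" must be an integer.
13:55:11.324 [main] INFO o.a.g.extension.ExtensionModule - Extension "PostgreSQL Authentication" (postgresql) loaded.
13:58:19.413 [http-nio-8080-exec-7] WARN o.a.g.e.AuthenticationProviderFacade - Authentication attempt ignored because the relevant authentication provider could not be loaded. Please check for errors earlier in the logs.
13:58:22.294 [http-nio-8080-exec-2] WARN o.a.g.event.EventLoggingListener - Authentication attempt from 10.xxx.xxx.xxx for user "guacadmin" failed: Invalid login. (rejected by "ldap")
"""

# Layout of the quoted lines: timestamp [thread] LEVEL logger - message
LINE = re.compile(r'^\d{2}:\d{2}:\d{2}\.\d{3} \[[^\]]+\] (\w+)\s+\S+ - (.*)$')
START_FAIL = re.compile(r'authentication provider extension failed to start: (.*)$')
LOADED = re.compile(r'Extension "[^"]+" \(([^)]+)\) loaded\.')
IGNORED = "Authentication attempt ignored because the relevant authentication provider could not be loaded"
REJECTED = re.compile(r'for user "([^"]+)" failed: .*\(rejected by "([^"]+)"\)')


def scan(log_text):
    """Summarise authentication-provider health from webapp log text."""
    report = {"startup_failures": [], "loaded": [], "ignored_attempts": 0, "rejections": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace frames, "[...]" elisions, startup WARNING banners
        msg = m.group(2)
        fail, loaded, rejected = START_FAIL.search(msg), LOADED.search(msg), REJECTED.search(msg)
        if fail and fail.group(1) not in report["startup_failures"]:
            report["startup_failures"].append(fail.group(1))  # keep each reason once
        if loaded:
            report["loaded"].append(loaded.group(1))
        if IGNORED in msg:
            report["ignored_attempts"] += 1
        if rejected:
            report["rejections"].append(rejected.groups())  # (user, rejecting provider)
    return report


def degraded(report):
    """True when a provider failed to start or sign-in attempts were skipped.
    An 'Extension ... loaded.' line is not evidence of health: in the log quoted
    above it appears right after the "postgresql-port" startup error."""
    return bool(report["startup_failures"]) or report["ignored_attempts"] > 0


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    print(result, "degraded:", degraded(result))
```

Feeding it the container's log output after an image upgrade gives a pass/fail signal before users are let back in.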
> Docker - Property "postgresql-port" must be an integer
> ------------------------------------------------------
>
> Key: GUACAMOLE-2127
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2127
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole
> Affects Versions: 1.6.0
> Reporter: PIERRE PINTARIC
> Priority: Minor
>
> Hello Guys,
> I am upgrading from Guacamole 1.5.5 to 1.6.0
> Everything works fine with Guacamole 1.5.5. I only change the tag version
> number to 1.6.0
> Now I have this error
> [main] ERROR o.a.g.extension.ProviderFactory - authentication provider
> extension failed to start: Property "postgresql-port" must be an integer.
> And of course, I am not able to connect to Guacamole anymore
> I am using Kubernetes instead of Docker, and the variable is set as:
> {{ - name: POSTGRES_PORT}}
> {{ value: '5432'}}
> Any idea?