If you don't want to add all your users to the Guacamole DB for authentication, you can combine the DB authentication with LDAP authentication. (You don't have to modify your LDAP.)
First download and install the LDAP auth extension:
wget http://apache.mirror.iphh.net/guacamole/1.1.0/binary/guacamole-auth-ldap-1.1.0.tar.gz
tar xvzf guacamole-auth-ldap-1.1.0.tar.gz
cp /usr/src/guacamole-auth-ldap-1.1.0/guacamole-auth-ldap-1.1.0.jar /etc/guacamole/extensions/
Now configure '/etc/guacamole/guacamole.properties' with your favorite editor and add the following lines:
# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
# LDAP properties
ldap-hostname: YOUR_LDAP_SERVER
ldap-port: 389
ldap-user-base-dn: ou=YOUR_OU,o=company,c=de
ldap-username-attribute: cn
ldap-config-base-dn: ou=YOUR_OU,o=company,c=de
ldap-encryption-method: starttls
To use TLS you have to import the certificate of the LDAP server into the Java truststore:
keytool -cacerts -importcert -alias RootCA -file RootCA.pem
Note: The default password of the keystore is "changeit".
Now restart Tomcat and test it:
systemctl restart tomcat9
Your LDAP settings may be completely different from mine.
If your server uses SSL, change the ldap-encryption-method:
ldap-encryption-method: ssl
or set it to none if you don't want to use encryption at all:
ldap-encryption-method: none
If you need to bind with a user to your LDAP server, add these lines:
ldap-search-bind-dn: cn=username,ou=YOUR_OU,o=company,c=de
ldap-search-bind-password: YOUR_PASSWORD
Here are two examples that limit the login to one or two user groups:
ldap-user-search-filter:(&(objectClass=posixAccount)(|(groupMembership=cn=YOUR_FIRST_GROUP,ou=YOUR_OU,o=company,c=de)))
ldap-user-search-filter:(&(objectClass=posixAccount)(|(groupMembership=cn=YOUR_FIRST_GROUP,ou=YOUR_OU,o=company,c=de)(groupMembership=cn=YOUR_SECOND_GROUP,ou=YOUR_OU,o=company,c=de)))
If you use a Microsoft AD server as your LDAP server, your config may look like this:
ldap-hostname: AD_SERVER
ldap-port: 389
ldap-user-base-dn: OU=Users,DC=company,DC=de
ldap-username-attribute: samAccountName
ldap-config-base-dn: OU=Users,DC=company,DC=de
ldap-encryption-method: none
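The properties block above and the group search filters are easy to get subtly wrong (port vs. encryption method, a bind DN without its password, an unbalanced filter). The following added example, not code from the original post or from the Guacamole project, parses the key: value format of guacamole.properties, builds the group-restricting search filter for any number of groups, and reports the settings a reviewer would flag; the sample hostnames, DNs and password are constructed placeholders.

```python
import re

# Constructed sample in the key: value format used by guacamole.properties;
# hostnames, DNs and the password are placeholders, not values from the post.
SAMPLE = """\
# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
ldap-hostname: ldap.example.invalid
ldap-port: 389
ldap-user-base-dn: ou=people,o=company,c=de
ldap-username-attribute: cn
ldap-config-base-dn: ou=people,o=company,c=de
ldap-encryption-method: none
ldap-search-bind-dn: cn=guacamole,ou=service,o=company,c=de
ldap-search-bind-password: placeholder-secret
"""

def parse_properties(text):
    """Parse 'key: value' lines into a dict; '#' comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def group_filter(groups, object_class="posixAccount", attr="groupMembership"):
    """Build the group-restricting ldap-user-search-filter for any number of group DNs."""
    clauses = "".join(f"({attr}={dn})" for dn in groups)
    return f"(&(objectClass={object_class})(|{clauses}))"

def lint_ldap(props):
    """Return findings about settings that weaken or break the LDAP login."""
    findings = []
    enc = props.get("ldap-encryption-method", "none")
    port = props.get("ldap-port", "389")
    if enc == "none":
        findings.append("encryption none: user and bind passwords cross the network in cleartext")
    if enc == "ssl" and port == "389":
        findings.append("encryption ssl (LDAPS) normally uses ldap-port 636, not 389")
    if enc == "starttls" and port == "636":
        findings.append("starttls is negotiated on the plain port 389; 636 expects LDAPS")
    if "ldap-search-bind-dn" in props and "ldap-search-bind-password" not in props:
        findings.append("ldap-search-bind-dn is set without ldap-search-bind-password")
    filt = props.get("ldap-user-search-filter", "")
    if filt.count("(") != filt.count(")"):
        findings.append("ldap-user-search-filter has unbalanced parentheses")
    return findings
```

For an AD server pass attr="memberOf" to group_filter, matching the memberOf-based filter that appears in the comments below.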
Once your LDAP authentication works, log in one more time as guacadmin and give admin privileges to your LDAP user (add a new user with your LDAP username). Now log in again with your LDAP user. You should see all LDAP users and groups in the Guacamole admin interface.
CLAIN
9 July 2020
Doesn't work for me with Windows Server 2012 R2 – Active Directory
sebastian
9 July 2020
Hi,
I tested it with AD on Windows 2012 R2. Have you turned on the debugging (Part 1 #8)?
Martin
10 Aug. 2020
LDAP auth didn't work.
Installed on Debian 10, but when I log in to Guacamole the users do not appear.
sebastian
11 Aug. 2020
Hi,
this is normal.
You need to log in with a user which is allowed to query the LDAP.
This is why the guacadmin didn't see any users or groups.
Log in with an LDAP user (which is allowed to read all users and groups from your LDAP) and you should see your users.
Greetings
Sebastian
Martin
12 Aug. 2020
Hi Sebastian, thanks for your answer.
I've created an LDAP user, but still can't auth with Active Directory.
This is what the config looks like:
# LDAP properties
ldap-hostname: ad.local
ldap-port: 389
ldap-user-base-dn: CN=Users,dc=company,dc=local
ldap-config-base-dn: CN=Users,dc=company,dc=local
ldap-encryption-method: none
Thanks!
Leandro
10 Oct. 2020
Hi Martin,
I would like to know if you are able to solve the authentication failure, I have the same problem.
igoreshenka
19 Aug. 2020
Hi Sebastian,
Please fix the guide, you are downloading and extracting different versions of the LDAP connector.
igoreshka
20 Aug. 2020
My bad, the problem was in my env =)
Faraz
10 Nov. 2020
Hi there,
I have 2 Guacamole servers configured:
1 with Debian and XML setup
2 with Debian and Guacamole Docker
I have followed your instructions, but while downloading and installing the LDAP auth extension it gave me the following error, since there is no such directory under /usr/src/:
22:12 root@hostname [host]:~# cp /usr/src/guacamole-auth-ldap-1.1.0/guacamole-auth-ldap-1.1.0.jar /etc/guacamole/extensions/
cp: cannot stat ‚/usr/src/guacamole-auth-ldap-1.1.0/guacamole-auth-ldap-1.1.0.jar‘: No such file or directory
Shreyans Barthwal
24 Nov. 2021
Hi everyone.
I have set up Guacamole in my infra and it is working using DB users. I have done the LDAP configuration and it is getting authenticated using the service user account (has domain admin access) that was created. I am able to authenticate a user under the OU, but I am not able to authenticate any user through a group. Kindly suggest the parameters to use in guacamole.properties for authenticating groups and any other checks which need to be done so that all users under that group are reflected in my Guacamole portal.
Henning deidari
1 March 2022
Hi Shreyans Barthwal,
We encounter the same problem. Did you solve it? Every AD-Group is displaying empty membership.
Kind regards,
Henning
Henning deidari
2 March 2022
Hi Shreyans Barthwal,
we encounter the same problem. Did you solve the problem? Can you help?
highland
12 Apr. 2022
This is my working configuration; the DB installation is also required.
guacd-hostname: localhost
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: Password_here
# LDAP properties
ldap-hostname: ADserver_here
ldap-port: 389
ldap-user-base-dn: DC=domain,DC=here
ldap-username-attribute: samAccountName
ldap-config-base-dn: DC=domain,DC=here
ldap-encryption-method: none
ldap-search-bind-dn: BindUser@domain.here
ldap-search-bind-password: Password_here
ldap-user-search-filter: (|(memberOf=CN=Group1,CN=Users,DC=domain,DC=here)(memberOf=CN=Group2,CN=Users,DC=domain,DC=here))
#TOTP properties
totp-issuer: Guacamole TOTP
Vittor de Castro
5 Aug. 2022
I was reading about using LDAP to store connection data instead of using the database for it. I created a GuacConfigGroup and its guacConfigParameter is like this:
domain=contoso.com
hostname=${LDAP_POBOX}
password=${GUAC_PASSWORD}
port=3389
username=${GUAC_USERNAME}
My guacamole.properties has this at the end of the file:
ldap-user-attributes: PObox, info
The PObox attribute of the user is the IP address of the server I'm trying to connect to. When I change the hostname attribute of the guacConfigGroup to the IP or a DNS name it connects normally, but when I try to use the AD attribute it doesn't connect and I get this in the guacd syslog:
guacd[31714]: RDP server closed/refused connection: DNS lookup failed (incorrect hostname?)
Does anyone know how to see if guacd is even using the correct LDAP parameter?