Setup LDAP/AD authentication for Guacamole 1.1.0 (Part 3)

Setup LDAP/AD authentication for Guacamole 1.1.0 (Part 3)

If you don’t want to add all your users to the guacamole db for authentication you can combine the DB authentication with LDAP authentication. (You don’t have to modify your LDAP)

First download and install the LDAP auth extension:

wget http://apache.mirror.iphh.net/guacamole/1.1.0/binary/guacamole-auth-ldap-1.1.0.tar.gz
tar xvzf guacamole-auth-ldap-1.1.0.tar.gz
cp /usr/src/guacamole-auth-ldap-1.1.0/guacamole-auth-ldap-1.1.0.jar /etc/guacamole/extensions/

Now configurate ‚/etc/guacamole/guacamole.properties‘ with your favorite editor and add the following lines:

# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

# LDAP properties
ldap-hostname:           YOUR_LDAP_SERVER
ldap-port:               389
ldap-user-base-dn:       ou=YOUR_OU,o=company,c=de
ldap-username-attribute: cn
ldap-config-base-dn:     ou=YOUR_OU,c=company,c=de
ldap-encryption-method:  starttls

To use TLS i have to import the certificate of the LDAP server:

keytool -cacerts -importcert -alias RootCA -file RootCA.pem

Note: The default password of the keystore is „changeit“.

Now restart tomcat and test it:

systemctl restart tomcat9

Your LDAP-Settings may be complete different to my settings:

If your Server uses ssl please change the ldap-encryption-method:

ldap-encryption-method:  ssl

or to none if you don’t want to use encryption:

ldap-encryption-method:  none

If you need to bind with a user to your LDAP-Server add this lines:

ldap-search-bind-dn:cn=username,ou=YOUR_OU,o=company,c=de
ldap-search-bind-password:YOUR_PASSWORD

Here is an example to limit the login to one or two usergroups:

ldap-user-search-filter:(&(objectClass=posixAccount)(|(groupMembership=cn=YOUR_FIRST_GROUP,ou=YOUR_OU,o=company,c=de)))

ldap-user-search-filter:(&(objectClass=posixAccount)(|(groupMembership=cn=YOUR_FIRST_GROUP,ou=YOUR_OU,o=company,c=de)(groupMembership=cn=YOUR_SECOND_GROUP,ou=YOUR_OU,o=company,c=de)))

If you use an Microsoft AD-Server as your LDAP-Server your config maybe look like this:

ldap-hostname:           AD_SERVER
ldap-port:               389
ldap-user-base-dn:       OU=Users,DC=company,DC=de
ldap-username-attribute: samAccountName
ldap-config-base-dn:     OU=Users,DC=company,DC=de
ldap-encryption-method:  none

If your LDAP authentication works you should login one more time with the guacadmin and give admin privileges to your LDAP user (Add new User with your LDAP-Username). Now use your LDAP user and login again. You should see all LDAP users and groups in your guacamole admin.

This Post Has 14 Comments

  1. CLAIN

    9 Jul 2020 Antworten

    Don’t work for me with Windows Server 2012 R2 – Active Directory

    1. sebastian

      9 Jul 2020 Antworten

      Hi,
      i tested it with AD on Windows 2012 R2. Have you turned on the debugging (Part 1 #8)?

  2. Martin

    10 Aug 2020 Antworten

    Didn’t work LDAP auth.
    Installed on Debian 10, but when log in to Guacamole users does not appear.

    1. sebastian

      11 Aug 2020 Antworten

      Hi,
      this is normal.
      You need to login with an user which is allowed to query the LDAP.
      This ist why the guacadmin didn’t see any users or groups.
      Login with an LDAP user (which is allowed to read all users and groups from your LDAP) and you should see your users.
      Greetings
      Sebastian

      1. Martin

        12 Aug 2020 Antworten

        Hi Sebastian, thanks for your answer.
        I’ve created an LDAP user, but still cant auth with ActiveDirectory
        This is what the config looks like

        # LDAP properties
        ldap-hostname: ad.local
        ldap-port: 389
        ldap-user-base-dn: CN=Users,dc=company,dc=local
        ldap-config-base-dn: CN=Users,dc=company,dc=local
        ldap-encryption-method: none

        Thanks!

        1. Leandro

          10 Okt 2020 Antworten

          Hi Martin,
          I would like to know if you are able to solve the authentication failure, I have the same problem.

  3. igoreshenka

    19 Aug 2020 Antworten

    Hi Sebastian,

    Please fix the guide, you are download and extract different versions of ldap connectors.

    1. igoreshka

      20 Aug 2020 Antworten

      My bad, problem was in my env =)

  4. Faraz

    10 Nov 2020 Antworten

    Hi There,

    I have 2 Guacamole servers configured

    1 with Debain and XML setup

    2 with Debain and Guacamole Docker

    I have followed your instructions but while download and install LDAP auth it gave me a following error since there is no /directory under /usr/src/

    22:12 root@hostname [host]:~# cp /usr/src/guacamole-auth-ldap-1.1.0/guacamole-auth-ldap-1.1.0.jar /etc/guacamole/extensions/
    cp: cannot stat ‚/usr/src/guacamole-auth-ldap-1.1.0/guacamole-auth-ldap-1.1.0.jar‘: No such file or directory

  5. Shreyans Barthwal

    24 Nov 2021 Antworten

    Hi Everyone.

    I have setup guacamole in my infra and is working using DB Users. I have done LDAP configuration and it is getting authenticated using service user account (have domain admin access) that is created. I am able to authenticate a user under the OU but i am not able to authenticate any user through Group. Kindly suggest the parameters to use in guacamole.properties for authenticating Groups and any other checks which need to be done so that all users under that group reflects in my guacamole portal

  6. Henning deidari

    1 Mrz 2022 Antworten

    Hi Shreyans Barthwal,

    We encounter the same problem. Did you solve it? Every AD-Group is displaying empty membership.

    Kind regards,
    Henning

  7. Henning deidari

    2 Mrz 2022 Antworten

    Hi Shreyans Barthwal,

    we encounter the same Problem. Did you solve the problem? Can u help?

  8. highland

    12 Apr 2022 Antworten

    This is my working configuration, db installation also required.

    guacd-hostname: localhost
    guacd-port: 4822
    user-mapping: /etc/guacamole/user-mapping.xml
    auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
    # Auth provider class
    auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider

    # MySQL properties
    mysql-hostname: localhost
    mysql-port: 3306
    mysql-database: guacamole_db
    mysql-username: guacamole_user
    mysql-password: Password_here

    # LDAP properties
    ldap-hostname: ADserver_here
    ldap-port: 389
    ldap-user-base-dn: DC=domain,DC=here
    ldap-username-attribute: samAccountName
    ldap-config-base-dn: DC=domain,DC=here
    ldap-encryption-method: none
    ldap-search-bind-dn: BindUser@domain.here
    ldap-search-bind-password: Password_here
    ldap-user-search-filter: (|(memberOf=CN=Group1,CN=Users,DC=domain,DC=here)(memberOf=CN=Group2,CN=Users,DC=domain,DC=here))

    #TOTP properties
    totp-issuer: Guacamole TOTP

  9. Vittor de Castro

    5 Aug 2022 Antworten

    I was reading about using LDAP to store connection data instead of using the database for it. I created a GuacConfigGroup and it’s guacConfigParameter is like this:
    domain=contoso.com
    hostname=${LDAP_POBOX}
    password={GUAC_PASSWORD}
    port=3389
    username=${GUAC_USERNAME}

    my guacamole.properties has this on the end of the file:
    ldap-user-attributes: PObox, info

    The PObox attribute of the user is the IP address of the server I’m trying to connect, when I change the hostname attribute of the guacConfigGroup to the IP or a DNS It connects normally, but when I try to use the AD attribute it doesn’t connect and I get this on the guacd syslog:
    guacd[31714]: RDP server closed/refused connection: DNS lookup failed (incorrect hostname?)

    does anyone know how to see if the guacd is even using the correct LDAP parameter?

Schreibe einen Kommentar

eMail-Benachrichtigung bei weiteren Kommentaren.
Auch möglich: Abo ohne Kommentar.

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.