Docker + LDAP (Active Directory)

Docker + LDAP (Active Directory)

lfzamora
Deploying latest docker images (as of 07/13/2017) of guacamole, guacd, and postgres with LDAP enabled in an Active Directory environment but getting "Invalid Login" at login page and logs throwing the following:

04:06:02.351 [http-nio-8080-exec-10] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "CN=svc_Guacamole,OU=Guacamole,DC=corp,DC=contoso,DC=com"
04:06:02.352 [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.168.1.223 for user "tuser" failed.

Yep, those users exist and that is the correct DN, double and triple checked in ADUAC. Ditto for passwords. Don't think it's anything to do with the DB as I can log in successfully with the default 'guacadmin' account. But any attempt to log in with a valid (in any other context) AD/LDAP user fails with the aforementioned errors.

Not a port or network issue as the docker box can nc to 389. Tried IP instead of FQDN as well, no diff.

It shouldn't be necessary but I also made the LDAP_SEARCH_BIND_DN account a domain admin. Should be able to search ldap tree as regular domain user but tried it anyway.

Here is the full docker run command being used:

sudo docker run --name guacamole --link guacd:guacd \
--link postgres:postgres \
-e POSTGRES_DATABASE=guacamole_db \
-e POSTGRES_USER=guacamole_user \
-e POSTGRES_PASSWORD=*** \
-e LDAP_USER_BASE_DN=OU=Guacamole,DC=corp,DC=contoso,DC=com \
-e LDAP_SEARCH_BIND_DN=CN=svc_Guacamole,OU=Guacamole,DC=corp,DC=contoso,DC=com \
-e LDAP_SEARCH_BIND_PASSWORD=*** \
-e LDAP_USERNAME_ATTRIBUTE=sAMAccountName \
-e LDAP_HOSTNAME=dc-1.corp.contoso.com \
-e LDAP_PORT=389 \
-e LDAP_ENCRYPTION_METHOD=none -d -p 8080:8080 guacamole/guacamole

Any ideas? Maybe somewhere to get more detailed error feedback?

Thanks
Re: Docker + LDAP (Active Directory)

Mike Jumper
Are there any characters in the value for LDAP_SEARCH_BIND_PASSWORD
which might be being interpreted by your shell, and thus might not
make it into the environment variables of the Docker container as
expected?

- Mike


On Thu, Jul 13, 2017 at 9:19 PM, lfzamora <[hidden email]> wrote:

> Deploying latest docker images (as of 07/13/2017) of guacamole, guacd, and
> postgres with LDAP enabled in an Active Directory environment but getting
> "Invalid Login" at login page and logs throwing the following:
>
> 04:06:02.351 [http-nio-8080-exec-10] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "CN=svc_Guacamole,OU=Guacamole,DC=corp,DC=contoso,DC=com"
> 04:06:02.352 [http-nio-8080-exec-10] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 192.168.1.223 for user "tuser" failed.
>
> Yep, those users exist and that is the correct DN, double and triple checked
> in ADUAC. Ditto for passwords. Don't think it's anything to do with the DB as I
> can log in successfully with the default 'guacadmin' account. But any attempt to
> log in with a valid (in any other context) AD/LDAP user fails with the
> aforementioned errors.
>
> Not a port or network issue as the docker box can nc to 389. Tried IP instead
> of FQDN as well, no diff.
>
> It shouldn't be necessary but I also made the LDAP_SEARCH_BIND_DN account a
> domain admin. Should be able to search ldap tree as regular domain user but
> tried it anyway.
>
> Here is the full docker run command being used:
>
> sudo docker run --name guacamole --link guacd:guacd \
> --link postgres:postgres \
> -e POSTGRES_DATABASE=guacamole_db \
> -e POSTGRES_USER=guacamole_user \
> -e POSTGRES_PASSWORD=*** \
> -e LDAP_USER_BASE_DN=OU=Guacamole,DC=corp,DC=contoso,DC=com \
> -e LDAP_SEARCH_BIND_DN=CN=svc_Guacamole,OU=Guacamole,DC=corp,DC=contoso,DC=com \
> -e LDAP_SEARCH_BIND_PASSWORD=*** \
> -e LDAP_USERNAME_ATTRIBUTE=sAMAccountName \
> -e LDAP_HOSTNAME=dc-1.corp.contoso.com \
> -e LDAP_PORT=389 \
> -e LDAP_ENCRYPTION_METHOD=none -d -p 8080:8080 guacamole/guacamole
>
> Any ideas? Maybe somewhere to get more detailed error feedback?
>
> Thanks
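Two checks that follow from this exchange, written as an added example (this is not code from the thread or from the Guacamole project). The first covers Mike's question: it shows what an unquoted `-e LDAP_SEARCH_BIND_PASSWORD=...` word turns into after shell expansion and produces a single-quoted form that docker receives byte-for-byte. The second answers the original "somewhere to get more detailed error feedback" question: it binds with the same search DN outside Guacamole using the OpenLDAP `ldapsearch` client, so the server's own LDAP result code and diagnostic text are visible instead of the bare "Unable to bind" line. The password `Pa$w0rd` is a constructed sample; the host, port and DNs default to the values from the docker run command above.

```shell
#!/bin/sh
# Added example, not part of the thread or the Guacamole project.
# (1) Detect and neutralise shell-sensitive characters in the bind password.
# (2) Reproduce the bind outside Guacamole with ldapsearch to see the real error.
# "Pa$w0rd" is a constructed sample value.

# Characters a POSIX shell (or an interactive bash) may expand, strip or choke on
# when they appear in an unquoted word such as -e KEY=VALUE.
shell_sensitive() {
  printf '%s\n' "$1" | grep -q '[$`"\\!'"'"' ;&|<>()]'
}

# Reproduce the mistake: push the value through word expansion exactly as an
# unquoted -e assignment would. "Pa$w0rd" comes out as "Pa" because the shell
# expands the unset variable $w0rd to nothing.
expand_like_unquoted() {
  unset w0rd
  eval "printf '%s' $1"
}

# Wrap a value in single quotes so the shell passes it through unchanged; an
# embedded single quote becomes the '\'' idiom.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the -e argument for docker run with the password safely quoted.
bind_password_arg() {
  printf 'LDAP_SEARCH_BIND_PASSWORD=%s' "$(shell_quote "$1")"
}

# Independent bind check (needs the OpenLDAP client tools). -W prompts for the
# password so it never lands in the process list or shell history. On failure
# ldapsearch prints the server's result code and diagnostic message, which the
# Guacamole log line does not carry. Defaults come from the thread's command.
ldap_bind_check() {
  host=${1:-dc-1.corp.contoso.com}
  port=${2:-389}
  bind_dn=${3:-'CN=svc_Guacamole,OU=Guacamole,DC=corp,DC=contoso,DC=com'}
  base_dn=${4:-'OU=Guacamole,DC=corp,DC=contoso,DC=com'}
  user=${5:-tuser}
  command -v ldapsearch >/dev/null 2>&1 || { echo 'ldapsearch not found' >&2; return 2; }
  ldapsearch -H "ldap://$host:$port" -x -D "$bind_dn" -W -b "$base_dn" \
    "(sAMAccountName=$user)" dn
}

# Demo of the quoting checks: sh this_file.sh demo
if [ "${1-}" = demo ]; then
  pw='Pa$w0rd'
  shell_sensitive "$pw" && echo "password contains shell-sensitive characters"
  echo "unquoted, docker would receive: $(expand_like_unquoted "$pw")"
  echo "safe argument: -e $(bind_password_arg "$pw")"
fi
```

After starting the container, `docker exec guacamole printenv LDAP_SEARCH_BIND_PASSWORD` shows the value the container actually received, which settles Mike's question directly. One caveat on the diagnostic: with `LDAP_ENCRYPTION_METHOD=none` the simple bind sends the service account password in cleartext on port 389, and a domain controller configured to require LDAP signing refuses simple binds on unencrypted connections, which also surfaces as a bind failure; the result code `ldapsearch` prints distinguishes that case from a wrong password or DN.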
Re: Docker + LDAP (Active Directory)

lfzamora
Yeah, I fiddled with that too. At this point it's just plain alphanumeric.

When I get home I'm going to throw up wireshark on the DC and see if I can dial in on the exact LDAP response. Nothing in Windows Event Logs, which is strange -- could be looking in the wrong place though, but no "failed login" type alerts.