I was able to get a consistent LDAP login with NS being the primary AD provider as described in the doc. For giggles, I wanted to see if I could enable TOTP via guacamole-auth-totp-1.1.0.tar.gz and so far it works with the internal SQL guacadmin account but not with the AD/LDAP binding accounts. I’ll have to dig more into this to see if I am using the TOTP module correctly.
I found that it does not work with the LDAP extension as it needs an extension being able to save data.
Another extension must be installed which supports storage of arbitrary data from other extensions. Currently the only extensions provided with Guacamole which support this kind of storage are the database authentication extensions.
I’ve read up on another similar setup using DUO as the tfa app. I am going to see if this is an easy integration with the current setup and if so I’ll be happy.
It’s not that the TOTP auth doesn’t work at all, but you need to add the users (group didn’t work) to the database, by clicking on the ones you would like to use TOTP with and setting “change own password” for that user.
I am afraid the Duo extension works the same way. From the docs:
Guacamole supports Duo as a second authentication factor
Last way I see is using LDAP instead of mariadb for saving guacamole information but I initially wanted to avoid it. It seems OpenLDAP is supported and for AD I found a PDF.
What gets the Zentyal AD portion busted is that the installer auto-populates ldapservice, as NethServer uses for its BIND DN, rather than what may actually be populated in that field (see picture).
Proposed solutions
The one I think is correct - have the installer read or input the correct BIND DN settings from the NethServer Account Provider into guacamole.properties rather than the hard-coded ldapservice account.
The one I did - created a new user ldapservice via LDAP Admin on my Zentyal AD/SAMBA domain. After, I was able to log into the Guacamole page with my LDAP users/groups.
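As an added illustration of the first proposed solution (not code from the thread or from the NethServer Guacamole module): a shell script that renders the LDAP section of guacamole.properties from the bind DN the account provider actually uses, and refuses the hard-coded ldapservice default. It assumes the provider dump is flat one-line JSON with BindDN, BindPassword, LdapURI and BaseDN keys (the shape of `account-provider-test dump` on NethServer 7); the sample dump below is constructed.

```shell
#!/bin/sh
# Added example, not part of the original thread or the NethServer module.
# Assumption: provider dump is flat JSON with BindDN/BindPassword/LdapURI/BaseDN.

# Constructed sample; on a real box this would come from `account-provider-test dump`.
SAMPLE_DUMP='{"BindDN":"CN=svc-guac,CN=Users,DC=ad,DC=example,DC=com","BindPassword":"s3cret","LdapURI":"ldaps://dc.ad.example.com","BaseDN":"DC=ad,DC=example,DC=com"}'

# Extract the string value of key $1 from one-line JSON in $2.
json_get() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# Succeed only for a real provider-supplied DN; the hard-coded ldapservice
# account (or an empty value) is exactly what broke the Zentyal/Samba AD setup.
bind_dn_ok() {
    case "$1" in
        ''|ldapservice*|*"CN=ldapservice,"*|*"cn=ldapservice,"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the ldap-* lines of guacamole.properties for a provider dump, or fail.
render_ldap_props() {
    dump="$1"
    dn=$(json_get BindDN "$dump")
    pw=$(json_get BindPassword "$dump")
    uri=$(json_get LdapURI "$dump")
    base=$(json_get BaseDN "$dump")
    bind_dn_ok "$dn" || { echo "refusing hard-coded or empty bind DN: '$dn'" >&2; return 1; }
    scheme=${uri%%://*}
    rest=${uri#*://}
    host=${rest%%:*}
    case "$rest" in
        *:*) port=${rest##*:} ;;
        *)   [ "$scheme" = ldaps ] && port=636 || port=389 ;;
    esac
    [ "$scheme" = ldaps ] && enc=ssl || enc=none
    printf 'ldap-hostname: %s\nldap-port: %s\nldap-encryption-method: %s\n' "$host" "$port" "$enc"
    printf 'ldap-user-base-dn: %s\nldap-search-bind-dn: %s\n' "$base" "$dn"
    printf 'ldap-search-bind-password: %s\nldap-username-attribute: sAMAccountName\n' "$pw"
}

render_ldap_props "$SAMPLE_DUMP"
```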
Did this change anything else for proxy settings? I ask now because I can no longer get NS to Reverse Proxy like I could above. With the recent guide for instance I had a goal of getting remote.example.com from https://demo.example.com/guacamole using the Reverse Proxy and a valid LE cert but the page no longer loads.
/etc/httpd/conf.d/guacamole.conf was moved to /etc/httpd/conf.d/zz_guacamole.conf
If the virtualhost feature is not enabled there should be no change in zz_guacamole.conf.
EDIT:
Found a difference.
Please try to delete the SSLEngine on line in /etc/httpd/conf.d/zz_guacamole.conf and reload httpd.
No problem, I will just remove it then re-install it. No biggie. If I also knew what I did, we could have made it easier to identify how the error came to be, and how to write about it for anyone who gets a similar error in the future.