Guacamole 1.2.0

I am up and running now; trying to get SAMBA4/AD (NS BDC joined to Zentyal AD) users to log in properly now.

EDIT - Getting lip but I think I need to understand the BIND settings.

Apr 16 14:05:57 guac server: 14:05:57.547 [http-bio-8080-exec-8] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=ldapservice,cn=Users,DC=ad,DC=nethserver,DC=us"
Apr 16 14:05:57 guac server: 14:05:57.547 [http-bio-8080-exec-8] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [10.92.0.2, 127.0.0.1] for user "admin@ad.nethserver.us" failed.
1 Like

I was able to get a consistent LDAP login with NS being the primary AD provider as described in the doc. For giggles, I wanted to see if I could enable TOTP via guacamole-auth-totp-1.1.0.tar.gz and so far it works with the internal SQL guacadmin account but not with the AD/LDAP binding accounts. I’ll have to dig more into this to see if I am using the TOTP module correctly.

Apr 19 09:05:50 guac server: 09:05:50.167 [http-bio-8080-exec-10] INFO  o.a.g.r.auth.AuthenticationService - User "admin" successfully authenticated from [10.92.0.2, 10.0.99.1, 127.0.0.1].
Apr 19 09:05:50 guac server: 09:05:50.200 [http-bio-8080-exec-10] ERROR o.a.g.rest.RESTExceptionMapper  - Unexpected internal error:
Apr 19 09:05:50 guac server: ### Error updating database.  Cause: com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: Column 'user_id' cannot be null
Apr 19 09:05:50 guac server: ### The error may involve org.apache.guacamole.auth.jdbc.user.UserMapper.insertAttributes-Inline
Apr 19 09:05:50 guac server: ### The error occurred while setting parameters
Apr 19 09:05:50 guac server: ### SQL: INSERT INTO guacamole_user_attribute (             user_id,              attribute_name,             attribute_value         )         VALUES                                 (?,                  ?,                  ?)              ,                  (?,                 , ?,                  ?)
Apr 19 09:05:50 guac server: ### Cause: com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: Column 'user_id' cannot be null

2 Likes

@royceb how did you install it on its own vhost?

I found that it does not work with the LDAP extension as it needs an extension being able to save data.

Another extension must be installed which supports storage of arbitrary data from other extensions. Currently the only extensions provided with Guacamole which support this kind of storage are the database authentication extensions.

https://guacamole.apache.org/doc/gug/totp-auth.html#totp-prerequisites

I think it’s not on a vhost. Do you want to be able to run it on a vhost? I could add a switch but I don’t know if we can go without /guacamole path.

I’ve read up on another similar setup using DUO as the tfa app. I am going to see if this is an easy integration with the current setup and if so I’ll be happy.

It’s not that the TOTP auth doesn’t work at all, but you need to add the users (group didn’t work) to the database, by clicking on the ones you’d like to use TOTP and setting “change own password” for that user.

I am afraid the Duo extension works the same way. From the docs:

Guacamole supports Duo as a second authentication factor

Last way I see is using LDAP instead of mariadb for saving guacamole information but I initially wanted to avoid it. It seems OpenLDAP is supported and for AD I found a PDF.

If we can have something like remote.server.tld but it adds /guacamole when a user visits, no problem with that.

1 Like

In the example above I was using pfSense to handle my letsencrypt certificates renewal and reverse proxy because of how easy it is to implement.

If you wanted to do the same with a self contained NS install you need to do the following:

  1. Create an alias for your NS server/TLD (example guacdemo.yourdomain.com)
  2. Create a LetsEncrypt certificate for your TLD (NOTE: you can request multiple aliases such as remote/nextcloud/guacdemo during this step)
  3. Install Reverse Proxy from the Software Center
  4. Create Reverse Proxy rule as desired.

2 Likes

I’ve gotten this to work for Zentyal 6.1 AD/SAMBA authentication.

The installer will gather most of the correct values for the LDAP connection in /etc/guacamole/guacamole.properties but I ran into problems here:

ldap-search-bind-dn: cn=ldapservice,cn=Users,DC=ad,DC=example,DC=com

What gets the Zentyal AD portion busted is that the installer auto-populates ldapservice, as NethServer uses it for its BIND DN, rather than what may actually be populated in that field (see picture).

Proposed solutions
The one I think is correct - have the installer read or input the correct BIND DN settings from the NethServer Account Provider into guacamole.properties rather than the hard-coded ldapservice account.

The one I did - created a new user ldapservice via LDAP Admin on my Zentyal AD/SAMBA domain. After, I was able to log into the Guacamole page with my LDAP users/groups.

3 Likes
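A way to reproduce the "Unable to bind using search DN" failure outside Guacamole, as an added example that is not from the thread or the nethserver-guacamole package: it reads the ldap-* keys from guacamole.properties and builds the ldapsearch call that performs the same search bind Guacamole does. The property names are the Guacamole LDAP extension's own; the sample properties file it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the nethserver-guacamole package:
# read the ldap-* keys from guacamole.properties and build the ldapsearch
# call that does the same search bind Guacamole does, so an "Unable to bind
# using search DN" error can be reproduced outside Tomcat. Property names are
# the Guacamole LDAP extension's own; the sample file is constructed.

GUAC_SAMPLE=$(mktemp)
cat > "$GUAC_SAMPLE" <<'EOF'
ldap-hostname: ad.example.com
ldap-port: 636
ldap-encryption-method: ssl
ldap-user-base-dn: cn=Users,DC=ad,DC=example,DC=com
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: cn=ldapservice,cn=Users,DC=ad,DC=example,DC=com
ldap-search-bind-password: REPLACE_ME
EOF

# guac_prop FILE KEY: value of KEY ("key: value" or "key=value"), trimmed; empty if absent.
guac_prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# guac_ldap_uri FILE: ldap(s)://host:port, default port taken from the scheme.
guac_ldap_uri() {
    host=$(guac_prop "$1" ldap-hostname)
    port=$(guac_prop "$1" ldap-port)
    scheme=ldap
    [ "$(guac_prop "$1" ldap-encryption-method)" = ssl ] && scheme=ldaps
    [ -n "$port" ] || { [ "$scheme" = ldaps ] && port=636 || port=389; }
    printf '%s://%s:%s\n' "$scheme" "$host" "$port"
}

# guac_bind_cmd FILE USER: ldapsearch that binds as ldap-search-bind-dn and
# looks USER up under ldap-user-base-dn, as Guacamole does at login.
# -W prompts for the bind password instead of placing it on the command line.
guac_bind_cmd() {
    uri=$(guac_ldap_uri "$1")
    attr=$(guac_prop "$1" ldap-username-attribute)
    [ -n "$attr" ] || attr=uid
    tls=""
    [ "$(guac_prop "$1" ldap-encryption-method)" = starttls ] && tls=" -ZZ"
    printf 'ldapsearch -x%s -H %s -D "%s" -W -b "%s" "(%s=%s)" dn\n' "$tls" \
        "$uri" "$(guac_prop "$1" ldap-search-bind-dn)" \
        "$(guac_prop "$1" ldap-user-base-dn)" "$attr" "$2"
}
```

Run the printed ldapsearch with the real bind password: if it fails with invalid credentials, the DN in ldap-search-bind-dn does not exist on that AD (the Zentyal case above) or the password is wrong, and Guacamole will log the same bind error.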

Thanks, I fixed it to use the right name but I had to hardcode the “cn=user” part to make it work.

yum reinstall https://mrmarkuz.dynu.net/mirror/devtest/nethserver-guacamole-0.0.1-1.ns7.noarch.rpm

1 Like

How can I completely uninstall to install it afresh @mrmarkuz?

To uninstall you need to remove the mysql database (drop database guacamole;) and the package.

You may use yum autoremove nethserver-guacamole carefully to remove dependencies too.

Which other dependencies are implemented?

Guacamole for example needs guacd and tomcat as server components and modules for different connection protocols etc.

You can check it with

yum deplist nethserver-guacamole

or

rpm -qR nethserver-guacamole

EDIT:

Virtualhost added. It’s enough to reinstall the module with yum reinstall, no need for complete uninstall.

Did this change anything else for proxy settings? I ask now because I can no longer get NS to Reverse Proxy like I could above. With the recent guide for instance I had a goal of getting remote.example.com from https://demo.example.com/guacamole using the Reverse Proxy and a valid LE cert but the page no longer loads.

[root@demo ~]# echo '{"action":"edit","proxypass":{"name":"remote.nethserver.us","Description":"","Target":"https://demo.nethserver.us/guacamole","HTTP":"no","HTTPS":"yes","PreserveHost":"yes","SslCertificate":"","ValidFrom":[""],"CertVerification":"no","type":"VhostReverse"}}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/nethserver-httpd/proxypass/update | jq
{
"steps": 2,
"pid": 47689,
"args": "",
"event": "nethserver-httpd-save"
}
{
"step": 1,
"pid": 47689,
"action": "S05generic_template_expand",
"event": "nethserver-httpd-save",
"state": "running"
}
{
"progress": "0.50",
"time": "0.334905",
"exit": 0,
"event": "nethserver-httpd-save",
"state": "done",
"step": 1,
"pid": 47689,
"action": "S05generic_template_expand"
}
{
"step": 2,
"pid": 47689,
"action": "S90adjust-services",
"event": "nethserver-httpd-save",
"state": "running"
}
{
"progress": "1.00",
"time": "0.291756",
"exit": 256,
"event": "nethserver-httpd-save",
"state": "done",
"step": 2,
"pid": 47689,
"action": "S90adjust-services"
}
{
"pid": 47689,
"status": "failed",
"event": "nethserver-httpd-save"
}
{
"type": "Error",
"message": "proxy.api_update_failed"
}
[root@demo ~]# ^C
[root@demo ~]#

/etc/httpd/conf.d/guacamole.conf was moved to /etc/httpd/conf.d/zz_guacamole.conf
If the virtualhost feature is not enabled there should be no change in zz_guacamole.conf.

EDIT:

Found a difference.

Please try to delete the SSLEngine on line in /etc/httpd/conf.d/zz_guacamole.conf and reload httpd.

You can see my changes in the commits on github:
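The edit suggested above, wrapped so it only sticks when httpd still accepts the config, as an added example that is not from the thread or the nethserver-guacamole package; file paths are the ones named in the thread and the sample config it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the package: remove the "SSLEngine on"
# line from zz_guacamole.conf as the reply suggests, but only keep the change if
# apachectl accepts the result, so a bad edit never reaches a reloaded httpd.
# File paths are the thread's; the sample config written here is constructed.

GUAC_CONF_SAMPLE=$(mktemp)
cat > "$GUAC_CONF_SAMPLE" <<'EOF'
<VirtualHost *:443>
    ServerName remote.example.com
    SSLEngine on
    ProxyPass / http://localhost:8080/guacamole/
</VirtualHost>
EOF

# strip_sslengine IN OUT: copy IN to OUT minus any "SSLEngine on" directive
# (case-insensitive, as Apache reads it); prints the number of lines dropped.
strip_sslengine() {
    grep -viE '^[[:space:]]*SSLEngine[[:space:]]+on[[:space:]]*$' "$1" > "$2" || true
    echo $(( $(wc -l < "$1") - $(wc -l < "$2") ))
}

# apply_fix CONF: edit CONF in place keeping a .bak copy, validate with
# apachectl, reload httpd on success and restore the backup on failure.
apply_fix() {
    cp -p "$1" "$1.bak"
    strip_sslengine "$1.bak" "$1" > /dev/null
    if apachectl configtest; then
        systemctl reload httpd
    else
        cp -p "$1.bak" "$1"
        echo "configtest failed, $1 restored from $1.bak" >&2
        return 1
    fi
}
```

On the real system call `apply_fix /etc/httpd/conf.d/zz_guacamole.conf` as root; running it twice is harmless because the second pass removes nothing.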

So with this implementation, which URL is guacamole reachable at when using the virtual host? Or is it to be defined during installation?

Also, my case was also one with missing language files, which made my interface look horrid.

I updated the wiki entry, the vhost is without path and needs to be setup after install:

https://wiki.nethserver.org/doku.php?id=guacamole#virtual_host

Still couldn’t reproduce this.

No problem, I will just remove it then re-install it. No biggies. If I also knew what I did, we could have made it easier to identify how the error came to be, and how to write about it for anyone who gets a similar error in future.

1 Like

Language issue was resolved.

Now, how do I assign an LDAP user to a specific connection?