Guacamole - Anmeldefehler / Auth-Error on member server

lebernd · March 21, 2019, 11:44am

Well, I posted this already in another thread, but with mixed topics/ problems I guess.
The app was first installed on a slave-role server (a different problem occured) and is now on a member-role server (where it shortly worked but stopped to do after some hours).

Trying to login will give me on the website: Anmeldungsfehler

In the logs I can find entries like:

root@ucs-member:~# docker logs -ft --details container_id_guacamole
...
2019-03-15T10:39:27.523623173Z  11:39:27.522 [http-nio-8080-exec-3] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
2019-03-15T10:39:27.527344882Z  11:39:27.522 [http-nio-8080-exec-3] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=guaca-12345678,cn=memberserver,cn=computers,dc=domain,dc=com"
2019-03-15T10:39:27.536566763Z  11:39:27.536 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.x.y, 172.z.0.1] for user "myuser" failed.

I have checked the password files, they seem to be ok. What else to check?

Thanks,
Bernd

lebernd · March 22, 2019, 10:48am

As I’m trying to get some more information on the errors. My guess now is, that it has rather nothing to do with the ldap-settings but perhaps more with the networking of the docker container.
To my knowledge there is no working nameserver inside the docker-app so the only names that can be resolved are the entries in /etc/hosts.
I don’t know how relevant that is, it certainly makes it difficult to install any kind of debugging software inside the container as the sources inside /etc/apt/sources.list would require some name resolution.
But even with a proper name resolution, the docker network seems to be restricted to only reach the host. Some ping-commands:

root@abcde:/usr/local/tomcat# ping localhost           
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.047 ms
...
root@abc4de:/usr/local/tomcat# ping 192.168.ucs.member
PING 192.168.ucs.member (192.168.ucs.member): 56 data bytes
64 bytes from 192.168.ucs.member: icmp_seq=0 ttl=64 time=0.088 ms
...
root@abcde:/usr/local/tomcat# ping 192.168.ucs.ldap-master
PING 192.168.ucs.ldap-master (192.168.ucs.ldap-master): 56 data bytes
^C--- 192.168.15.ucs.ldap-master ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss

That would perhaps explain why I could login on a slave-server but not on a member-server (while it is not explaining why it ran for some time and is working on other systems?). A ping to something like 8.8.8.8 isn’t working either. How can I fix this?
Some more information: The guacamole-app is on “another” ip-range than the other univention-docker-apps. Where the other containers use 172.x.0.0/16 - the guacamole app is on 172.x+1.0.0/16. On the host (member-server) I can see a new bridge for this network.
Any suggestions on how to proceed are wellcome.

Bernd

lebernd · March 28, 2019, 10:25pm

One ‘solution’ or more workaround is provided here: Guacamole Problem