Guacamole - Anmeldefehler / Auth-Error on member server

Well, I posted this already in another thread, but with mixed topics/ problems I guess.
The app was first installed on a slave-role server (a different problem occured) and is now on a member-role server (where it shortly worked but stopped to do after some hours).

Trying to login will give me on the website: Anmeldungsfehler

In the logs I can find entries like:

root@ucs-member:~# docker logs -ft --details container_id_guacamole
...
2019-03-15T10:39:27.523623173Z  11:39:27.522 [http-nio-8080-exec-3] ERROR o.a.g.a.ldap.LDAPConnectionService - Unable to connect to LDAP server: Connect Error
2019-03-15T10:39:27.527344882Z  11:39:27.522 [http-nio-8080-exec-3] ERROR o.a.g.a.l.AuthenticationProviderService - Unable to bind using search DN "cn=guaca-12345678,cn=memberserver,cn=computers,dc=domain,dc=com"
2019-03-15T10:39:27.536566763Z  11:39:27.536 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.x.y, 172.z.0.1] for user "myuser" failed.

I have checked the password files, they seem to be ok. What else to check?

Thanks,
Bernd

As I’m trying to get some more information on the errors. My guess now is, that it has rather nothing to do with the ldap-settings but perhaps more with the networking of the docker container.
To my knowledge there is no working nameserver inside the docker-app so the only names that can be resolved are the entries in /etc/hosts.
I don’t know how relevant that is, it certainly makes it difficult to install any kind of debugging software inside the container as the sources inside /etc/apt/sources.list would require some name resolution.
But even with a proper name resolution, the docker network seems to be restricted to only reach the host. Some ping-commands:

root@abcde:/usr/local/tomcat# ping localhost           
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.047 ms
...
root@abc4de:/usr/local/tomcat# ping 192.168.ucs.member
PING 192.168.ucs.member (192.168.ucs.member): 56 data bytes
64 bytes from 192.168.ucs.member: icmp_seq=0 ttl=64 time=0.088 ms
...
root@abcde:/usr/local/tomcat# ping 192.168.ucs.ldap-master
PING 192.168.ucs.ldap-master (192.168.ucs.ldap-master): 56 data bytes
^C--- 192.168.15.ucs.ldap-master ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss

That would perhaps explain why I could login on a slave-server but not on a member-server (while it is not explaining why it ran for some time and is working on other systems?). A ping to something like 8.8.8.8 isn’t working either. How can I fix this?
Some more information: The guacamole-app is on “another” ip-range than the other univention-docker-apps. Where the other containers use 172.x.0.0/16 - the guacamole app is on 172.x+1.0.0/16. On the host (member-server) I can see a new bridge for this network.
Any suggestions on how to proceed are wellcome.

Bernd

One ‘solution’ or more workaround is provided here: Guacamole Problem

Mastodon