[
https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16822602#comment-16822602
]
Nick Couchman commented on GUACAMOLE-715:
-----------------------------------------
And the debug I get at connection time:
{code}
21:19:48.879 [http-nio-8080-exec-38] ERROR
o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to
guacd failed: Permission denied.
21:19:48.879 [http-nio-8080-exec-38] DEBUG
o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Error connecting WebSocket tunnel.
org.apache.guacamole.GuacamoleSecurityException: Permission denied.
at
org.apache.guacamole.auth.jdbc.connection.ConnectionService.connect(ConnectionService.java:522)
at
org.apache.guacamole.auth.jdbc.connection.ModeledConnection.connect(ModeledConnection.java:264)
at
org.apache.guacamole.net.auth.DelegatingConnection.connect(DelegatingConnection.java:153)
at
org.apache.guacamole.net.auth.DelegatingConnection.connect(DelegatingConnection.java:164)
at
org.apache.guacamole.net.auth.TokenInjectingConnection.connect(TokenInjectingConnection.java:65)
at
org.apache.guacamole.tunnel.TunnelRequestService.createConnectedTunnel(TunnelRequestService.java:224)
at
org.apache.guacamole.tunnel.TunnelRequestService.createTunnel(TunnelRequestService.java:399)
at
org.apache.guacamole.tunnel.websocket.RestrictedGuacamoleWebSocketTunnelEndpoint.createTunnel(RestrictedGuacamoleWebSocketTunnelEndpoint.java:113)
at
org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.onOpen(GuacamoleWebSocketTunnelEndpoint.java:200)
at
org.apache.tomcat.websocket.server.WsHttpUpgradeHandler.init(WsHttpUpgradeHandler.java:133)
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:852)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
{code}
> Permission management based on LDAP groups not working as documented
> --------------------------------------------------------------------
>
> Key: GUACAMOLE-715
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-715
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-jdbc-mysql, guacamole-auth-ldap
> Affects Versions: 1.0.0
> Environment: I'm running guacamole in a docker environment using the
> official base images and a MySQL database. Users are authenticated against an
> Active Directory server in combination with the MySQL database.
> Reporter: Micha Kohl
> Assignee: Nick Couchman
> Priority: Major
> Fix For: 1.1.0
>
>
> From the documentation on user groups in 1.0.0 I expected to be able to
> manage user permissions via LDAP groups like this (using LDAP for
> authentication and MySQL for configuration management as documented
> [here|https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database]):
> # Create user group in MySQL with the name of a corresponding user group in
> the LDAP directory
> # Create connection in MySQL
> # Grant connection permission to the user group created in 1.
> # LDAP users that are part of the LDAP group (in the directory) are able to
> log in with their LDAP credentials and access that connection
> This does not work at all (the user does not even see the connection). In my
> attempt to narrow down the problem and ensure that I'm not just doing it
> wrong, I tested the following scenarios:
> # _Having just the LDAP group be mirrored in MySQL by creating an_
> _identically named one there_
> -> Login succeeds, but no associated connections are shown.
> # _Having both the LDAP group and the user be mirrored in MySQL by creating_
> _identically named entities there without manually linking the two (MySQL
> user is not part of MySQL user group)_
> -> Login succeeds and guacamole tries to auto-connect to the only available
> connection/shows all available connections and fails when trying to connect
> with a permission error.
> # _Having both the LDAP group and the user be mirrored in MySQL by creating_
> _identically named entities there and manually adding the MySQL user to the_
> _MySQL group_ _(MySQL user is part of MySQL user group)_
> -> Connections are established successfully.
> Either there seems to be a big misunderstanding regarding the way the new
> group system is supposed to work with LDAP, or there's something going wrong
> here. It goes without saying that scenario 3 completely eliminates the
> purpose of relying on existing LDAP groups. Scenario 1 is the configuration I
> outlined above that would allow managing connections based on LDAP groups
> without having to create any MySQL users whatsoever. Scenario 2 in
> combination with similar reports on the mailing list led me to believe that
> this is either based on a common misconception or there's a bug.
> Side-Note: While it has been suggested that this is already covered by
> GUACAMOLE-696, I think this could only be said if this turns out to be
> expected but poorly documented behavior.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
