Re: No connections for header authenticated user

2018-10-15 Thread Mike Jumper
On Sat, Oct 13, 2018 at 11:46 AM, Adi Linden wrote:

> I posted build instructions and configuration files to gist
> https://gist.github.com/adilinden/41c0c5c4aaca301260e5980dc4e0ef1e
>
> guac_build.md:   https://gist.github.com/adilinden/41c0c5c4aaca301260e5980dc4e0ef1e#file-guac_build-md


Regarding the above:

"/var/lib/tomcat8/.guacamole symlink to /etc/guacamole GUACAMOLE_HOME"

1) If you're using /etc/guacamole (which you should), you do not need to
create symbolic links to guide Guacamole there. It will look there by
default.
2) The symbolic link you're creating will have no effect.
"/var/lib/tomcat8" is not the home directory of the user running Tomcat on
Ubuntu.

See: http://guacamole.apache.org/doc/gug/configuring-guacamole.html#overriding-guacamole-home

The location actually being used by Guacamole will be logged to the Tomcat
logs on startup.

"Make sure the last command shows Oracle Java 8 as default, as Guacamole
0.9.14 didn't build for me using the OpenJDK versions."

OpenJDK should work just fine. If that is not the case, opening a detailed
bug report would be appreciated.

"user-mapping: /etc/guacamole/user-mapping.xml"

There is no "user-mapping" property, so this will have no effect. The
property you're thinking of ("basic-user-mapping") was deprecated in
0.9.10-incubating. In releases since 0.9.10-incubating, using
"basic-user-mapping" would have resulted in a warning in the logs. This
will not be the case in future releases as it has been finally removed
entirely for the 1.0.0 release:

https://issues.apache.org/jira/browse/GUACAMOLE-494

"Replace the contents of /etc/guacamole/user-mapping.xml with


"

You can simply delete "user-mapping.xml" if you will not be using it.

- Mike


Re: No connections for header authenticated user

2018-10-13 Thread Adi Linden
Hi Mike,

That is very interesting.

Without any connections defined for the user, the user has access to create 
connections when directly connected and authenticated to the SQL database. 
However, the same user “authenticated” via header cannot access the connections 
tab nor create connections.

Once connections are defined for the user, the user sees the connections tab in 
settings and can access existing and create new connections no matter whether 
authenticated directly or whether accessing via proxy and headers.

Any connections defined in user-mapping.xml are seen when connected direct 
(authenticated against SQL) but ignored when accessing via proxy and headers.

Thank you very much for clarifying that! It is working great now!
Adi




Re: No connections for header authenticated user

2018-10-13 Thread Mike Jumper
On Sat, Oct 13, 2018, 10:30 Adi Linden wrote:

> ...
>
> Mysql works fine when directly connecting to guacamole, without proxy or
> header authentication. DB settings defined in guacamole.properties and user
> in mysql match. Do I need to do something else for header authentication to
> allow looking up information in the profile?
>

You need to grant access to the connections using the admin interface. This
isn't something specific to the header authentication, but necessary in
general for any non-admin user to see/use connections:

http://guacamole.apache.org/doc/gug/administration.html#user-management

As long as the user has access to connections, all that matters is that the
username in the header matches the username of a user in MySQL. When the
user is authenticated via the header (or any other auth implementation
present), the MySQL auth will trust that result and return the data
available to that user.

This is the generic mechanism which allows things like LDAP and MySQL to be
combined:

http://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database

user-mapping.xml will not do this, but the MySQL auth will.

- Mike


Re: No connections for header authenticated user

2018-10-13 Thread Adi Linden
Hi Mike,

I will post my (sanitized) build instructions and configs to Gist or something 
like that. That should hopefully make it easier to look at.

First I built plain vanilla with user-mapping.xml. It works great. Then I added 
mysql and it works great as well, both with user-mapping.xml and without. Then 
I tried header authentication with user-mapping.xml, with mysql only (blank 
user-mapping.xml) and both. The result is the same. When I connect to guacamole 
direct the login page shows and I can authenticate and see everything that has 
been configured under the user profile. When I connect via the nginx proxy 
there is no login box (as expected) but none of the user profile information 
shows. It’s a “blank” page, no defined connections (neither user-mapping.xml nor 
mysql) and just the basic settings menu. I tried with REMOTE_USER header and a 
custom header. Result is the same.

The particulars:

Ubuntu 18.04
Guacamole 0.9.14
Guacamole-server and guacamole-client built from git, checked out the 0.9.14 tag


  *   Is permission to access specific connections granted to the user in MySQL 
having the same username as the user authenticating with a header?

Mysql works fine when directly connecting to guacamole, without proxy or header 
authentication. DB settings defined in guacamole.properties and user in mysql 
match. Do I need to do something else for header authentication to allow 
looking up information in the profile?

Thanks,
Adi




Re: No connections for header authenticated user

2018-10-13 Thread Mike Jumper
The built-in user-mapping.xml auth will not trust the header auth result,
however the MySQL auth will and should work as you expect.

What version of Guacamole?

Is permission to access specific connections granted to the user in MySQL
having the same username as the user authenticating with a header?

- Mike

On Fri, Oct 12, 2018, 23:33 Adi Linden wrote:

> Hi,
>
>
>
> I placed guacamole behind a nginx reverse proxy. The nginx proxy performs
> basic authentication. I enabled the “guacamole-auth-header.jar” extension
> per instructions. My “user-mapping.xml” contains users with connections. I
> installed mysql and it also has users with connections.
>
>
>
> When I connect direct to guacamole, no nginx reverse proxy, everything
> works well. However, when I connect via the proxy I am greeted with a basic
> screen and basic settings. None of the settings in “user-mapping.xml” or
> mysql DB are assigned to the user authenticated via the proxy. The username
> shown in the top left is correct.
>
>
>
> The only clue I’ve come across is this 404 error in the log:
>
>
>
> Connected via proxy:
>
>
>
> 192.168.110.55 - - [13/Oct/2018:01:01:10 -0500] "GET
> /guacamole/api/session/data/header/users/adilinden?token=1F4F63E8FA4112E171B12798BD0515AA5C14508A9395CC4BA9DABDF59DDF42DA
> HTTP/1.1" 404 254
>
>
>
> Connected direct:
>
>
>
> 192.168.110.100 - - [13/Oct/2018:01:03:00 -0500] "GET
> /guacamole/api/session/data/mysql/users/adilinden?token=295CCD313B29BB9A8856752626949691B77D2453FAF3426129DA79B7C01F5307
> HTTP/1.1" 200 201
>
>
>
> Thanks,
> Adi
>
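
An added example, not part of the thread or of the Guacamole project: the two log entries in the original question differ in the data-source segment of the request path (`header` versus `mysql`), and the reply hinges on whether a MySQL user with the header's username exists. This sketch tabulates user-object requests per username and data source from a Tomcat access log and masks session tokens before lines are shared; the sample lines, the user `alice` and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the same access-log format as the question's excerpt.
# Tokens are made-up placeholders; "alice" is a hypothetical second user.
SAMPLE_LOG = """\
192.168.110.55 - - [13/Oct/2018:01:01:10 -0500] "GET /guacamole/api/session/data/header/users/adilinden?token=0123456789ABCDEF HTTP/1.1" 404 254
192.168.110.100 - - [13/Oct/2018:01:03:00 -0500] "GET /guacamole/api/session/data/mysql/users/adilinden?token=FEDCBA9876543210 HTTP/1.1" 200 201
192.168.110.55 - - [13/Oct/2018:01:05:42 -0500] "GET /guacamole/api/session/data/header/users/alice?token=00112233AABBCCDD HTTP/1.1" 404 254
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
USER_RE = re.compile(r"/api/session/data/(?P<source>[^/]+)/users/(?P<user>[^/]+)$")
TOKEN_RE = re.compile(r"(?<=[?&]token=)[0-9A-Fa-f]+")


def redact(target):
    """Mask the session token before a request line is copied anywhere else."""
    return TOKEN_RE.sub("REDACTED", target)


def user_lookups(log_text):
    """Map username -> {data source: sorted status codes} for user-object requests."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        entry = LINE_RE.match(line.strip())
        if not entry:
            continue  # not an access-log line in the expected format
        path = entry["target"].split("?", 1)[0]
        hit = USER_RE.search(path)
        if hit:
            seen[unquote(hit["user"])][hit["source"]].add(int(entry["status"]))
    return {u: {s: sorted(c) for s, c in srcs.items()} for u, srcs in seen.items()}


def never_found_in(lookups, source="mysql"):
    """Usernames with no 200 response from `source` in this log (a heuristic)."""
    return sorted(u for u, srcs in lookups.items() if 200 not in srcs.get(source, []))


if __name__ == "__main__":
    lookups = user_lookups(SAMPLE_LOG)
    for user, sources in lookups.items():
        print(user, sources)
    print("no successful mysql lookup:", never_found_in(lookups))
    print(redact(SAMPLE_LOG.splitlines()[0]))
```

A username listed by `never_found_in` is only a candidate for a missing or mismatched MySQL account; the log shows which lookups happened, not why one was absent.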