Re: No connections for header authenticated user
On Sat, Oct 13, 2018 at 11:46 AM, Adi Linden wrote:

> I posted build instructions and configuration files to gist
> https://gist.github.com/adilinden/41c0c5c4aaca301260e5980dc4e0ef1e
>
> guac_build.md: https://gist.github.com/adilinden/41c0c5c4aaca301260e5980dc4e0ef1e#file-guac_build-md

Regarding the above:

"/var/lib/tomcat8/.guacamole symlink to /etc/guacamole GUACAMOLE_HOME"

1) If you're using /etc/guacamole (which you should), you do not need to create symbolic links to guide Guacamole there. It will look there by default.

2) The symbolic link you're creating will have no effect. "/var/lib/tomcat8" is not the home directory of the user running Tomcat on Ubuntu.

See: http://guacamole.apache.org/doc/gug/configuring-guacamole.html#overriding-guacamole-home

The location actually being used by Guacamole will be logged to the Tomcat logs on startup.

"Make sure the last command shows Oracle Java 8 as default, as Guacamole 0.9.14 didn't build for me using the OpenJDK versions."

OpenJDK should work just fine. If that is not the case, opening a detailed bug report would be appreciated.

"user-mapping: /etc/guacamole/user-mapping.xml"

There is no "user-mapping" property, so this will have no effect. The property you're thinking of ("basic-user-mapping") was deprecated in 0.9.10-incubating. In releases since 0.9.10-incubating, using "basic-user-mapping" would have resulted in a warning in the logs. This will not be the case in future releases as it has been finally removed entirely for the 1.0.0 release:

https://issues.apache.org/jira/browse/GUACAMOLE-494

"Replace the contents of /etc/guacamole/user-mapping.xml with "

You can simply delete "user-mapping.xml" if you will not be using it.

- Mike
Re: No connections for header authenticated user
Hi Mike,

That is very interesting. Without any connections defined for the user, the user has access to create connections when directly connected and authenticated to the SQL database. However, the same user “authenticated” via header cannot access the connections tab nor create connections.

Once connections are defined for the user, the user sees the connections tab in settings and can access existing and create new connections no matter whether authenticated directly or whether accessing via proxy and headers.

Any connections defined in user-mappings.xml are seen when connected direct (authenticated against SQL) but ignored when accessing via proxy and headers.

Thank you very much for clarifying that! It is working great now!

Adi
Re: No connections for header authenticated user
On Sat, Oct 13, 2018, 10:30 Adi Linden wrote:

> ...
>
> Mysql works fine when directly connecting to guacamole, without proxy or
> header authentication. DB settings defined in guacamole.properties and user
> in mysql match. Do I need to do something else for header authentication to
> allow looking up information in the profile?

You need to grant access to the connections using the admin interface. This isn't something specific to the header authentication, but necessary in general for any non-admin user to see/use connections:

http://guacamole.apache.org/doc/gug/administration.html#user-management

As long as the user has access to connections, all that matters is that the username in the header matches the username of a user in MySQL. When the user is authenticated via the header (or any other auth implementation present), the MySQL auth will trust that result and return the data available to that user. This is the generic mechanism which allows things like LDAP and MySQL to be combined:

http://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database

user-mapping.xml will not do this, but the MySQL auth will.

- Mike
Re: No connections for header authenticated user
Hi Mike,

I will post my (sanitized) build instructions and configs to Gist or something like that. That should hopefully make it easier to look at.

First I built plain vanilla with user-mapping.xml. It works great. Then I added mysql and it works great as well, both with user-mapping.xml and without.

Then I tried header authentication with user-mapping.xml, with mysql only (blank user-mapping.xml) and both. The result is the same. When I connect to guacamole direct the login page shows and I can authenticate and see everything that has been configured under the user profile. When I connect via the nginx proxy there is no login box (as expected) but none of the user profile information shows. It’s a “blank” page, no defined connections (neither user-mapping.xml nor mysql) and just the basic settings menu.

I tried with REMOTE_USER header and a custom header. Result is the same.

The particulars:

Ubuntu 18.04
Guacamole 0.9.14
Guacamole-server and guacamole-client built from git, checked out the 0.9.14 tag

* Is permission to access specific connections granted to the user in MySQL having the same username as the user authenticating with a header?

Mysql works fine when directly connecting to guacamole, without proxy or header authentication. DB settings defined in guacamole.properties and user in mysql match. Do I need to do something else for header authentication to allow looking up information in the profile?

Thanks,
Adi
Re: No connections for header authenticated user
The built-in user-mapping.xml auth will not trust the header auth result, however the MySQL auth will and should work as you expect.

What version of Guacamole?

Is permission to access specific connections granted to the user in MySQL having the same username as the user authenticating with a header?

- Mike

On Fri, Oct 12, 2018, 23:33 Adi Linden wrote:

> Hi,
>
> I placed guacamole behind a nginx reverse proxy. The nginx proxy performs
> basic authentication. I enabled the “guacamole-auth-header.jar” extension
> per instructions. My “user-mapping.xml” contains users with connections. I
> installed mysql and it also has users with connections.
>
> When I connect direct to guacamole, no nginx reverse proxy, everything
> works well. However, when I connect via the proxy I am greeted with a basic
> screen and basic settings. None of the settings in “user-mapping.xml” or
> mysql DB are assigned to the user authenticated via the proxy. The username
> shown in the top left is correct.
>
> The only clue I’ve come across is this 404 error in the log:
>
> Connected via proxy:
>
> 192.168.110.55 - - [13/Oct/2018:01:01:10 -0500] "GET /guacamole/api/session/data/header/users/adilinden?token=1F4F63E8FA4112E171B12798BD0515AA5C14508A9395CC4BA9DABDF59DDF42DA HTTP/1.1" 404 254
>
> Connected direct:
>
> 192.168.110.100 - - [13/Oct/2018:01:03:00 -0500] "GET /guacamole/api/session/data/mysql/users/adilinden?token=295CCD313B29BB9A8856752626949691B77D2453FAF3426129DA79B7C01F5307 HTTP/1.1" 200 201
>
> Thanks,
> Adi
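
Added example (not part of the thread and not Guacamole project code): a small check over a Tomcat access log in the format quoted above, listing users who were looked up on the `header` data source but whose record no other data source returned, which is the username-mismatch case described in the replies. The log lines are constructed, and the function names and the `header_source` parameter are hypothetical; `redact()` masks the session token that the request URL carries before an excerpt is shared.

```python
import re
from collections import defaultdict

# Constructed sample lines in the access-log format quoted in the thread;
# addresses, usernames and tokens are placeholders, not values from the thread.
SAMPLE_LOG = """\
192.0.2.55 - - [13/Oct/2018:01:01:10 -0500] "GET /guacamole/api/session/data/header/users/alice?token=AAAA1111 HTTP/1.1" 404 254
192.0.2.55 - - [13/Oct/2018:01:01:11 -0500] "GET /guacamole/api/session/data/mysql/users/alice?token=AAAA1111 HTTP/1.1" 200 201
192.0.2.56 - - [13/Oct/2018:01:02:10 -0500] "GET /guacamole/api/session/data/header/users/Bob?token=BBBB2222 HTTP/1.1" 404 254
192.0.2.56 - - [13/Oct/2018:01:02:11 -0500] "GET /guacamole/api/session/data/mysql/users/Bob?token=BBBB2222 HTTP/1.1" 404 254
192.0.2.100 - - [13/Oct/2018:01:03:00 -0500] "GET /guacamole/api/session/data/mysql/users/carol?token=CCCC3333 HTTP/1.1" 200 201
"""

# Captures the data source, the username and the HTTP status of a user lookup.
LOOKUP_RE = re.compile(
    r'"GET \S*/api/session/data/(?P<source>[^/\s]+)/users/(?P<user>[^/?\s]+)'
    r'\S* HTTP/[\d.]+" (?P<status>\d{3})\b'
)
TOKEN_RE = re.compile(r'(token=)[^&\s"]+')

def redact(line):
    """Mask the session token so a log excerpt can be shared."""
    return TOKEN_RE.sub(r'\1<redacted>', line)

def lookups(log_text):
    """Map username -> {data source -> set of HTTP statuses seen}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            seen[m['user']][m['source']].add(int(m['status']))
    return seen

def unmatched_header_users(log_text, header_source='header'):
    """Users seen on the header data source whose record no other source returned."""
    flagged = []
    for user, sources in lookups(log_text).items():
        if header_source not in sources:
            continue  # never authenticated through the header extension
        others = (st for src, st in sources.items() if src != header_source)
        if not any(200 in statuses for statuses in others):
            flagged.append(user)
    return sorted(flagged)

if __name__ == '__main__':
    for user in unmatched_header_users(SAMPLE_LOG):
        print('no matching record outside the header data source:', user)
    print(redact(SAMPLE_LOG.splitlines()[0]))
```
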