Re: Using LDAP to authenticate to balancing group

2024-05-28 Thread David Lomas
Hi Nick—I have a follow-up question if you're able to point me in the right
direction. Java is not my forte at all, but I'm having a _little_ success
replacing the LDAP extension with something based on the auth extension
tutorial. I can get the supplied credentials and test those against our
proprietary back end, but I can't figure out how to create a
GuacamoleConfiguration which returns just the user group, as the LDAP
service did in the end following your advice before. I was assuming it
would be something like `config.setParameter("group", "test");` but I can't
find anywhere what the expected parameter names are. Is that documented?

What I'm seeing right now is a successful authentication and then the
client displaying "An internal error occurred" with options to reconnect or
log out, and this below in the logs. I presume because it's a badly formed
configuration that I'm returning...

guacamole_compose   | 11:46:05.032 [http-nio-8080-exec-8] DEBUG
o.a.g.net.InetGuacamoleSocket - Connecting to guacd at guacd:4822.
guacamole_compose   | 28-May-2024 11:46:05.035 SEVERE
[http-nio-8080-exec-8]
org.apache.coyote.AbstractProtocol$ConnectionHandler.process Error reading
request, ignored
guacamole_compose   |   java.lang.NullPointerException
guacamole_compose   |   at
org.apache.guacamole.protocol.GuacamoleInstruction.appendElement(GuacamoleInstruction.java:107)
guacamole_compose   |   at
org.apache.guacamole.protocol.GuacamoleInstruction.toString(GuacamoleInstruction.java:135)
guacamole_compose   |   at
org.apache.guacamole.io.WriterGuacamoleWriter.writeInstruction(WriterGuacamoleWriter.java:78)
guacamole_compose   |   at
org.apache.guacamole.protocol.ConfiguredGuacamoleSocket.<init>(ConfiguredGuacamoleSocket.java:220)
guacamole_compose   |   at
org.apache.guacamole.net.auth.simple.SimpleConnection.connect(SimpleConnection.java:231)
guacamole_compose   |   at
org.apache.guacamole.net.auth.simple.SimpleConnection.connect(SimpleConnection.java:273)
guacamole_compose   |   at
org.apache.guacamole.tunnel.TunnelRequestService.createConnectedTunnel(TunnelRequestService.java:216)
guacamole_compose   |   at
org.apache.guacamole.tunnel.TunnelRequestService.createTunnel(TunnelRequestService.java:352)
guacamole_compose   |   at
org.apache.guacamole.tunnel.websocket.RestrictedGuacamoleWebSocketTunnelEndpoint.createTunnel(RestrictedGuacamoleWebSocketTunnelEndpoint.java:113)
guacamole_compose   |   at
org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.onOpen(GuacamoleWebSocketTunnelEndpoint.java:200)
guacamole_compose   |   at
org.apache.tomcat.websocket.server.WsHttpUpgradeHandler.init(WsHttpUpgradeHandler.java:131)
guacamole_compose   |   at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:976)
guacamole_compose   |   at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1698)
guacamole_compose   |   at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
guacamole_compose   |   at
org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
guacamole_compose   |   at
org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
guacamole_compose   |   at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
guacamole_compose   |   at
java.lang.Thread.run(Thread.java:750)
guacamole_compose   | 11:46:05.080 [http-nio-8080-exec-6] DEBUG
o.a.g.net.InetGuacamoleSocket - Connecting to guacd at guacd:4822.

Many thanks,

David

On Sat, 25 May 2024 at 01:33, Nick Couchman wrote:

> On Thu, May 23, 2024 at 6:32 AM David Lomas 
> wrote:
>
>> Thanks Nick—I got this working using your second method by not sending a
>> 'guacConfigParameter' object at all, but just returning the group name as
>> the cn. I also had to add LDAP_GROUP_BASE_DN into the guacamole
>> configuration. I do still see a warning in the logs about a missing
>> required attribute:
>>
>> 09:55:37.571 [http-nio-8080-exec-3] WARN  o.a.g.a.l.c.ConnectionService -
>> guacConfigGroup "test" is missing the required "guacConfigProtocol"
>> attribute.
>>
>> But that doesn't seem to stop the authentication working.
>>
>>
> Thanks for posting back, David - glad it is working for you. Yes, the
> guacConfigParameter LDAP attribute is not required at all for the
> configuration you're running.
>
> -Nick
>
>>


Re: Using LDAP to authenticate to balancing group

2024-05-24 Thread Nick Couchman
On Thu, May 23, 2024 at 6:32 AM David Lomas 
wrote:

> Thanks Nick—I got this working using your second method by not sending a
> 'guacConfigParameter' object at all, but just returning the group name as
> the cn. I also had to add LDAP_GROUP_BASE_DN into the guacamole
> configuration. I do still see a warning in the logs about a missing
> required attribute:
>
> 09:55:37.571 [http-nio-8080-exec-3] WARN  o.a.g.a.l.c.ConnectionService -
> guacConfigGroup "test" is missing the required "guacConfigProtocol"
> attribute.
>
> But that doesn't seem to stop the authentication working.
>
>
Thanks for posting back, David - glad it is working for you. Yes, the
guacConfigParameter LDAP attribute is not required at all for the
configuration you're running.

-Nick

>


Re: Using LDAP to authenticate to balancing group

2024-05-23 Thread David Lomas
Thanks Nick—I got this working using your second method by not sending a
'guacConfigParameter' object at all, but just returning the group name as
the cn. I also had to add LDAP_GROUP_BASE_DN into the guacamole
configuration. I do still see a warning in the logs about a missing
required attribute:

09:55:37.571 [http-nio-8080-exec-3] WARN  o.a.g.a.l.c.ConnectionService -
guacConfigGroup "test" is missing the required "guacConfigProtocol"
attribute.

But that doesn't seem to stop the authentication working.

On Fri, 17 May 2024 at 02:33, Nick Couchman wrote:

> On Wed, May 15, 2024 at 6:20 AM David Lomas 
> wrote:
>
>> Hi,
>>
>> I've set up a balancing group in Guacamole which contains 3 test
>> connections to individual machines. If I create test users in the web
>> interface and assign them to the group (but _not_ to individual
>> connections), I can see the balancing working—when each user logs in, they
>> are assigned to an available connection.
>>
>>
> If you're setting up a balancing group, then this means that you're using
> the JDBC (DB) extension for storing connections, correct?
>
>
>> But how can I 'target' a user who is authenticated via LDAP to this
>> connection group? The documentation shows how to return a connection to a
>> specific machine as part of the guacConfigParameter object (hostname: xyz,
>> etc.) but I couldn't find anything about returning a connection group
>> there. Is this possible? Is there some documentation I've missed?
>>
>>
> There are two ways to do this:
> * You can create a user account in the database that has the same user
> name (generally case-sensitive) as the LDAP user, and assign permission for
> a connection or connection group to the user. Note that this can also be
> largely automated by enabling the auto account-creation capability. See:
> https://guacamole.apache.org/doc/gug/ldap-auth.html#associating-ldap-with-a-database
> ,
> https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users
> * Instead of doing this based on username, you can do this with user
> groups - if you enable group searching in LDAP, you can assign the
> permissions to the groups, and, as long as the groups in the database have
> the same name as the LDAP groups, Guacamole will associate those
> permissions.
>
> -Nick
>


Re: Using LDAP to authenticate to balancing group

2024-05-16 Thread Nick Couchman
On Wed, May 15, 2024 at 6:20 AM David Lomas 
wrote:

> Hi,
>
> I've set up a balancing group in Guacamole which contains 3 test
> connections to individual machines. If I create test users in the web
> interface and assign them to the group (but _not_ to individual
> connections), I can see the balancing working—when each user logs in, they
> are assigned to an available connection.
>
>
If you're setting up a balancing group, then this means that you're using
the JDBC (DB) extension for storing connections, correct?


> But how can I 'target' a user who is authenticated via LDAP to this
> connection group? The documentation shows how to return a connection to a
> specific machine as part of the guacConfigParameter object (hostname: xyz,
> etc.) but I couldn't find anything about returning a connection group
> there. Is this possible? Is there some documentation I've missed?
>
>
There are two ways to do this:
* You can create a user account in the database that has the same user name
(generally case-sensitive) as the LDAP user, and assign permission for a
connection or connection group to the user. Note that this can also be
largely automated by enabling the auto account-creation capability. See:
https://guacamole.apache.org/doc/gug/ldap-auth.html#associating-ldap-with-a-database
,
https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users
* Instead of doing this based on username, you can do this with user groups
- if you enable group searching in LDAP, you can assign the permissions to
the groups, and, as long as the groups in the database have the same name
as the LDAP groups, Guacamole will associate those permissions.

-Nick
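
The group-based option described in the reply above, shown at the database level as an added example that is not part of the original thread or the Guacamole project's own code. It assumes the MySQL schema shipped with the Guacamole 1.x JDBC extension; `test` is the LDAP group cn mentioned later in the thread, and `Test Pool` is a placeholder name for the balancing group.

```sql
-- Added example. Assumes the Guacamole 1.x JDBC (MySQL) schema.
-- 'test'      : LDAP group cn; the database group must carry the same name.
-- 'Test Pool' : placeholder name of the balancing connection group.

START TRANSACTION;

-- 1. Create the entity for a user group named exactly like the LDAP group.
--    INSERT IGNORE relies on the schema's unique key over (type, name).
INSERT IGNORE INTO guacamole_entity (name, type)
VALUES ('test', 'USER_GROUP');

-- 2. Register that entity as a user group.
INSERT IGNORE INTO guacamole_user_group (entity_id)
SELECT entity_id
FROM guacamole_entity
WHERE name = 'test' AND type = 'USER_GROUP';

-- 3. Grant READ on the balancing group only. No per-connection
--    permissions are granted, so members reach the pool, not chosen hosts.
INSERT IGNORE INTO guacamole_connection_group_permission
       (entity_id, connection_group_id, permission)
SELECT e.entity_id, g.connection_group_id, 'READ'
FROM guacamole_entity e
JOIN guacamole_connection_group g
  ON g.connection_group_name = 'Test Pool' AND g.type = 'BALANCING'
WHERE e.name = 'test' AND e.type = 'USER_GROUP';

COMMIT;

-- Check 1: the group holds READ on the balancing group and nothing more.
SELECT e.name, g.connection_group_name, g.type, p.permission
FROM guacamole_connection_group_permission p
JOIN guacamole_entity e           ON e.entity_id = p.entity_id
JOIN guacamole_connection_group g ON g.connection_group_id = p.connection_group_id
WHERE e.name = 'test' AND e.type = 'USER_GROUP';

-- Check 2: least-privilege audit. Any row here is a direct grant on an
-- individual connection, which bypasses the balancing group.
SELECT e.name, c.connection_name, p.permission
FROM guacamole_connection_permission p
JOIN guacamole_entity e     ON e.entity_id = p.entity_id
JOIN guacamole_connection c ON c.connection_id = p.connection_id
WHERE e.name = 'test' AND e.type = 'USER_GROUP';
```

The same result is normally reached through the web interface by creating a group with the matching name and ticking the connection group; the SQL form is useful for auditing what was actually granted.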


Using LDAP to authenticate to balancing group

2024-05-15 Thread David Lomas
Hi,

I've set up a balancing group in Guacamole which contains 3 test
connections to individual machines. If I create test users in the web
interface and assign them to the group (but _not_ to individual
connections), I can see the balancing working—when each user logs in, they
are assigned to an available connection.

But how can I 'target' a user who is authenticated via LDAP to this
connection group? The documentation shows how to return a connection to a
specific machine as part of the guacConfigParameter object (hostname: xyz,
etc.) but I couldn't find anything about returning a connection group
there. Is this possible? Is there some documentation I've missed?

Thanks!