Re: LDAP_USER_BASE_DN pointing to an AD Security Group

[Mariano Di Girolamo]

The user used in bind is member of administrator. 
I installed the new version of guacamole (0.9.13) but I have the same problem. 
If I configure the base-dn like "DC=test,DC=local" I have this error on 
catalina.out 

ERROR o.a.g.a.l.AuthenticationProviderService - Cannot bind with LDAP server: 
Error while query user DNs. 




Di Girolamo Mariano 
cell. +39 329 0552286 
tel. +39 0735 762626 3 
Tecnodata s.r.l. - Via Val Tiberina, 23A - 63074 San Benedetto del Tronto (AP) 
Italy 
tel. +39 0735 7626261 - www.tecnodata-srl.it 
Il contenuto di questa e-mail e degli eventuali allegati, è strettamente 
confidenziale, non producibile in giudizio e destinato alla/e persona/e a cui è 
indirizzato. Se avete ricevuto per errore questa e-mail, Vi preghiamo di 
segnalarcelo immediatamente e di cancellarla dal vostro computer. E' fatto 
divieto di copiare e divulgare il contenuto di questa e-mail. Ogni utilizzo 
abusivo delle informazioni qui contenute da parte di persone terze o comunque 
non indicate nella presente e-mail, potrà essere perseguito ai sensi di legge. 


Da: "Nick Couchman"  
A: "user"  
Inviato: Lunedì, 31 luglio 2017 15:24:06 
Oggetto: Re: LDAP_USER_BASE_DN pointing to an AD Security Group 

Hmmm...that's not very useful. Does the user account you're using to bind for 
the search have access to the other OUs? Generally they do, unless you've 
specifically locked down that users permissions. 

Any error messages in the log file for your application server (Tomcat, JBoss - 
whatever you're using)? 

-Nick 

== He has shown you, O man, what is good; And what does the LORD require of you 
But to do justly, To love mercy, And to walk humbly with your God? --Micah 
6:8-- == 



On Monday, July 31, 2017, 3:29:36 AM EDT, Mariano Di Girolamo 
 wrote: 


Hi Nick, 
thanks for your reply. 
I changed the ldap-user-base-dn like your suggestion ( DC=test,DC=local ), but 
now nobody can access to guacamole. 
I don't use LDAP but samba4 domain controller. 



Di Girolamo Mariano 
cell. +39 329 0552286 
tel. +39 0735 762626 3 
Tecnodata s.r.l. - Via Val Tiberina, 23A - 63074 San Benedetto del Tronto (AP) 
Italy 
tel. +39 0735 7626261 - www.tecnodata-srl.it 
Il contenuto di questa e-mail e degli eventuali allegati, è strettamente 
confidenziale, non producibile in giudizio e destinato alla/e persona/e a cui è 
indirizzato. Se avete ricevuto per errore questa e-mail, Vi preghiamo di 
segnalarcelo immediatamente e di cancellarla dal vostro computer. E' fatto 
divieto di copiare e divulgare il contenuto di questa e-mail. Ogni utilizzo 
abusivo delle informazioni qui contenute da parte di persone terze o comunque 
non indicate nella presente e-mail, potrà essere perseguito ai sensi di legge. 


Da: "Nick Couchman"  
A: "user"  
Inviato: Venerdì, 28 luglio 2017 23:11:39 
Oggetto: Re: LDAP_USER_BASE_DN pointing to an AD Security Group 

In order to accomplish what you're trying to do, you need to change your base 
DN to a higher-level. So, the following line: 

ldap-user-base-dn: OU=guacamoleou,DC=test,DC=local 

would need to be changed to: 

ldap-user-base-dn: DC=test,DC=local 

Another option is to leave the base DN as you have it, enable Alias 
Dereferencing (see the manual) and then link any additional users into the 
guacamoleou OU object. 

Finally, there is a JIRA issue out there for changing LDAP behavior such that 
you can put multiple OUs in, but I don't think it has been implemented, yet. 

-Nick 


On Friday, July 28, 2017, 4:15:10 AM EDT, Mariano Di Girolamo 
 wrote: 


Hi Marco, 
I installed your patch on guacamole 0.9.12 and now only members to the group I 
specified on ldap-user-filter can access to guacamole, but this is true 
only if users are in the OU configured on ldap-user-base-dn. 
What can I do to enable users in different OU? 

This is my configuration on guacamole.properties: 

ldap-hostname: dc.test.local 
ldap-port: 389 
ldap-users-filter: memberOf=CN=guacgroup,DC=test,DC=local 
ldap-user-base-dn: OU=guacamoleou,DC=test,DC=local 
ldap-search-bind-dn: CN=guacamole,OU=guacamoleou,DC=test,DC=local 
ldap-search-bind-password: mypass 
ldap-username-attribute: sAMAccountName 


Thanks 



Di Girolamo Mariano 
cell. +39 329 0552286 
tel. +39 0735 762626 3 
Tecnodata s.r.l. - Via Val Tiberina, 23A - 63074 San Benedetto del Tronto (AP) 
Italy 
tel. +39 0735 7626261 - www.tecnodata-srl.it 
Il contenuto di questa e-mail e degli eventuali allegati, è strettamente 
confidenziale, non producibile in giudizio e destinato alla/e persona/e a cui è 
indirizzato. Se avete ricevuto per errore questa e-mail, Vi preghiamo di 
segnalarcelo immediatamente e di cancellarla dal vostro computer. E' fatto 
divieto di copiare e divulgare il contenuto di questa e-mail. Ogni utilizzo 
abusivo delle informazioni qui contenute da parte di persone terze o comunque 
non indicate nella presente e-mail, potrà essere perseguito ai sensi di legge. 


-- 
Questo messaggio e' stato analizzato ed e' risultato non infetto. 
This message w

RE: RE: Disable Hidden Menu

[Adrian Owen]

RDP to Windows and SSH to Linux all thru Guacamole.

From: Nick Couchman [mailto:nick.couch...@yahoo.com]
Sent: 02 August 2017 15:17
To: user@guacamole.incubator.apache.org
Subject: Re: RE: Disable Hidden Menu

What type of systems are you connecting to on the remote side?



On Wednesday, August 2, 2017, 10:15:19 AM EDT, Adrian Owen 
mailto:adrian.o...@eesm.com>> wrote:



Hi Nick,



Thanks for you explanation.



The reason is: Users are not allowed Clipboard access to remote computers.



Disabling Guacamole hidden menu, and ‘Browser Clipboard access’ meets the 
requirement.





Thanks, Adrian



From: Nick Couchman [mailto:nick.couch...@yahoo.com]
Sent: 02 August 2017 15:03
To: 
user@guacamole.incubator.apache.org
Subject: Re: Disable Hidden Menu



Adrian,

A couple of issues, here:



- Moving files out of the way in Tomcat like that isn't a very reliable way to 
make changes, since Tomcat will likely, at some point, re-deploy the web 
application and wipe out your changes.  It looks like moving that file and 
restarting doesn't necessarily trigger the redeploy of the original file, but 
it's still not a very reliable method for doing that.



- The client.html file is not the file responsible for the appearance of the 
hidden menu.  That code is buried in the app.js file that contains all of the 
other JavaScript code for Guacamole.  So, I would not expect moving this file 
out of the way to actually disable this menu, or at least not only disable the 
menu - it will probably cause other problems.  The fact that you're not seeing 
any changes after moving it probably has to do with caching on client, server, 
or both.



- I do not believe there is currently a way to disable the hidden menu.  Maybe 
you can add some detail about why you want to hide it, and you can also open a 
JIRA issue to request that as an enhancement, if you like, but it would 
probably be good to discuss a little further, here, and see what you're trying 
to accomplish and why.



Regards,

Nick



On Wednesday, August 2, 2017, 9:21:30 AM EDT, Adrian Owen 
mailto:adrian.o...@eesm.com>> wrote:


I renamed
/var/lib/tomcat8/webapps/guacamole/app/client/templates/client.html
To
/var/lib/tomcat8/webapps/guacamole/app/client/templates/client.html.old

And restarted tomcat8

But hidden menu still appears?

How to disable it?

Many thanks, Adrian

Re: RE: Disable Hidden Menu

[Nick Couchman]

What type of systems are you connecting to on the remote side?


On Wednesday, August 2, 2017, 10:15:19 AM EDT, Adrian Owen 
 wrote:

#yiv7020427795 #yiv7020427795 -- _filtered #yiv7020427795 
{font-family:Helvetica;panose-1:2 11 6 4 2 2 2 2 2 4;} _filtered #yiv7020427795 
{panose-1:2 4 5 3 5 4 6 3 2 4;} _filtered #yiv7020427795 
{font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;}#yiv7020427795 
#yiv7020427795 p.yiv7020427795MsoNormal, #yiv7020427795 
li.yiv7020427795MsoNormal, #yiv7020427795 div.yiv7020427795MsoNormal 
{margin:0cm;margin-bottom:.0001pt;font-size:12.0pt;}#yiv7020427795 a:link, 
#yiv7020427795 span.yiv7020427795MsoHyperlink 
{color:#0563C1;text-decoration:underline;}#yiv7020427795 a:visited, 
#yiv7020427795 span.yiv7020427795MsoHyperlinkFollowed 
{color:#954F72;text-decoration:underline;}#yiv7020427795 
span.yiv7020427795EmailStyle17 {color:#1F497D;}#yiv7020427795 
.yiv7020427795MsoChpDefault {font-size:10.0pt;} _filtered #yiv7020427795 
{margin:72.0pt 72.0pt 72.0pt 72.0pt;}#yiv7020427795 
div.yiv7020427795WordSection1 {}#yiv7020427795 
Hi Nick,

  

Thanks for you explanation.

  

The reason is: Users are not allowed Clipboard access to remote computers. 

  

Disabling Guacamole hidden menu, and ‘Browser Clipboard access’ meets the 
requirement.

  

  

Thanks, Adrian

  

From: Nick Couchman [mailto:nick.couch...@yahoo.com] 
Sent: 02 August 2017 15:03
To: user@guacamole.incubator.apache.org
Subject: Re: Disable Hidden Menu

  

Adrian,

A couple of issues, here:

  

- Moving files out of the way in Tomcat like that isn't a very reliable way to 
make changes, since Tomcat will likely, at some point, re-deploy the web 
application and wipe out your changes.  It looks like moving that file and 
restarting doesn't necessarily trigger the redeploy of the original file, but 
it's still not a very reliable method for doing that.

  

- The client.html file is not the file responsible for the appearance of the 
hidden menu.  That code is buried in the app.js file that contains all of the 
other JavaScript code for Guacamole.  So, I would not expect moving this file 
out of the way to actually disable this menu, or at least not only disable the 
menu - it will probably cause other problems.  The fact that you're not seeing 
any changes after moving it probably has to do with caching on client, server, 
or both.

  

- I do not believe there is currently a way to disable the hidden menu.  Maybe 
you can add some detail about why you want to hide it, and you can also open a 
JIRA issue to request that as an enhancement, if you like, but it would 
probably be good to discuss a little further, here, and see what you're trying 
to accomplish and why.

  

Regards,

Nick

  


On Wednesday, August 2, 2017, 9:21:30 AM EDT, Adrian Owen 
 wrote:


I renamed 
/var/lib/tomcat8/webapps/guacamole/app/client/templates/client.html
To
/var/lib/tomcat8/webapps/guacamole/app/client/templates/client.html.old
 
And restarted tomcat8
 
But hidden menu still appears?
 
How to disable it?
 
Many thanks, Adrian
 
 

RE: Disable Hidden Menu

[Adrian Owen]

Hi Nick,

Thanks for you explanation.

The reason is: Users are not allowed Clipboard access to remote computers.

Disabling Guacamole hidden menu, and ‘Browser Clipboard access’ meets the 
requirement.


Thanks, Adrian

From: Nick Couchman [mailto:nick.couch...@yahoo.com]
Sent: 02 August 2017 15:03
To: user@guacamole.incubator.apache.org
Subject: Re: Disable Hidden Menu

Adrian,
A couple of issues, here:

- Moving files out of the way in Tomcat like that isn't a very reliable way to 
make changes, since Tomcat will likely, at some point, re-deploy the web 
application and wipe out your changes.  It looks like moving that file and 
restarting doesn't necessarily trigger the redeploy of the original file, but 
it's still not a very reliable method for doing that.

- The client.html file is not the file responsible for the appearance of the 
hidden menu.  That code is buried in the app.js file that contains all of the 
other JavaScript code for Guacamole.  So, I would not expect moving this file 
out of the way to actually disable this menu, or at least not only disable the 
menu - it will probably cause other problems.  The fact that you're not seeing 
any changes after moving it probably has to do with caching on client, server, 
or both.

- I do not believe there is currently a way to disable the hidden menu.  Maybe 
you can add some detail about why you want to hide it, and you can also open a 
JIRA issue to request that as an enhancement, if you like, but it would 
probably be good to discuss a little further, here, and see what you're trying 
to accomplish and why.

Regards,
Nick


On Wednesday, August 2, 2017, 9:21:30 AM EDT, Adrian Owen 
mailto:adrian.o...@eesm.com>> wrote:


I renamed
/var/lib/tomcat8/webapps/guacamole/app/client/templates/client.html
To
/var/lib/tomcat8/webapps/guacamole/app/client/templates/client.html.old

And restarted tomcat8

But hidden menu still appears?

How to disable it?

Many thanks, Adrian

Re: Disable Hidden Menu

[Nick Couchman]

Adrian,
A couple of issues, here:
- Moving files out of the way in Tomcat like that isn't a very reliable way to 
make changes, since Tomcat will likely, at some point, re-deploy the web 
application and wipe out your changes.  It looks like moving that file and 
restarting doesn't necessarily trigger the redeploy of the original file, but 
it's still not a very reliable method for doing that.
- The client.html file is not the file responsible for the appearance of the 
hidden menu.  That code is buried in the app.js file that contains all of the 
other JavaScript code for Guacamole.  So, I would not expect moving this file 
out of the way to actually disable this menu, or at least not only disable the 
menu - it will probably cause other problems.  The fact that you're not seeing 
any changes after moving it probably has to do with caching on client, server, 
or both.
- I do not believe there is currently a way to disable the hidden menu.  Maybe 
you can add some detail about why you want to hide it, and you can also open a 
JIRA issue to request that as an enhancement, if you like, but it would 
probably be good to discuss a little further, here, and see what you're trying 
to accomplish and why.
Regards,Nick

On Wednesday, August 2, 2017, 9:21:30 AM EDT, Adrian Owen 
 wrote:


I renamed 
/var/lib/tomcat8/webapps/guacamole/app/client/templates/client.html
To
/var/lib/tomcat8/webapps/guacamole/app/client/templates/client.html.old
  
And restarted tomcat8
  
But hidden menu still appears?
  
How to disable it?
  
Many thanks, Adrian
  
  

Re: Login to windows app using iphone Touch ID?

[Nick Couchman]

On Wednesday, August 2, 2017, 12:35:44 AM EDT, ivaldes1  
wrote:

> Just put in id and password into safari settings on iphone and enabled
> auto-fill, so far no good :-( Does not recognize or fill in the id or
> password. Then again, the Windows app itself is not a web page. I am not
> sure how to proceed. 

I'm not sure what you mean by this?  It's definitely a web page.
However, it looks like maybe some tags need to be added in the code to trigger 
the autofill functionality, so this may be a bug or enhancement.
-Nick
--
View this message in context: 
http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Login-to-windows-app-using-iphone-Touch-ID-tp1445p1454.html
Sent from the Apache Guacamole (incubating) - Users mailing list archive at 
Nabble.com.

CAS extensions with Docker?

[tako]

Just wondering, how would I enable the CAS extension through a docker image?
Don't see documentation for it on
http://guacamole.incubator.apache.org/doc/0.9.13-incubating/gug/cas-auth.html
but assuming it's just :



but would like confirmation.

Thanks!



--
View this message in context: 
http://apache-guacamole-incubating-users.2363388.n4.nabble.com/CAS-extensions-with-Docker-tp1458.html
Sent from the Apache Guacamole (incubating) - Users mailing list archive at 
Nabble.com.

Disable Hidden Menu

[Adrian Owen]

I renamed
/var/lib/tomcat8/webapps/guacamole/app/client/templates/client.html
To
/var/lib/tomcat8/webapps/guacamole/app/client/templates/client.html.old

And restarted tomcat8

But hidden menu still appears?

How to disable it?

Many thanks, Adrian

Re: RES: [DISCUSS] Improving Guacamole Administration

[Nick Couchman]

Thiago,Thank you for the feedback!
Regards,Nick

On Thursday, July 27, 2017, 8:08:37 PM EDT, Thiago dos Santos Nunes 
 wrote:

#yiv0200967597 #yiv0200967597 -- _filtered #yiv0200967597 
{font-family:Helvetica;panose-1:2 11 6 4 2 2 2 2 2 4;} _filtered #yiv0200967597 
{panose-1:2 4 5 3 5 4 6 3 2 4;} _filtered #yiv0200967597 
{font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;} _filtered #yiv0200967597 
{panose-1:3 7 4 2 5 3 2 3 2 3;}#yiv0200967597 #yiv0200967597 
p.yiv0200967597MsoNormal, #yiv0200967597 li.yiv0200967597MsoNormal, 
#yiv0200967597 div.yiv0200967597MsoNormal 
{margin:0cm;margin-bottom:.0001pt;font-size:11.0pt;}#yiv0200967597 a:link, 
#yiv0200967597 span.yiv0200967597MsoHyperlink 
{color:#0563C1;text-decoration:underline;}#yiv0200967597 a:visited, 
#yiv0200967597 span.yiv0200967597MsoHyperlinkFollowed 
{color:#954F72;text-decoration:underline;}#yiv0200967597 
p.yiv0200967597msonormal0, #yiv0200967597 li.yiv0200967597msonormal0, 
#yiv0200967597 div.yiv0200967597msonormal0 
{margin-right:0cm;margin-left:0cm;font-size:11.0pt;}#yiv0200967597 
span.yiv0200967597EstiloDeEmail18 {color:windowtext;}#yiv0200967597 
span.yiv0200967597EstiloDeEmail20 {color:windowtext;}#yiv0200967597 
.yiv0200967597MsoChpDefault {font-size:10.0pt;} _filtered #yiv0200967597 
{margin:70.85pt 3.0cm 70.85pt 3.0cm;}#yiv0200967597 
div.yiv0200967597WordSection1 {}#yiv0200967597 
Hi Nick,
 
  
 
Pax!
 
  
 
Let's answer what I think would be interesting to work with guacamole with 
regard to the administration panel. I myself was one of the people who opened 
tickets on that. I will take advantage of and post the links of the tickets 
that can help for future conference on the administrative panel:
 
  
 
https://issues.apache.org/jira/browse/GUACAMOLE-248
 
  
 
https://issues.apache.org/jira/browse/GUACAMOLE-221
 
  
 
https://issues.apache.org/jira/browse/GUACAMOLE-220
 
  
 
https://issues.apache.org/jira/browse/GUACAMOLE-182
 
  
 
  
 
Today I work with a Guacamole server pool with MANY different clients directly 
connected to this pool (0.9.12 - MySQL) accessing their respective accounts and 
accessing their servers, only my team manages everything, including the 
creation of connections and users. We have problems because we can not release 
the administration to the clients and we can not let them associate the 
connections to the users (and if they associate the wrong connection 
intentionally they will connect in the server of another client).
 
  
 
  
 
Now what I think could be done:
 
  
 
* Batch management of user groups with different permissions (including 
different password permissions for each group, same in AD as we do for 
different OUs). Changing passwords of all users in a group at the same time or 
setting up for the exchange all that group would be fantastic. You can 
associate connections to user groups and not user per user (do this with 
300-500 users and you will see the hell it is). Also the option to create users 
in batch via txt, csv, would be great.
 
* Delegated administration of user groups: Create a sub administrator of a 
specific group of users with the permission to create users, change passwords, 
associate connections to these users. It would be essential if 
sub-administrators could have specific permissions, such as ACLs themselves, 
type, associate, but not read or write connections (not to see the passwords 
associated with the connections, changing the number of concurrent connections 
is also a problem), Or could read but not record, or do all that. Ditto do the 
same for user groups (create users, change passwords, etc.). It would also be 
desirable for administrators to view their users' specific sessions and kill 
only those sessions.
 
* The connection template would be great if we could modify what we wanted 
inside the child connections, even if it is part of the template. And also 
force the template application on all child connections.
 
* It would also be great if we could block the number of simultaneous accesses 
within a group of connections and force this on the number of hits on the 
specific connections (I have 50 connections in a group and instead of going one 
by one I change something in the group And command to force ON connections - 
such as the per-user limit or the total limit). And also the connection option 
in blocking inheritance.
 
* Applying a specific configuration to a group of connections at the same time 
and associating them for example to a template at the same time would be great. 
The bad part of both users and connections is having to do everything on hand 
one by one. It becomes impractical when you have too many connections.
 
  
 
GUACAMOLE is a fantastic solution and I am a great enthusiast of it. Thank you 
so much for listening!
 
  
 
God be with you!
 
  
 
  
 
Original text below:
 
  
 
Hi Nick,
 
  
 
PAX!
 
  
 
Vamos responder sobre o que acho que seria interessante de trabalhar com o 
guacamole no que se refere ao painel de adm

include listeners in extension?

[carl harris]

I want to make an extension that uses listeners for tunnel connect and close 
events. Looking at the extension documentation and the ExtensionManifest java 
class, it’s not obvious to me how to declare my listener classes. 

I found a JIRA issue [1] that is quite old, describing where to place a JAR 
file containing my listener classes and a configuration property 
“event-listeners” that can be set to identifier listeners.

Is there a way to do this that is part of the extension manifest mechanism or 
am I stuck modifying the server’s properties file, and putting my listeners in 
a jar file in the lib directory of GUACAMOLE_HOME?

carl

[1] https://glyptodon.org/jira/browse/GUAC-107