Hey JP,

That is correct, it is still doing the redirect to the IDP. I have made sure to 
disable the Duo plugin when enabling IDP, by renaming the file to .jar.bak.

I have the files in /etc/guacamole (guacamole.properties), and 
/etc/guacamole/extensions. I have symlinked these to the tomcat home directory, 
which I can try removing.

I agree, it does not look like it is getting the info it needs back, however I 
don’t know enough about OpenID to tell if it’s due to incorrect properties in 
guacamole.properties, or if it is a problem in the extension or reverse proxy.

Thanks,

Justin

________________________________
From: JP Harvey <jphar...@cloudquarterback.com>
Sent: Monday, February 12, 2018 12:22:55 PM
To: user@guacamole.apache.org
Subject: RE: OpenID-Connect HTTP 500

Hey Justin,

Is it still doing the redirect loop to the IDP? I enabled debug logging in our 
container and our logs are the same up until this point:

18:59:37.502 [http-bio-8080-exec-9] DEBUG o.a.i.t.jdbc.JdbcTransaction - 
Opening JDBC Connection
18:59:37.733 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - 
Created connection 1647012044.
18:59:37.733 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - 
Testing connection 1647012044 ...
18:59:37.772 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - 
Connection 1647012044 is GOOD!
18:59:37.774 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - 
==>  Preparing: SELECT guacamole_user.user_id, guacamole_user.username, 
password_hash, password_salt, password_date, disabled, expired, 
access_window_start, access_window_end, valid_from, valid_until, timezone, 
full_name, email_address, organization, organizational_role, MAX(start_date) AS 
last_active FROM guacamole_user LEFT JOIN guacamole_user_history ON 
guacamole_user_history.user_id = guacamole_user.user_id WHERE 
guacamole_user.username = ? GROUP BY guacamole_user.user_id
18:59:37.802 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - 
==> Parameters: null
18:59:37.842 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - 
<==      Total: 0
18:59:37.847 [http-bio-8080-exec-9] DEBUG o.a.i.t.jdbc.JdbcTransaction - 
Resetting autocommit to true on JDBC Connection 
[org.postgresql.jdbc.PgConnection@622b68cc]
18:59:37.859 [http-bio-8080-exec-9] DEBUG o.a.i.t.jdbc.JdbcTransaction - 
Closing JDBC Connection [org.postgresql.jdbc.PgConnection@622b68cc]
18:59:37.860 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - 
Testing connection 1647012044 ...
18:59:37.870 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - 
Connection 1647012044 is GOOD!
18:59:37.871 [http-bio-8080-exec-9] DEBUG o.a.i.d.pooled.PooledDataSource - 
Returned connection 1647012044 to pool.
18:59:37.871 [http-bio-8080-exec-9] DEBUG o.a.g.a.f.FileAuthenticationProvider 
- User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will 
not be read.
18:59:37.872 [http-bio-8080-exec-9] DEBUG o.a.g.r.auth.AuthenticationService - 
Anonymous authentication attempt from [10.0.1.203, 10.0.60.20] failed.

At that point, we get this in the logs:

16:52:02.922 [http-nio-8080-exec-5] DEBUG org.jose4j.jwk.HttpsJwks - 
Refreshing/loading JWKS from 
https://<our_idp_redacted.url>/common/discovery/keys

Followed by more IDP stuff, whereas yours just repeats the select from the 
database without logging anything about getting the keys from the IDP.

To isolate variables maybe get rid of Duo auth completely (don't load the jar 
file) in case it's causing an issue and test again (we get stuck in a Duo loop 
when we try it with OpenID anyway, so not sure it's going to work for you), 
and verify that your config/extension files are indeed in /etc/guacamole which 
is where it has set GUACAMOLE_HOME. If it is doing the redirect to the IDP then 
I'd guess it's still not getting back what it needs in terms of attributes, 
although there is nothing in the logs so maybe the openid connect extension 
does not have any debug logging.

JP

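A small log-triage script for the comparison JP describes above (the expected JWKS fetch from the IdP versus only anonymous JDBC/file attempts), added here as an example; it is not from the thread or from the Guacamole project. The log lines are constructed to match the ones quoted in the thread, and the IdP URL is a placeholder.

```python
import re

# Constructed sample log lines modelled on those quoted in the thread (not real captures).
LOG_WITHOUT_IDP = """\
18:59:37.774 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==>  Preparing: SELECT guacamole_user.user_id FROM guacamole_user WHERE guacamole_user.username = ?
18:59:37.802 [http-bio-8080-exec-9] DEBUG o.a.g.a.j.user.UserMapper.selectOne - ==> Parameters: null
18:59:37.871 [http-bio-8080-exec-9] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
18:59:37.872 [http-bio-8080-exec-9] DEBUG o.a.g.r.auth.AuthenticationService - Anonymous authentication attempt from [10.0.1.203, 10.0.60.20] failed.
"""
# Same trace plus the jose4j line a working OpenID extension produces (placeholder IdP host).
LOG_WITH_IDP = LOG_WITHOUT_IDP + (
    "16:52:02.922 [http-nio-8080-exec-5] DEBUG org.jose4j.jwk.HttpsJwks - "
    "Refreshing/loading JWKS from https://idp.example.invalid/common/discovery/keys\n"
)

# One Logback-style line: time, thread, level, logger, message.
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d{3}) \[(?P<thread>[^\]]+)\] "
                     r"(?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$")

def triage(log_text):
    """Summarise which auth providers ran and whether the OpenID extension reached the IdP."""
    jwks = anon = null_lookup = 0
    loggers = set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # mail-wrapped continuation line or unrelated output
        loggers.add(m["logger"])
        msg = m["msg"]
        if "HttpsJwks" in m["logger"] and "JWKS" in msg:
            jwks += 1  # the extension fetched signing keys, so a token reached it
        if "Anonymous authentication attempt" in msg and "failed" in msg:
            anon += 1  # the request carried no credentials any provider accepted
        if msg.startswith("==> Parameters:") and "null" in msg:
            null_lookup += 1  # JDBC looked up a null username: no identity was supplied
    if jwks:
        verdict = "openid-reached-idp"
    elif anon or null_lookup:
        verdict = "anonymous-only"  # no JWKS fetch logged; only anonymous attempts ran
    else:
        verdict = "inconclusive"
    return {"jwks_fetches": jwks, "anonymous_failures": anon,
            "null_username_lookups": null_lookup, "loggers": sorted(loggers), "verdict": verdict}

if __name__ == "__main__":
    for name, text in (("without IdP", LOG_WITHOUT_IDP), ("with IdP", LOG_WITH_IDP)):
        print(name, triage(text)["verdict"])
```

Feed it the full Tomcat log rather than the quoted excerpt; an "anonymous-only" verdict with no jose4j logger in the list means the OpenID extension never processed a token, which points at the redirect/reverse-proxy side rather than at the IdP.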
-----Original Message-----
From: just_insane [mailto:jus...@justin-tech.com]
Sent: Monday, February 12, 2018 06:58
To: user@guacamole.apache.org
Subject: OpenID-Connect HTTP 500

Hey JP,

So I changed the proxy_pass from http://guacamole/guacamole/ to 
http://guacamole/ and re-ran the tests after updating the redirect URL in 
guacamole.properties and keycloak.

Here are the logs from tomcat (on pastebin): https://pastebin.com/cqAsvK5s

Based on the logs, it appears to be trying to authenticate against JDBC
(Postgres) anonymously. I am not sure why this is happening, since I changed 
the name of the auth extension so that it loads first. Note that I do have 
users in postgres, would this make a difference?

Regards,

Justin



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
