On Tue, Apr 17, 2018 at 7:08 AM, Nick Couchman <[email protected]> wrote:
> On Tue, Apr 17, 2018 at 12:15 AM, Mike Jumper <[email protected]>
> wrote:
>
>> On Mon, Apr 16, 2018 at 7:27 PM, Fertig, Brian <[email protected]>
>> wrote:
>>
>>> Mike,
>>>
>>> Once again you and your team are awesome!
>>>
>>
>> Thanks, but to be clear: Apache Guacamole is developed by a community,
>> not by any individual's team.
>>
>>> So I have mysql then failover to radius setup for authentication. By
>>> leaving mysql 1st and the user trying to authenticate it's not going to
>>> cause conflicts is it?
>>>
>>
>> No, this shouldn't conflict. All extensions will be polled during the
>> authentication process. If any authentication attempt succeeds, that
>> successful attempt is used to identify the user to all other installed
>> extensions. If all attempts fail, then the first failed attempt determines
>> the nature of the login screen presented to the user.
>>
>
> I did see an issue, at one point, where the RADIUS module needed to be
> loaded before other modules in order to work. I don't remember the
> specific circumstances, but it seems like if authentication failed for a
> user in one of the previous modules the RADIUS module would not even be
> evaluated. I don't know if this is a bug that should be addressed or just
> an artifact of how the module stacking works with RADIUS, but, if you run
> into issues with this, you might try renaming the RADIUS authentication
> module and reloading Guacamole Client (Tomcat) so that it loads the RADIUS
> module, first. In my case, I just put a 0 in front of radius -
> guacamole-auth-0-radius.jar - to force it to authenticate with that
> extension before the others.
>

I'm not sure what might be happening to produce that result. The relevant
code handling that part of the auth process is:

https://github.com/apache/guacamole-client/blob/aac9d8795cb257b259259097fff8c540439d746b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java#L163-L179

Each auth provider is tried, in order, with any successful result
overriding the error results of all other auth providers. If no result is
successful, then the first authentication-related exception is rethrown,
defaulting to a standard username/password prompt if there aren't any
explicit failures. Any non-authentication exception will immediately halt
the process, though.

- Mike
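The provider polling described in the message above, as an added Java sketch that is not part of the original thread and is not Guacamole's own code. The `Provider` interface, `CredentialsException` class and the sample providers are hypothetical stand-ins constructed for illustration, not the Guacamole extension API.

```java
import java.util.List;

// Simplified model of the polling loop described above. Every name in this
// file is hypothetical and chosen for illustration only.
public class AuthChainDemo {

    /** Authentication-related failure, such as invalid or missing credentials. */
    static class CredentialsException extends Exception {
        CredentialsException(String msg) { super(msg); }
    }

    /** Returns an identity, returns null when it cannot identify the user, or throws. */
    interface Provider {
        String authenticate(String user, String pass) throws Exception;
    }

    static String authenticate(List<Provider> providers, String user, String pass)
            throws Exception {
        CredentialsException first = null;
        for (Provider p : providers) {
            try {
                String identity = p.authenticate(user, pass);
                if (identity != null)
                    return identity;              // success overrides earlier failures
            } catch (CredentialsException e) {
                if (first == null) first = e;     // only the first auth failure is kept
            }
            // Any other exception type is not caught, so it halts the loop here
        }
        if (first != null) throw first;           // first failure shapes the login screen
        throw new CredentialsException("default username/password prompt");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample providers
        Provider mysql = (u, p) -> { throw new CredentialsException("mysql: invalid login"); };
        Provider radiusOk = (u, p) -> "radius:" + u;
        Provider radiusBad = (u, p) -> { throw new CredentialsException("radius: rejected"); };
        Provider broken = (u, p) -> { throw new IllegalStateException("backend unreachable"); };

        // Case 1: an earlier failure does not stop a later provider from succeeding
        System.out.println(authenticate(List.of(mysql, radiusOk), "alice", "pw"));
        // Case 2: every provider fails, so the first failure is the one rethrown
        try { authenticate(List.of(mysql, radiusBad), "alice", "pw"); }
        catch (CredentialsException e) { System.out.println("rethrown: " + e.getMessage()); }
        // Case 3: a non-authentication exception halts before the next provider runs
        try { authenticate(List.of(broken, radiusOk), "alice", "pw"); }
        catch (IllegalStateException e) { System.out.println("halted: " + e.getMessage()); }
    }
}
```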
