On Sun, Feb 24, 2019 at 12:01 AM drhy <[email protected]> wrote:
> Hi Nick,
>
> A further clarification from PlayerOne and myself.
>
> We have been testing Radius with MySQL and have been able to successfully
> configure a Guacamole Group with Connections attached to it. When we then
> make Guacamole Users members of that Group, only the Users who are
> Guacamole Administrators see the Group's Connections. So in practice
> ordinary (non-Admin) Users don't see any Connections. (The Users and the
> Group match the User, Group and Group membership in Active Directory.)
>

It's probably related to one of two currently opened issues:

https://issues.apache.org/jira/browse/GUACAMOLE-696
https://issues.apache.org/jira/browse/GUACAMOLE-715

The first issue deals with the fact that group permissions within the database are not applied to users authenticated under a different extension. So, for example, if you have "Group 1" in JDBC, with "User 1" as a member of that group, you've assigned permissions to "Group 1" for a certain connection, and "User 1" authenticates with RADIUS, the permissions assigned to "Group 1" will *not* be applied. This is a slight nuance in how permissions are applied, and will likely be tweaked to function more how people expect it to work in 1.1.0. In 1.0.0, you'd have to have "Group 1" present in the RADIUS extension (which doesn't do groups at all, so that would be difficult), or you'd have to assign permissions directly to "User 1" in the JDBC module.

The second issue is a bug that requires that, for groups matched between authentication extensions (specifically between LDAP and JDBC), users are not given permissions of their group unless they already exist in the JDBC extension. This is unintended behavior, and should also be corrected in 1.1.0.

I suspect the scenario you're hitting is the one documented in 696.

-Nick
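The 1.0.0 workaround mentioned in the reply (assigning permissions directly to the user in the JDBC module), sketched as an added example that is not part of the original message or of the Guacamole project. It runs against an in-memory SQLite copy of four tables; the table and column names are assumed to match the Guacamole 1.0.0 JDBC schema, and the sample rows are constructed.

```python
import sqlite3

# Reduced copy of the JDBC tables involved (assumption: names match your
# Guacamole 1.0.0 database; verify before reusing the queries on MySQL).
SCHEMA = """
CREATE TABLE guacamole_entity (entity_id INTEGER PRIMARY KEY, name TEXT, type TEXT);
CREATE TABLE guacamole_user_group (user_group_id INTEGER PRIMARY KEY, entity_id INTEGER);
CREATE TABLE guacamole_user_group_member (user_group_id INTEGER, member_entity_id INTEGER);
CREATE TABLE guacamole_connection_permission (
    entity_id INTEGER, connection_id INTEGER, permission TEXT,
    PRIMARY KEY (entity_id, connection_id, permission));
"""

# Connection grants a group holds that a member user does not hold directly.
MISSING = """
SELECT DISTINCT m.member_entity_id, gp.connection_id, gp.permission
FROM guacamole_user_group g
JOIN guacamole_connection_permission gp ON gp.entity_id = g.entity_id
JOIN guacamole_user_group_member m ON m.user_group_id = g.user_group_id
JOIN guacamole_entity u ON u.entity_id = m.member_entity_id AND u.type = 'USER'
WHERE NOT EXISTS (
    SELECT 1 FROM guacamole_connection_permission up
    WHERE up.entity_id = m.member_entity_id
      AND up.connection_id = gp.connection_id
      AND up.permission = gp.permission)
ORDER BY m.member_entity_id, gp.connection_id, gp.permission
"""

def missing_direct_grants(db):
    """Audit step: list (user entity, connection, permission) gaps."""
    return db.execute(MISSING).fetchall()

def apply_direct_grants(db):
    """Mirror each group grant onto its member users; returns rows added."""
    rows = missing_direct_grants(db)
    db.executemany("INSERT INTO guacamole_connection_permission VALUES (?, ?, ?)", rows)
    return len(rows)

def sample_db():
    """Constructed data: 'Group 1' can read connections 100 and 101."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executescript("""
    INSERT INTO guacamole_entity VALUES (1,'User 1','USER'),(2,'User 2','USER'),(3,'Group 1','USER_GROUP');
    INSERT INTO guacamole_user_group VALUES (10, 3);
    INSERT INTO guacamole_user_group_member VALUES (10, 1), (10, 2);
    INSERT INTO guacamole_connection_permission VALUES (3,100,'READ'),(3,101,'READ'),(2,100,'READ');
    """)
    return db
```

Direct grants do not follow group membership, so a user removed from the group keeps them until they are revoked explicitly. Run the audit query on its own first and review the rows before applying them.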
