Dear Guacamole community,
I am having difficulty setting up the HTTP header authenticator. I have read the
manual ([1]) but I still cannot make it work.
First of all, I am not sure if I should set the "auth-provider" property in
/etc/guacamole/guacamole.properties, e.g. do I need to add:
auth-provider: org.apache.guacamole.auth.header.HTTPHeaderAuthenticationProvider
?
If I leave it unset, I get the following log:
20:38:21.077 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - Loading extension: "guacamole-auth-header-1.0.0.jar"
20:38:21.708 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "HTTP Header Authentication Extension" loaded.
20:38:21.914 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - Binding AuthenticationProvider "org.apache.guacamole.auth.file.FileAuthenticationProvider".
...
20:38:35.919 [http-nio-127.0.0.1-8080-exec-5] INFO o.a.g.r.auth.AuthenticationService - User "admin" successfully authenticated from [10.14.1.22, 127.0.0.1].
20:38:35.922 [http-nio-127.0.0.1-8080-exec-5] DEBUG o.a.g.a.f.FileAuthenticationProvider - Reading user mapping file: "/etc/guacamole/user-mapping.xml"
20:38:35.949 [http-nio-127.0.0.1-8080-exec-5] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "admin".
and after I open Guacamole I see the "admin" user name in the top right corner
(hence the HTTP header authenticator worked OK), but I am not automatically
connected to the server. I suppose I need to add an entry
to /etc/guacamole/user-mapping.xml, so I did:
<user-mapping>
    <authorize username="admin">
        <connection name="vnc">
            <protocol>vnc</protocol>
            <param name="hostname">vncserver</param>
            <param name="port">5901</param>
            <param name="password">secret</param>
            <param name="clipboard-encoding">UTF-8</param>
        </connection>
    </authorize>
</user-mapping>
but that does not help (same result after restarting Tomcat). What I want to
achieve is that the authenticated user is automatically connected to the VNC
server.
Another note concerning the structure of user-mapping.xml. [2] reads the
following:
Each user is specified with a corresponding <authorize> tag. This tag
contains all authorized connections for that user, each denoted with a
<connection> tag.
However, one page before, it provides an example where the <authorize> tag does
not necessarily contain <connection>:
<authorize username="USERNAME" password="PASSWORD">
    <protocol>vnc</protocol>
    <param name="hostname">localhost</param>
    <param name="port">5900</param>
    <param name="password">VNCPASS</param>
</authorize>
So what is the rule: should <authorize> contain <connection> tags, or can it
also describe one connection?
Addendum:
The connection prerequisites are certainly correct, as before I was using
the NoAuth provider without any complications:
11:40:29.188 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - Loading extension: "guacamole-auth-noauth-1.0.0.jar"
11:40:29.319 [localhost-startStop-1] INFO o.a.g.extension.ExtensionModule - Extension "Disabled Authentication" loaded.
...
12:16:52.343 [http-nio-127.0.0.1-8080-exec-3] INFO o.a.g.r.auth.AuthenticationService - User "admin" successfully authenticated from [10.14.1.22, 127.0.0.1].
12:16:52.356 [http-nio-127.0.0.1-8080-exec-3] DEBUG o.a.g.a.n.NoAuthenticationProvider - Configuration file "/etc/guacamole/noauth-config.xml" has been modified.
12:16:52.356 [http-nio-127.0.0.1-8080-exec-3] DEBUG o.a.g.a.n.NoAuthenticationProvider - Reading configuration file: "/etc/guacamole/noauth-config.xml"
12:16:52.441 [http-nio-127.0.0.1-8080-exec-3] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "admin".
12:16:53.708 [http-nio-127.0.0.1-8080-exec-12] DEBUG o.a.g.net.InetGuacamoleSocket - Connecting to guacd at localhost:4822.
12:16:53.884 [http-nio-127.0.0.1-8080-exec-12] INFO o.a.g.tunnel.TunnelRequestService - User "admin" connected to connection "localhost".
[1] http://guacamole.apache.org/doc/gug/header-auth.html
[2] http://guacamole.apache.org/doc/gug/configuring-guacamole.html#basic-auth
Thanks for any help in advance.
--
With best regards,
Dmitry