On Tue, Mar 19, 2019 at 7:56 PM Dmitry Katsubo <dm...@mail.ru> wrote:

> Dear Guacamole community,
>
> I am having difficulty setting up the HTTP header authenticator. I have read
> the manual ([1]) but I still cannot make it work.
>
> First of all I am not sure if I should set "auth-provider" property in
> /etc/guacamole/guacamole.properties, e.g. do I need to add:
>
> auth-provider: org.apache.guacamole.auth.header.HTTPHeaderAuthenticationProvider
>

No, you do not need this - this option has been completely removed from the
code and has no effect.


>
> ?
>
> If I leave it unset, I get the following log:
>
> 20:38:21.077 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule
> - Loading extension: "guacamole-auth-header-1.0.0.jar"
> 20:38:21.708 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule
> - Extension "HTTP Header Authentication Extension" loaded.
> 20:38:21.914 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule
> - Binding AuthenticationProvider
> "org.apache.guacamole.auth.file.FileAuthenticationProvider".
> ...
> 20:38:35.919 [http-nio-127.0.0.1-8080-exec-5] INFO
> o.a.g.r.auth.AuthenticationService - User "admin" successfully
> authenticated from [10.14.1.22, 127.0.0.1].
> 20:38:35.922 [http-nio-127.0.0.1-8080-exec-5] DEBUG
> o.a.g.a.f.FileAuthenticationProvider - Reading user mapping file:
> "/etc/guacamole/user-mapping.xml"
> 20:38:35.949 [http-nio-127.0.0.1-8080-exec-5] DEBUG
> o.a.g.r.auth.AuthenticationService - Login was successful for user "admin".
>

This is good - it indicates that the HEADER module is installed correctly,
loading, and functioning.


>
> and after I open Guacamole I see the "admin" user name in the top right corner
> (hence HTTP header authenticator worked OK), but I am not automatically
> connected to the server. I suppose I need to add an entry
> to /etc/guacamole/user-mapping.xml, so I did:
>
> <user-mapping>
>     <authorize username="admin">
>         <connection name="vnc">
>             <protocol>vnc</protocol>
>             <param name="hostname">vncserver</param>
>             <param name="port">5901</param>
>             <param name="password">secret</param>
>             <param name="clipboard-encoding">UTF-8</param>
>         </connection>
>     </authorize>
> </user-mapping>
>
> but that does not help (same result after restarting Tomcat). What I want
> to achieve is that the authenticated user is automatically connected to the VNC
> server.
>

This is where I get a little fuzzy - it's been quite a while since I
actually used the file authentication module for much of anything.  I
believe there may be some limitations to the stacking done with that module
- that is, I don't know that the file authentication module actually
recognizes the user accounts as authenticated from other modules.  I'm not
saying for certain that it doesn't, just that there's some distant memory I
have that maybe that module doesn't work that way, and that connections
specified in the File provider will not necessarily be available to users
authenticated through other modules.

You say that you don't get automatically connected to the VNC server - do
you see the connection at all on the home screen?  Or is it a blank screen,
with no connections?

My suggestion would be to use the JDBC module to store connections.  It
requires a little bit of extra work and a few extra resources to configure,
but definitely works with the other modules and also gives you some
flexibility in permission management among users.


>
> Another note concerning the structure of user-mapping.xml. [2] reads the
> following:
>
>   Each user is specified with a corresponding <authorize> tag. This tag
> contains all authorized connections for that user, each denoted with a
> <connection> tag.
>
> however one page before it provides an example where the <authorize> tag does
> not necessarily contain <connection>:
>
> <authorize username="USERNAME" password="PASSWORD">
>     <protocol>vnc</protocol>
>     <param name="hostname">localhost</param>
>     <param name="port">5900</param>
>     <param name="password">VNCPASS</param>
> </authorize>
>
> So what is the rule: should <authorize> contain <connection> tags or can
> it also describe one connection?
>

The File provider handles both cases - either the single connection
specified within the <authorize></authorize> context, or multiple
connections specified within their own <connection></connection> contexts.

-Nick
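
The two user-mapping.xml layouts discussed in this thread, read by one small parser. This is an added example, not part of the original message and not Guacamole's own code; the `DEFAULT` label for the unnamed single connection and the `redacted` helper are this example's assumptions, and the sample XML is constructed from the two snippets quoted above.

```python
import xml.etree.ElementTree as ET

DEFAULT_NAME = "DEFAULT"  # assumption: label this example gives the unnamed connection

# Constructed sample combining the two layouts quoted in the thread.
SAMPLE = """
<user-mapping>
    <authorize username="admin">
        <connection name="vnc">
            <protocol>vnc</protocol>
            <param name="hostname">vncserver</param>
            <param name="port">5901</param>
            <param name="password">secret</param>
        </connection>
    </authorize>
    <authorize username="USERNAME" password="PASSWORD">
        <protocol>vnc</protocol>
        <param name="hostname">localhost</param>
        <param name="port">5900</param>
        <param name="password">VNCPASS</param>
    </authorize>
</user-mapping>
"""

def _read_connection(node):
    """Collect the <protocol> and <param> children of one connection context."""
    params = {p.get("name"): (p.text or "").strip() for p in node.findall("param")}
    return {"protocol": (node.findtext("protocol") or "").strip(), "params": params}

def load_user_mapping(xml_text):
    """Return {username: {connection name: config}} for both layouts."""
    users = {}
    for auth in ET.fromstring(xml_text).findall("authorize"):
        conns = {}
        # Layout 1: <protocol>/<param> sit directly under <authorize>.
        if auth.find("protocol") is not None:
            conns[DEFAULT_NAME] = _read_connection(auth)
        # Layout 2: each connection has its own <connection name="..."> element.
        for conn in auth.findall("connection"):
            conns[conn.get("name")] = _read_connection(conn)
        users[auth.get("username")] = conns
    return users

def redacted(config):
    """Copy of a config with password-like parameters masked, safe to log."""
    masked = {k: ("***" if "password" in k else v) for k, v in config["params"].items()}
    return {"protocol": config["protocol"], "params": masked}
```
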