Nick,
 
Thanks for that explanation. You may see from other messages in the thread that the user I was testing with was showing up in the guacamole_user_history table with a user_id of NULL.
 
Without auto-create turned on, I'm confused as to how the accounts that do exist were created. I'm going to have to snapshot this VM and then add the auto-create setting (after I read the reference you provided).
 
Along with that -- how do I verify that the guacamole_user has the proper privileges? I used the GRANT SELECT, INSERT, UPDATE, DELETE SQL command that many pages suggest... but those changes never stick, even after the FLUSH PRIVILEGES command.
 
Thanks
 
Jim
 
 
Sent: Wednesday, August 25, 2021 at 3:35 PM
From: "Nick Couchman" <vn...@apache.org>
To: user@guacamole.apache.org
Subject: Re: New Active Directory users not showing in user list
On Wed, Aug 25, 2021 at 4:22 PM Craig Sawyer <csaw...@yumaed.org> wrote:
Huh, if they are logged into Guacamole, then they by definition have
a guac account, so I'm confused as to why they aren't showing up in
the list. Perhaps someone else here will have some ideas.
 
 
There may be some confusion here as to what it means to "have a guac account." If you've enabled both the MySQL JDBC extension and the LDAP extensions, then users only need to exist in one of these two extensions in order to successfully authenticate. They do not have to be in both, and LDAP users do not have to have an entry in MySQL in order to successfully log in, nor does a successful login mean that the users will be automatically created - unless you enable this feature. See this manual page for more information:
 
 
Looking at the guacamole.properties output that was posted in the original question, I do not see the "mysql-auto-create-accounts" property anywhere, so Guacamole is not creating an entry for these users in the database.
 
Also, it's important to understand that the default "guacadmin" account in the JDBC extensions will have *no visibility* into the LDAP tree to see possible users, unless you happen to have an LDAP user called "guacadmin" with the same password that is in the JDBC account. The LDAP extension leverages LDAP security for both the login and the retrieval of user and group information from LDAP. This tends to trip people up a bit, but it is a very deliberate design of the LDAP extension: it does not use the Search Bind DN for all or even most LDAP operations. It only uses the Search Bind DN to find the user who is trying to log in. Once it locates that user, it unbinds and then re-binds as that user account and continues to retrieve other user accounts, LDAP groups, and/or connection information stored in LDAP. This means that, in order to see users, groups, and connections from LDAP, the user logging in to Guacamole needs to be an LDAP user, and needs to successfully bind to LDAP.
 
-Nick
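The sequence Nick describes (search bind only to locate the DN, unbind, re-bind as the user, read the directory under the user's own bind, and create a MySQL row only when mysql-auto-create-accounts is set) can be traced end to end with a small offline model. The code below is an added illustration written for this page; it is not Guacamole's code and does not talk to a real LDAP server or MySQL. The Directory and guac_login names, the sample guacamole.properties fragment and the directory entries are constructed, and the property names used are the ones the thread mentions plus the standard ldap-* properties. Passwords are held in plain text here purely so the model runs; Guacamole's JDBC extension stores salted hashes.

```python
"""Offline model of the Guacamole LDAP + JDBC login sequence (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed guacamole.properties fragment. As in the original question,
# mysql-auto-create-accounts is deliberately absent.
SAMPLE_PROPERTIES = """\
# sample values only, not a real deployment
ldap-hostname: ldap.example.org
ldap-user-base-dn: ou=people,dc=example,dc=org
ldap-search-bind-dn: cn=guac-search,ou=service,dc=example,dc=org
ldap-search-bind-password: search-secret
mysql-hostname: localhost
mysql-database: guacamole_db
mysql-username: guacamole_user
"""


def parse_properties(text):
    """Minimal 'key: value' parser for a guacamole.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


@dataclass
class Directory:
    """LDAP stand-in: entries keyed by DN; every operation is recorded in trace
    together with the identity it was performed under (hypothetical class)."""
    entries: dict
    trace: list = field(default_factory=list)

    def bind(self, dn, password):
        ok = dn in self.entries and self.entries[dn].get("userPassword") == password
        self.trace.append(("bind", dn, ok))
        return ok

    def unbind(self, dn):
        self.trace.append(("unbind", dn, True))

    def search(self, bound_dn, base, uid=None):
        """DNs under base (optionally filtered by uid), read as bound_dn."""
        self.trace.append(("search", bound_dn, uid))
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base) and (uid is None or attrs.get("uid") == uid)]


@dataclass
class LoginResult:
    authenticated: bool
    source: Optional[str]   # "ldap", "mysql" or None
    ldap_users: list        # what the logged-in user can see in LDAP
    in_database: bool       # whether guacamole_user now has a row for them


def guac_login(ldap, db_users, props, username, password):
    """Login as the thread describes it. db_users models the guacamole_user
    table as {username: password}; a None password means 'LDAP-only row'."""
    search_dn = props["ldap-search-bind-dn"]
    base = props["ldap-user-base-dn"]
    source, ldap_users = None, []

    # 1. The search bind DN is used only to find the user's DN, then dropped.
    if ldap.bind(search_dn, props["ldap-search-bind-password"]):
        found = ldap.search(search_dn, base, uid=username)   # uid attribute assumed
        ldap.unbind(search_dn)
        # 2. Re-bind as the user; later reads happen under *their* bind.
        if found and ldap.bind(found[0], password):
            source = "ldap"
            ldap_users = sorted(ldap.entries[dn]["uid"] for dn in ldap.search(found[0], base))
            ldap.unbind(found[0])

    # 3. Otherwise fall back to the JDBC (MySQL) account table.
    if source is None and db_users.get(username) == password:
        source = "mysql"

    # 4. A database row appears only when auto-creation is switched on.
    if (source == "ldap" and username not in db_users
            and props.get("mysql-auto-create-accounts", "false").lower() == "true"):
        db_users[username] = None

    return LoginResult(source is not None, source, ldap_users, username in db_users)


def sample_setup(auto_create=False):
    """Constructed directory and account table for running the model."""
    entries = {
        "cn=guac-search,ou=service,dc=example,dc=org": {"userPassword": "search-secret"},
        "uid=jim,ou=people,dc=example,dc=org": {"uid": "jim", "userPassword": "jim-pw"},
        "uid=craig,ou=people,dc=example,dc=org": {"uid": "craig", "userPassword": "craig-pw"},
    }
    db_users = {"guacadmin": "guacadmin"}   # default JDBC account, no LDAP entry
    props = parse_properties(SAMPLE_PROPERTIES)
    if auto_create:
        props["mysql-auto-create-accounts"] = "true"
    return Directory(entries), db_users, props


if __name__ == "__main__":
    ldap, db, props = sample_setup()
    print(guac_login(ldap, db, props, "jim", "jim-pw"))
    print(guac_login(ldap, db, props, "guacadmin", "guacadmin"))
    for op in ldap.trace:
        print(op)
```

Running it shows the two outcomes from the thread: jim authenticates through LDAP and can list LDAP users but never gains a guacamole_user row until mysql-auto-create-accounts is true, while guacadmin authenticates through MySQL, is never found by the search-bind lookup, and therefore sees an empty LDAP user list. The trace also shows the search bind DN performing exactly one search and no directory reads after the user's own bind, which is the least-privilege property Nick points out: the search account only needs to find DNs, and the logged-in user's LDAP permissions decide what Guacamole can read.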