Mike,
 
Thank you for your detailed explanation. I believe all four conditions you've listed are true, and yet about 20 out of 150 users do not appear in the admin interface. We aren't having authentication issues. The users who don't appear in the webui can log in just fine. However, because they are not in the webui, I cannot assign connections to them, so when they log in they don't have anywhere to go. I will step through the conditions just to make sure I don't miss anything.
 
1) Guacadmin is in Active Directory as a standard user
2) Guacadmin is an admin user in the webui
3) The ldap-user binding in guacamole.properties is a service account assigned as a domain administrator in AD
4) The LDAP base is the entire domain, with a filter matching only normal user accounts (based on sAMAccountType). I can tell this is working because we have user accounts in the webui that come from different AD OUs.
 
One might think that the disconnect between guacadmin as a normal user in LDAP and the SVC.GUACAMOLE account being a Domain Admin could cause issues... but the majority of the LDAP users do appear in and are manipulated/managed by the webui, specifically connection assignments.
 
Any other information or analysis you might provide would be most appreciated. This system is in 'production', so I have limited ability to do more than view the configurations during the day for the next week or so, until we cycle down.
 
Thanks
 
Jim
 
Sent: Wednesday, August 25, 2021 at 4:06 PM
From: "Mike Jumper" <[email protected]>
To: [email protected]
Subject: Re: New Active Directory users not showing in user list
A user does not need to exist within the database to be able to log in, nor will they be automatically added to the database upon login.
 
The entry you see in the database is _not_ the user being created, nor is it the user being partially created. It's the system recording that a login for a user occurred. There is no database permissions issue.
 
To be clear, a user does not need to exist in the database for the user to be able to log in, nor do they need to exist in the database to be listed in the admin screen:
 
* If a user can log in, that means that at least one authentication extension recognizes that user's credentials and has validated their identity. If you only have a database extension installed, then yes, this means they exist in the database. If you have both LDAP and a database extension installed, then this means they exist in LDAP or the database, etc.
 
* If a user is listed in the admin interface, it means that the current user has permission to see that user according to at least one authentication extension. That user may exist in both LDAP and the database, they may exist only in LDAP, or they may exist only in the database.
 
* There is an option to automatically create database users, but this is not needed except when using an extension that requires storage for all users (the TOTP extension). You do not need to enable this option simply to be able to see users, log in as those users, etc.
 
If you are expecting to see LDAP users within the admin interface, but aren't, the way to troubleshoot that is not to execute queries against the database (which truly has nothing to do with LDAP), but to check the details of your user within LDAP.
 
To see an LDAP user within the admin interface, the following must be true:
 
1) You must log in with LDAP credentials, not database credentials. You will not be able to see LDAP objects of any kind unless your credentials are recognized by the LDAP server, as it's your access rights within LDAP that dictate visibility of LDAP objects.
 
2) You must log in with LDAP credentials that match a user with admin privileges in the database.
 
3) Your LDAP user must have permission within LDAP to retrieve the details of the user in question.
 
4) The user in question must match the declared LDAP structure within guacamole.properties. This means they must be beneath the declared user base DN. If you specified an LDAP user search filter within guacamole.properties, the user must match that, too.
 
Michael Jumper
CEO, Lead Developer
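Conditions 1 to 3 above depend on live credentials and on the ACLs of the directory itself, so they can only be checked against the domain controller. Condition 4 can be checked offline. The following is an added example for this thread, not Guacamole's code and not something anyone in the thread posted: it reads ldap-user-base-dn, ldap-username-attribute and ldap-user-search-filter from a guacamole.properties fragment and reports, for a handful of constructed AD entries, which half of condition 4 each one fails. The hostname, DNs, account names and attribute values are made up; the filter parser covers only the &, |, !, equality, presence and simple * wildcard forms admins usually write.

```python
"""Offline check of condition 4 above: is an AD entry beneath ldap-user-base-dn
and does it match ldap-user-search-filter? Added example, not Guacamole code;
it talks to no server, and every property value and entry below is constructed."""
import re

# Constructed guacamole.properties fragment; hostname, base DN and filter are assumptions.
PROPERTIES = """\
ldap-hostname: dc01.example.test
ldap-user-base-dn: DC=example,DC=test
ldap-username-attribute: sAMAccountName
ldap-user-search-filter: (&(objectClass=user)(sAMAccountType=805306368))
"""

def ad_entry(dn, name, acct_type, classes=("top", "person", "user")):
    """Build a constructed AD entry carrying just the attributes the filter reads."""
    return {"dn": dn, "objectClass": list(classes), "sAMAccountName": name,
            "sAMAccountType": acct_type}

# 805306368 is SAM_NORMAL_USER_ACCOUNT; 805306369 is SAM_MACHINE_ACCOUNT (a computer).
ENTRIES = [
    ad_entry("CN=jim,OU=Staff,DC=example,DC=test", "jim", "805306368"),
    ad_entry("CN=svc.guacamole,OU=Service Accounts,DC=example,DC=test", "svc.guacamole", "805306368"),
    ad_entry("CN=WS01,OU=Workstations,DC=example,DC=test", "WS01$", "805306369",
             ("top", "person", "user", "computer")),
    ad_entry("CN=ann,OU=Staff,DC=partner,DC=test", "ann", "805306368"),  # outside the base DN
]

def parse_properties(text):
    """guacamole.properties is one 'key: value' per line; '#' starts a comment."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.partition(":") for l in lines if l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def split_dn(dn):
    """Split a DN on unescaped commas; DN components compare case-insensitively."""
    return [rdn.strip().casefold() for rdn in re.split(r"(?<!\\),", dn)]

def under_base(dn, base):
    """True when 'base' is a suffix of 'dn' (the entry sits beneath the base DN)."""
    parts, base_parts = split_dn(dn), split_dn(base)
    return len(parts) >= len(base_parts) and parts[-len(base_parts):] == base_parts

def parse_filter(text):
    """Recursive-descent parser for the RFC 4515 subset admins usually write:
    (&...), (|...), (!...), (attr=value), (attr=*) and (attr=pre*fix)."""
    def node(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|!":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                child, i = node(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError("malformed '%s' filter" % op)
            return (op, children), i + 1
        j = text.index(")", i)  # a value containing ')' would need escaping; not handled
        attr, sep, value = text[i:j].partition("=")
        if not sep:
            raise ValueError("unsupported filter item: %s" % text[i:j])
        return ("=", attr.strip().casefold(), value.strip()), j + 1
    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against an entry whose attribute names are casefolded."""
    op = tree[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    values = entry.get(attr, [])
    if pattern == "*":  # presence filter
        return bool(values)
    # '*' is the only LDAP wildcard; AD compares most attribute values case-insensitively.
    regex = ".*".join(re.escape(p) for p in pattern.casefold().split("*"))
    return any(re.fullmatch(regex, v.casefold()) for v in values)

def normalize(entry):
    """Casefold attribute names and make every value a list, as LDAP results are."""
    return {k.casefold(): (v if isinstance(v, list) else [v]) for k, v in entry.items()}

def check_entry(props, entry):
    """Both halves of condition 4 for one entry; Guacamole's default filter is (objectClass=*)."""
    e = normalize(entry)
    filt = parse_filter(props.get("ldap-user-search-filter", "(objectClass=*)"))
    return {"under_base_dn": under_base(e["dn"][0], props["ldap-user-base-dn"]),
            "matches_filter": matches(filt, e)}

def visible_usernames(props, entries):
    """Usernames (per ldap-username-attribute, default uid) passing both halves of condition 4."""
    attr = props.get("ldap-username-attribute", "uid").casefold()
    return [normalize(e)[attr][0] for e in entries if all(check_entry(props, e).values())]

if __name__ == "__main__":
    for entry in ENTRIES:
        print(entry["dn"], check_entry(parse_properties(PROPERTIES), entry))
```

Feeding the real entries of the 20 missing users (exported with ldapsearch as the same LDAP user guacadmin binds as) into check_entry separates "outside the base DN" from "filtered out" at a glance; an entry that passes both halves here but still does not show in the webui points back at conditions 1 to 3, i.e. the binding user's own rights in the directory.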
 
On Wed, Aug 25, 2021 at 1:54 PM Jim Rx <[email protected]> wrote:
Nick,
 
Thanks for that explanation. You may see from other messages in the thread that the user I was testing with was showing up in the guacamole_user_history table with a user_id of NULL.
 
Without auto-create turned on, I'm confused as to how the accounts that do exist were created. I'm going to have to snapshot this VM and then adjust it to add the auto-create (after I read the reference you provided).
 
Along with that -- how do I verify that the guacamole_user has the proper privileges? I used the grant select,insert,update,delete sql command that many pages suggest... but those changes never stick, even after the flush privileges command.
 
Thanks
 
Jim
 
 
Sent: Wednesday, August 25, 2021 at 3:35 PM
From: "Nick Couchman" <[email protected]>
To: [email protected]
Subject: Re: New Active Directory users not showing in user list
On Wed, Aug 25, 2021 at 4:22 PM Craig Sawyer <[email protected]> wrote:
Huh, if they are logged into Guacamole, then they by definition have a guac account, so I'm confused as to why they aren't showing up in the list. Perhaps someone else here will have some ideas.
 
 
There may be some confusion here as to what it means to "have a guac account." If you've enabled both the MySQL JDBC extension and the LDAP extensions, then users only need to exist in one of these two extensions in order to successfully authenticate. They do not have to be in both, and LDAP users do not have to have an entry in MySQL in order to successfully log in, nor does a successful login mean that the users will be automatically created - unless you enable this feature. See this manual page for more information:
 
 
Looking at the guacamole.properties output that was posted in the original question, I do not see the "mysql-auto-create-accounts" property anywhere, so Guacamole is not creating an entry for these users in the database.
 
Also, it's important to understand that the default "guacadmin" account in the JDBC extensions will have *no visibility* into the LDAP tree to see possible users, unless you happen to have an LDAP user called "guacadmin" with the same password that is in the JDBC account. The LDAP extension leverages LDAP security for both the login and the retrieval of user and group information from LDAP. This tends to trip people up a bit, but it is a very deliberate design of the LDAP extension - it does not use the Search Bind DN for all or even most LDAP operations - it only uses the Search Bind DN to find the user who is trying to log in - once it locates that user, it unbinds and then re-binds as that user account and continues to retrieve other user accounts, LDAP groups, and/or connection information stored in LDAP. This means that, in order to see users, groups, and connections from LDAP, the user logging in to Guacamole needs to be an LDAP user, and needs to successfully bind to LDAP.
 
-Nick
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]