Hi Nick, sorry for not appearing by this place... I was busy with other projects.
I have included the jar to validate Tacacs authentication:

    [2023-04-01 01:05:59] [info] 01:05:59.560 [main] INFO o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" (mysql) loaded.
    [2023-04-01 01:05:59] [info] 01:05:59.730 [main] INFO o.a.g.extension.ExtensionModule - Extension "Tacacs Authentication Extension" (guac-tacacs) loaded.

But when I restarted Tomcat, and this new Authentication provider is loaded, an error appears. This is the error:

    [2023-04-01 01:09:33] [info] 01:09:33.810 [http-nio-8080-exec-6] WARN o.a.g.e.AuthenticationProviderFacade - The "tacacs" authentication provider has encountered an internal error which will halt the authentication process. If this is unexpected or you are the developer of this authentication provider, you may wish to enable debug-level logging. If this is expected and you wish to ignore such failures in the future, please set "skip-if-unavailable: tacacs" within your guacamole.properties.
    [2023-04-01 01:09:33] [info] 01:09:33.821 [http-nio-8080-exec-6] ERROR o.a.g.rest.RESTExceptionMapper - An internal error occurred, but did not contain an error message. Enable debug-level logging for details.

In the extensions directory there are two jars: one required for Tacacs authentication and the other for retrieving connection group information (MySQL):

    ls -ltr /etc/guacamole/extensions
    total 6704
    -rw-rw-r-- 1 1001 1001 6102374 dic 29 2021 guacamole-auth-jdbc-mysql-1.4.0.jar
    -rw-r--r-- 1 root root 758237 abr 1 00:43 guacamole-auth-tacacs-1.4.0.jar

What seems to be the trouble?

-Gabriel

-----Original Message-----
From: Nick Couchman <[email protected]>
Sent: Wednesday, March 15, 2023 08:49 AM
To: [email protected]
Subject: Re: Change to the way of authenticating provided by Guacamole

On Tue, Mar 14, 2023 at 7:36 PM Gabriel Huerta Araujo <[email protected]> wrote:
>
> I found class SharedAuthenticationProviderService, which has below
> method(authenticateUser). It receives credentials of Credentials type. Below
> is its definition:
>
>     @Override
>     public AuthenticatedUser authenticateUser(AuthenticationProvider authenticationProvider,
>             Credentials credentials) throws GuacamoleException {
>
>         // Check whether user is authenticating with a valid sharing key
>         AuthenticatedUser user =
>             sharingService.retrieveSharedConnectionUser(authenticationProvider, credentials);
>         if (user != null)
>             return user;
>
>         // Otherwise, unauthorized
>         throw new GuacamoleInvalidCredentialsException("Invalid login",
>             CredentialsInfo.USERNAME_PASSWORD);
>
>     }
>
> By above code, I think I have to make call to Perl invocation before
> retrieving authenticated user, and then compare with it. If their credentials
> are different, to update credentials with Tacacs value using
> updateUserContext function.
>
> How do you see my implementation proposal?

A couple of things:

* I would not look at the SharedAuthenticationProviderService as an example of this - it is fairly complex in creating temporary tokens and authenticating users temporarily. The simplest module out there is probably the guacamole-auth-header module, and it might be a better starting point for you to create a simple authentication extension that will call the Perl script.

* It would be better to avoid trying to change an existing authentication module, you should take the time to fully implement a new one. You can use the header extension as a starting point, but you should take the time to name the classes properly, set up any logging you feel is necessary, etc. Even if you copy the existing header extension and make changes, make sure you rename the classes, remove items that aren't required, etc. It'll help you out in the long run.

-Nick
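
Added example, not part of the original thread and not code from the Guacamole project or from either poster: one way an authentication extension can hand a login to an external Perl helper without a shell, without the password on the command line, and with a timeout. The class name, the helper's stdin and exit-code contract, and the stand-in command in `main` are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.TimeUnit;

/** Added example: runs a hypothetical TACACS helper script without a shell. */
public class TacacsScriptCheck {

    // Assumed contract of the hypothetical helper: it reads the username and
    // the password from stdin, one per line, and exits 0 = accepted,
    // 1 = rejected, anything else = the helper itself failed.
    static boolean check(String[] helperCmd, String user, String pass)
            throws IOException, InterruptedException {

        // Refuse line breaks so a crafted value cannot add an extra stdin line.
        if (user == null || pass == null
                || (user + pass).chars().anyMatch(c -> c == '\n' || c == '\r'))
            return false;

        // Fixed argument vector: no user-supplied value is parsed as a command.
        ProcessBuilder pb = new ProcessBuilder(helperCmd);
        pb.redirectErrorStream(true);
        pb.redirectOutput(ProcessBuilder.Redirect.DISCARD); // needs Java 9+
        Process p = pb.start();

        // The password travels over stdin, so it never appears in the process list.
        try (OutputStream in = p.getOutputStream()) {
            in.write((user + "\n" + pass + "\n").getBytes(StandardCharsets.UTF_8));
        }

        // Bound the wait so a hung helper cannot tie up a request thread.
        if (!p.waitFor(10, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("TACACS helper timed out");
        }

        int rc = p.exitValue();
        if (rc == 0) return true;
        if (rc == 1) return false;
        // Carry a message so the failure is not logged as an empty error.
        throw new IOException("TACACS helper failed, exit code " + rc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the Perl script: accepts only alice/s3cret.
        String[] fake = { "sh", "-c",
            "read -r u; read -r p; [ \"$u\" = alice ] && [ \"$p\" = s3cret ]" };
        System.out.println(check(fake, "alice", "s3cret"));
        System.out.println(check(fake, "alice", "wrong"));
    }
}
```

Inside an extension, a `false` result would map to an invalid-credentials exception and an `IOException` to a server-side exception that keeps the message.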
