Hi again,

Please consider the following database data.

guacamole_entity:

 entity_id |  name   | type
-----------+---------+------
         3 | my_user | USER

 entity_id |            name            |    type
-----------+----------------------------+------------
       159 | my_standard_user_group     | USER_GROUP
       160 | my_super_user_group        | USER_GROUP
       161 | my_admin_group             | USER_GROUP

guacamole_user:

 user_id | disabled | expired
---------+----------+---------
       3 | f        | f

guacamole_user_group:

 user_group_id | entity_id | disabled
---------------+-----------+----------
             3 |       161 | f

 user_group_id | entity_id | disabled
---------------+-----------+----------
             2 |       160 | f

 user_group_id | entity_id | disabled
---------------+-----------+----------
             1 |       159 | f

Table guacamole_user_group_member is empty (no records).

Table guacamole_sharing_profile is also empty.

"SELECT * FROM guacamole_system_permission;":

 entity_id |       permission
-----------+-------------------------
         1 | CREATE_CONNECTION
         1 | CREATE_CONNECTION_GROUP
         1 | CREATE_SHARING_PROFILE
         1 | CREATE_USER
         1 | CREATE_USER_GROUP
         1 | ADMINISTER
       161 | CREATE_CONNECTION
       161 | CREATE_CONNECTION_GROUP
       161 | CREATE_SHARING_PROFILE
       161 | CREATE_USER
       161 | CREATE_USER_GROUP
       161 | ADMINISTER

Table guacamole_sharing_profile_permission is empty.


"SELECT connection_id FROM guacamole_connection WHERE connection_name LIKE 
'%my_user_conn%';"

 connection_id
---------------
            85

"SELECT * FROM guacamole_connection_permission WHERE connection_id = '85';":

 entity_id | connection_id | permission
-----------+---------------+------------
         3 |            85 | READ


From the Guacamole client web UI if I edit the user I can see that it doesn't 
belong to any group.
However, I'm "expecting" in a SAML/SSO authenticated system that Guacamole 
should be aware of the user/group relationships.
Is the assumption incorrect?

As far as connections are concerned Guacamole shows a user's "personal" and 
group connections, eg. user with entity_id 3 will see both connection with 
connection_id 85 and connections with group entity_id 159-161.
That works even with an empty guacamole_user_group_member table.
The groups are named just like the ones provisioned by the IdP.

"SELECT * FROM guacamole_connection_permission WHERE entity_id IN ('159', 
'160', '161');":

 entity_id | connection_id | permission
-----------+---------------+------------
       160 |           137 | READ
       160 |           138 | READ
       160 |           139 | READ
       160 |           140 | READ
       160 |           141 | READ
       160 |           142 | READ
       159 |           143 | READ
       159 |           144 | READ

So, what seems to work for connections with SAML/SSO groups doesn't seem to 
work for user/group permissions such as sharing profile, etc.
Is it required to manually associate a user to a group in the guacd database or 
via guacamole client web UI even in the case of "IdP groups" (in my case 
my_user is a member of my_admin_group)?

In any case, I tried to add the user to the group with sharing profile enabled 
via the web UI (not that I'm looking forward to doing this as I don't 
necessarily know or need to know the user/group relationships). I can see that 
the DB table is updated:

"SELECT * FROM guacamole_user_group_member;":

 user_group_id | member_entity_id
---------------+------------------
             3 |                3

However, even after logging out and back in I still can't see the Sharing 
dropdown menu with my_user connected to connection_id 85.

What am I doing wrong?

Regards,

Vieri
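The membership-and-inheritance lookup the message is asking about, as an added example that is not part of the original post or of the Guacamole project: it loads the rows printed above into an in-memory SQLite database (constructed sample data, only the columns the post shows) and resolves which permission rows an entity reaches directly or through the groups in guacamole_user_group_member, nested groups included. The query is a plain recursive join over the schema as printed, not Guacamole's own resolution code; the (entity_id, sharing_profile_id, permission) layout of guacamole_sharing_profile_permission is an assumption, since the post only says that table is empty, and the helper names (load_sample_db, acting_as, effective_permissions, add_group_member) are this example's.

```python
import sqlite3

# Constructed sample: the rows the post prints, loaded into an in-memory SQLite
# database. Only the columns the post shows are modelled, except
# guacamole_sharing_profile_permission, whose (entity_id, sharing_profile_id,
# permission) layout is assumed here because the post only says it is empty.
SCHEMA = """
CREATE TABLE guacamole_entity (entity_id INTEGER PRIMARY KEY, name TEXT, type TEXT);
CREATE TABLE guacamole_user_group (user_group_id INTEGER PRIMARY KEY, entity_id INTEGER, disabled INTEGER);
CREATE TABLE guacamole_user_group_member (user_group_id INTEGER, member_entity_id INTEGER);
CREATE TABLE guacamole_system_permission (entity_id INTEGER, permission TEXT);
CREATE TABLE guacamole_connection_permission (entity_id INTEGER, connection_id INTEGER, permission TEXT);
CREATE TABLE guacamole_sharing_profile_permission (entity_id INTEGER, sharing_profile_id INTEGER, permission TEXT);
"""

SYSTEM_PERMS = ("CREATE_CONNECTION", "CREATE_CONNECTION_GROUP", "CREATE_SHARING_PROFILE",
                "CREATE_USER", "CREATE_USER_GROUP", "ADMINISTER")

SAMPLE_ROWS = {
    "guacamole_entity": [(3, "my_user", "USER"), (159, "my_standard_user_group", "USER_GROUP"),
                         (160, "my_super_user_group", "USER_GROUP"), (161, "my_admin_group", "USER_GROUP")],
    "guacamole_user_group": [(1, 159, 0), (2, 160, 0), (3, 161, 0)],
    "guacamole_user_group_member": [],                 # empty in the post
    "guacamole_system_permission": [(eid, p) for eid in (1, 161) for p in SYSTEM_PERMS],
    "guacamole_connection_permission": [(3, 85, "READ")]
        + [(160, cid, "READ") for cid in range(137, 143)]
        + [(159, 143, "READ"), (159, 144, "READ")],
    "guacamole_sharing_profile_permission": [],        # empty in the post
}

# permission table -> column naming the object the permission is on (None for system)
PERMISSION_TABLES = {
    "guacamole_system_permission": None,
    "guacamole_connection_permission": "connection_id",
    "guacamole_sharing_profile_permission": "sharing_profile_id",
}

# Recursive CTE: the entity itself, plus the entity_id of every enabled group it
# is a member of, repeated so that nested groups (a group that is itself a
# member of another group) are reached too. UNION de-duplicates and therefore
# terminates on membership cycles.
ACTING_AS = """
WITH RECURSIVE acting_as(entity_id) AS (
    SELECT :eid
    UNION
    SELECT g.entity_id
      FROM guacamole_user_group_member m
      JOIN guacamole_user_group g ON g.user_group_id = m.user_group_id
      JOIN acting_as a ON a.entity_id = m.member_entity_id
     WHERE g.disabled = 0
)
"""


def load_sample_db():
    """Build the in-memory database from the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        if rows:
            marks = ",".join("?" * len(rows[0]))
            db.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return db


def add_group_member(db, user_group_id, member_entity_id):
    """The row the web UI wrote in the post corresponds to add_group_member(db, 3, 3)."""
    db.execute("INSERT INTO guacamole_user_group_member VALUES (?, ?)",
               (user_group_id, member_entity_id))


def acting_as(db, entity_id):
    """Sorted entity ids the entity acts as: itself and every (nested) group."""
    rows = db.execute(ACTING_AS + "SELECT entity_id FROM acting_as", {"eid": entity_id})
    return sorted(r[0] for r in rows)


def effective_permissions(db, table, entity_id):
    """Rows of `table` granted to the entity directly or through a group.

    Returns sorted (object_id, permission, granted_to_entity) tuples; object_id
    is None for system permissions. The table name is checked against the
    allow-list above because it is interpolated into the SQL text.
    """
    if table not in PERMISSION_TABLES:
        raise ValueError(f"unknown permission table {table!r}")
    col = PERMISSION_TABLES[table]
    obj = f"p.{col}" if col else "NULL"
    rows = db.execute(ACTING_AS + f"""
        SELECT {obj}, p.permission, p.entity_id
          FROM {table} p
          JOIN acting_as a ON a.entity_id = p.entity_id""", {"eid": entity_id})
    return sorted(tuple(r) for r in rows)


if __name__ == "__main__":
    db = load_sample_db()
    for label in ("before", "after"):
        print(label, "membership row; entity 3 acts as", acting_as(db, 3))
        for t in PERMISSION_TABLES:
            print("   ", t, effective_permissions(db, t, 3))
        if label == "before":
            add_group_member(db, 3, 3)
```

Run stand-alone, it prints the resolution for entity 3 before and after the (3, 3) membership row. In the data shown, that row makes entity 3 inherit the six system permissions of entity 161, but no connection or sharing-profile rows, because 161 holds none of either; a sharing-profile grant would have to exist in guacamole_sharing_profile_permission for some entity in the membership chain before this query, or any inheritance based on that table, could return one.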