[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16821214#comment-16821214 ]
David Chuha commented on GUACAMOLE-715: --------------------------------------- [~nick.couch...@yahoo.com], yes I am able to connect without the permissions error under the following scenarios: # Using guacadmin # Using an LDAP account that has been assigned JDBC permissions as administrator # Using an LDAP account that has been assigned explicit permissions to a resource using JDBC # Using an LDAP account that has been assigned to a JDBC group that has been assigned permission to a resource Note that under 1.0.0 I wasn't able to even see the connections under the scenario discussed in this ticket (LDAP user in an LDAP group named identically to a JDBC group that has been assigned permissions to a resource) which at least that part has been fixed for me. Also, I am using a large/complex active directory and was affected by GUACAMOLE-702 (which does fix the login issue) and would also benefit from the fixes in GUACAMOLE-234. Just in case the 1000 result search limit could be affecting this, I restricted the search base and filter enough so that I am not seeing the search limit exceeded errors but I continue to get the permission error. I'm also going to setup a second test instance and database and see if I get any different results. > Permission management based on LDAP groups not working as documented > -------------------------------------------------------------------- > > Key: GUACAMOLE-715 > URL: https://issues.apache.org/jira/browse/GUACAMOLE-715 > Project: Guacamole > Issue Type: Bug > Components: guacamole-auth-jdbc-mysql, guacamole-auth-ldap > Affects Versions: 1.0.0 > Environment: I'm running guacamole in a docker environment using the > official base images and a MySQL database. Users are authenticated against an > Active Directory server in combination with the MySQL database. > Reporter: Micha Kohl > Assignee: Nick Couchman > Priority: Major > Fix For: 1.1.0 > > > From the documentation on user groups in 1.0.0 I expected to be able to > manage user permissions via LDAP groups like this (using LDAP for > authentication and MySQL for configuration management as documented > [here|https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database]): > # Create user group in MySQL with the name of a corresponding user group in > the LDAP directory > # Create connection in MySQL > # Grant connection permission to the user group created in 1. > # LDAP users that are part of the LDAP group (in the directory) are able to > log in with their LDAP credentials and access that connection > This does not work at all (the user does not even see the connection). In my > attempt to narrow down the problem and ensure that I'm not just doing it > wrong, I tested the following scenarios: > # _Having just the LDAP group be mirrored in MySQL by creating an_ > _identically named one there_ > -> Login succeeds, but no associated connections are shown. > # _Having both the LDAP group and the user be mirrored in MySQL by creating_ > _identically named entities there without manually linking the two (MySQL > user is not part of MySQL user group)_ > -> Login succeeds and guacamole tries to auto-connect to the only available > connection/shows all available connections and fails when trying to connect > with a permission error. > # _Having both the LDAP group and the user be mirrored in MySQL by creating_ > _identically named entities there and manually adding the MySQL user to the_ > _MySQL group_ _(MySQL user is part of MySQL user group)_ > -> Connections are established successfully. > Either there seems to be a big misunderstanding regarding the way the new > group system is supposed to work with LDAP, or there's something going wrong > here. It goes without saying that scenario 3 completely eliminates the > purpose of relying on existing LDAP groups. Scenario 1 is the configuration I > outlined above that would allow managing connections based on LDAP groups > without having to create any MySQL users whatsoever. Scenario 2 in > combination with similar reports on the mailing list led me to believe that > this is either based on a common misconception or there's a bug. > Side-Note: While it has been suggested that this is already covered by > GUACAMOLE-696, I think this could only be said if this turns out to be > expected but poorly documented behavior. -- This message was sent by Atlassian JIRA (v7.6.3#76005)