[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16821994#comment-16821994 ]

David Chuha commented on GUACAMOLE-715:
---------------------------------------

[~nick.couch...@yahoo.com]: I believe I've found the issue.  From the debug log 
during the (sanitized):

 
{noformat}
17:44:11.240 [http-bio-8080-exec-10] DEBUG 
o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers - ==> Preparing: SELECT 
guacamole_entity.name FROM guacamole_user_group JOIN guacamole_entity ON 
guacamole_user_group.entity_id = guacamole_entity.entity_id JOIN 
guacamole_user_group_member ON guacamole_user_group.user_group_id = 
guacamole_user_group_member.user_group_id WHERE guacamole_user_group.disabled = 
false AND ( guacamole_user_group_member.member_entity_id = ? OR 
guacamole_user_group_member.member_entity_id IN ( SELECT entity_id FROM 
guacamole_entity WHERE type = 'USER_GROUP' AND name IN ( ? , ? , ? ) ) OR 
guacamole_user_group.entity_id IN ( SELECT entity_id FROM guacamole_entity 
WHERE type = 'USER_GROUP' AND name IN ( ? , ? , ? ) ) )
17:44:11.241 [http-bio-8080-exec-10] DEBUG 
o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers - ==> Parameters: null, 
test-rdp-users-1(String), test-rdp-users-2(String), test-rdp-users-3(String), 
test-rdp-users-1(String), test-rdp-users-2(String), test-rdp-users-3(String)
17:44:11.249 [http-bio-8080-exec-10] DEBUG 
o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers - <== Total: 0
17:44:11.249 [http-bio-8080-exec-10] DEBUG 
o.m.g.t.TransactionalMethodInterceptor - [Intercepted method: public 
java.util.Set<java.lang.String> 
org.apache.guacamole.auth.jdbc.base.EntityService.retrieveEffectiveGroups(org.apache.guacamole.auth.jdbc.base.ModeledPermissions<?
 extends 
org.apache.guacamole.auth.jdbc.base.EntityModel>,java.util.Collection<java.lang.String>)]
 - SqlSession of thread: 27 committing
17:44:11.249 [http-bio-8080-exec-10] DEBUG 
o.m.g.t.TransactionalMethodInterceptor - [Intercepted method: public 
java.util.Set<java.lang.String> 
org.apache.guacamole.auth.jdbc.base.EntityService.retrieveEffectiveGroups(org.apache.guacamole.auth.jdbc.base.ModeledPermissions<?
 extends 
org.apache.guacamole.auth.jdbc.base.EntityModel>,java.util.Collection<java.lang.String>)]
 - SqlSession of thread: 27 terminated its life-cycle, closing it
17:44:11.249 [http-bio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - 
Resetting autocommit to true on JDBC Connection 
[com.mysql.jdbc.JDBC4Connection@698b9337]
17:44:11.254 [http-bio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - 
Closing JDBC Connection [com.mysql.jdbc.JDBC4Connection@698b9337]
17:44:11.254 [http-bio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - 
Testing connection 1770754871 ...
17:44:11.258 [http-bio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - 
Connection 1770754871 is GOOD!
17:44:11.258 [http-bio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - 
Returned connection 1770754871 to pool.
17:44:11.259 [http-bio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - 
Opening JDBC Connection
17:44:11.259 [http-bio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - 
Checked out connection 1154201441 from pool.
17:44:11.259 [http-bio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - 
Testing connection 1154201441 ...
17:44:11.264 [http-bio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - 
Connection 1154201441 is GOOD!
17:44:11.264 [http-bio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - 
Setting autocommit to false on JDBC Connection 
[com.mysql.jdbc.JDBC4Connection@44cbb761]
17:44:11.268 [http-bio-8080-exec-10] DEBUG o.a.g.a.j.p.S.selectOne - ==> 
Preparing: SELECT DISTINCT ? AS entity_id, permission FROM 
guacamole_system_permission WHERE ( entity_id = ? ) AND permission = ?
17:44:11.268 [http-bio-8080-exec-10] DEBUG o.a.g.a.j.p.S.selectOne - ==> 
Parameters: null, null, ADMINISTER(String)
17:44:11.273 [http-bio-8080-exec-10] DEBUG o.a.g.a.j.p.S.selectOne - <== Total: 0
{noformat}
The select statement is returning zero results.  The issue is that I do not 
have any JDBC users assigned to the groups specified and so the part of the 
join with guacamole_user_group_member fails as there are no matches.  If I add 
at least one JDBC user to the JDBC group, it works.  So a valid workaround is 
to add guacadmin to each JDBC group created.  In that scenario, the LDAP user 
does not need to be created in JDBC or assigned to JDBC groups and everything 
works correctly.

Alternatively, if we make the join with guacamole_user_group_member a left 
join, it works properly.

 
{noformat}
SELECT guacamole_entity.name FROM guacamole_user_group JOIN guacamole_entity ON 
guacamole_user_group.entity_id = guacamole_entity.entity_id LEFT JOIN 
guacamole_user_group_member ON guacamole_user_group.user_group_id = 
guacamole_user_group_member.user_group_id
{noformat}
 

I don't know the code base well enough to determine if that is the right 
approach or if we can even just get rid of the join to 
guacamole_user_group_member.  Its columns aren't used in this query but I'm 
guessing it was done to filter out jdbc groups that aren't in use which isn't 
applicable to the mixed authentication setup but I can't say for sure.

[~nick.couch...@yahoo.com], can you reproduce this if you make sure the JDBC 
groups have no JDBC members? Do you want me to raise this as a new issue?

 

> Permission management based on LDAP groups not working as documented
> --------------------------------------------------------------------
>
>                 Key: GUACAMOLE-715
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-715
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-jdbc-mysql, guacamole-auth-ldap
>    Affects Versions: 1.0.0
>         Environment: I'm running guacamole in a docker environment using the 
> official base images and a MySQL database. Users are authenticated against an 
> Active Directory server in combination with the MySQL database.
>            Reporter: Micha Kohl
>            Assignee: Nick Couchman
>            Priority: Major
>             Fix For: 1.1.0
>
>
> From the documentation on user groups in 1.0.0 I expected to be able to 
> manage user permissions via LDAP groups like this (using LDAP for 
> authentication and MySQL for configuration management as documented 
> [here|https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database]):
>  # Create user group in MySQL with the name of a corresponding user group in 
> the LDAP directory 
>  # Create connection in MySQL 
>  # Grant connection permission to the user group created in 1.
>  # LDAP users that are part of the LDAP group (in the directory) are able to 
> log in with their LDAP credentials and access that connection
> This does not work at all (the user does not even see the connection). In my 
> attempt to narrow down the problem and ensure that I'm not just doing it 
> wrong, I tested the following scenarios:
>  # _Having just the LDAP group be mirrored in MySQL by creating an_ 
> _identically named one there_
>  -> Login succeeds, but no associated connections are shown.
>  # _Having both the LDAP group and the user be mirrored in MySQL by creating_ 
> _identically named entities there without manually linking the two (MySQL 
> user is not part of MySQL user group)_
>  -> Login succeeds and guacamole tries to auto-connect to the only available 
> connection/shows all available connections and fails when trying to connect 
> with a permission error.
>  # _Having both the LDAP group and the user be mirrored in MySQL by creating_ 
> _identically named entities there and manually adding the MySQL user to the_ 
> _MySQL group_ _(MySQL user is part of MySQL user group)_
>  -> Connections are established successfully.
> Either there seems to be a big misunderstanding regarding the way the new 
> group system is supposed to work with LDAP, or there's something going wrong 
> here. It goes without saying that scenario 3 completely eliminates the 
> purpose of relying on existing LDAP groups. Scenario 1 is the configuration I 
> outlined above that would allow managing connections based on LDAP groups 
> without having to create any MySQL users whatsoever. Scenario 2 in 
> combination with similar reports on the mailing list led me to believe that 
> this is either based on a common misconception or there's a bug.
> Side-Note: While it has been suggested that this is already covered by 
> GUACAMOLE-696, I think this could only be said if this turns out to be 
> expected but poorly documented behavior. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
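To make the join behaviour in David Chuha's comment reproducible without a Guacamole deployment, the following Python script is an added example (not code from the Guacamole project or from the commenter). It rebuilds a constructed, minimal subset of the three tables named in the logged query (only the columns that query touches; the real schema is assumed to be larger), runs the `selectEffectiveGroupIdentifiers` statement from the debug log against an in-memory SQLite database with the same parameter shape (NULL for the missing JDBC entity id, the LDAP group names bound twice), and compares the logged `JOIN` against the proposed `LEFT JOIN`, with and without the "add a JDBC user to each JDBC group" workaround. `disabled = 0` stands in for `disabled = false` because older SQLite releases lack a `false` literal.

```python
import sqlite3

# Constructed, minimal subset of the Guacamole JDBC schema: only the columns
# the logged query touches (assumption: the real tables have more columns).
SCHEMA = """
CREATE TABLE guacamole_entity (
    entity_id INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    type      TEXT NOT NULL            -- 'USER' or 'USER_GROUP'
);
CREATE TABLE guacamole_user_group (
    user_group_id INTEGER PRIMARY KEY,
    entity_id     INTEGER NOT NULL REFERENCES guacamole_entity(entity_id),
    disabled      INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE guacamole_user_group_member (
    user_group_id    INTEGER NOT NULL REFERENCES guacamole_user_group(user_group_id),
    member_entity_id INTEGER NOT NULL REFERENCES guacamole_entity(entity_id)
);
"""

# The LDAP group names seen in the logged parameters (constructed sample data).
LDAP_GROUPS = ("test-rdp-users-1", "test-rdp-users-2", "test-rdp-users-3")


def effective_groups_sql(member_join):
    """The selectEffectiveGroupIdentifiers query from the debug log, with the
    join to guacamole_user_group_member parameterised: "JOIN" (as logged) or
    "LEFT JOIN" (the change proposed in the comment)."""
    return f"""
    SELECT guacamole_entity.name FROM guacamole_user_group
    JOIN guacamole_entity
        ON guacamole_user_group.entity_id = guacamole_entity.entity_id
    {member_join} guacamole_user_group_member
        ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id
    WHERE guacamole_user_group.disabled = 0 AND (
        guacamole_user_group_member.member_entity_id = ?
        OR guacamole_user_group_member.member_entity_id IN (
            SELECT entity_id FROM guacamole_entity
            WHERE type = 'USER_GROUP' AND name IN (?, ?, ?))
        OR guacamole_user_group.entity_id IN (
            SELECT entity_id FROM guacamole_entity
            WHERE type = 'USER_GROUP' AND name IN (?, ?, ?)))
    """


def build_db(jdbc_member_in_each_group):
    """In-memory database holding three JDBC groups that mirror the LDAP groups.
    With jdbc_member_in_each_group=True a JDBC user 'guacadmin' is added to
    every group (the workaround from the comment); otherwise the groups have
    no JDBC members at all (the failing scenario)."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for name in LDAP_GROUPS:
        cur = con.execute(
            "INSERT INTO guacamole_entity (name, type) VALUES (?, 'USER_GROUP')", (name,))
        con.execute(
            "INSERT INTO guacamole_user_group (entity_id) VALUES (?)", (cur.lastrowid,))
    if jdbc_member_in_each_group:
        admin_id = con.execute(
            "INSERT INTO guacamole_entity (name, type) VALUES ('guacadmin', 'USER')").lastrowid
        group_ids = con.execute("SELECT user_group_id FROM guacamole_user_group").fetchall()
        for (gid,) in group_ids:
            con.execute(
                "INSERT INTO guacamole_user_group_member (user_group_id, member_entity_id) "
                "VALUES (?, ?)", (gid, admin_id))
    con.commit()
    return con


def effective_groups(member_join, jdbc_member_in_each_group):
    """Run the query the way the logged LDAP+JDBC path does for a user with no
    JDBC entity: entity id bound as NULL, LDAP group names bound twice.
    Returns the distinct group names the database reports as effective."""
    con = build_db(jdbc_member_in_each_group)
    params = (None,) + LDAP_GROUPS + LDAP_GROUPS
    rows = con.execute(effective_groups_sql(member_join), params).fetchall()
    con.close()
    return sorted({name for (name,) in rows})


if __name__ == "__main__":
    for join, member in (("JOIN", False), ("JOIN", True), ("LEFT JOIN", False)):
        print(f"{join:9} jdbc_member={member!s:5} -> {effective_groups(join, member)}")
```

The inner join returns nothing for member-less groups because an empty `guacamole_user_group_member` contributes no rows for the join to keep, while the `LEFT JOIN` keeps the group row with NULL member columns, so the third `OR` branch (the group's own entity name matching an LDAP group) can still match. The result is deduplicated with a set because either join form yields one row per member once a group has several members.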