[
https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16822524#comment-16822524
]
Michael Jumper commented on GUACAMOLE-715:
------------------------------------------
{quote}
Works fine with PostgreSQL, not sure about SQL Server, though Michael Jumper
may have verified that one works correctly earlier?
{quote}
Yep.
{quote}
Guessing there is some nuance related to the MySQL query or the way it returns
results that is causing the MySQL JDBC module to fail, but more investigation
needed.
{quote}
It's possible that there's something wrong with the MySQL-specific query. I'll
test the procedure you list above.
What specific MySQL version are you using in your case?
> Permission management based on LDAP groups not working as documented
> --------------------------------------------------------------------
>
> Key: GUACAMOLE-715
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-715
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-jdbc-mysql, guacamole-auth-ldap
> Affects Versions: 1.0.0
> Environment: I'm running guacamole in a docker environment using the
> official base images and a MySQL database. Users are authenticated against an
> Active Directory server in combination with the MySQL database.
> Reporter: Micha Kohl
> Assignee: Nick Couchman
> Priority: Major
> Fix For: 1.1.0
>
>
> From the documentation on user groups in 1.0.0 I expected to be able to
> manage user permissions via LDAP groups like this (using LDAP for
> authentication and MySQL for configuration management as documented
> [here|https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database]):
> # Create user group in MySQL with the name of a corresponding user group in
> the LDAP directory
> # Create connection in MySQL
> # Grant connection permission to the user group created in 1.
> # LDAP users that are part of the LDAP group (in the directory) are able to
> log in with their LDAP credentials and access that connection
> This does not work at all (the user does not even see the connection). In my
> attempt to narrow down the problem and ensure that I'm not just doing it
> wrong, I tested the following scenarios:
> # _Having just the LDAP group be mirrored in MySQL by creating an_
> _identically named one there_
> -> Login succeeds, but no associated connections are shown.
> # _Having both the LDAP group and the user be mirrored in MySQL by creating_
> _identically named entities there without manually linking the two (MySQL
> user is not part of MySQL user group)_
> -> Login succeeds and guacamole tries to auto-connect to the only available
> connection/shows all available connections and fails when trying to connect
> with a permission error.
> # _Having both the LDAP group and the user be mirrored in MySQL by creating_
> _identically named entities there and manually adding the MySQL user to the_
> _MySQL group_ _(MySQL user is part of MySQL user group)_
> -> Connections are established successfully.
> Either there seems to be a big misunderstanding regarding the way the new
> group system is supposed to work with LDAP, or there's something going wrong
> here. It goes without saying that scenario 3 completely eliminates the
> purpose of relying on existing LDAP groups. Scenario 1 is the configuration I
> outlined above that would allow managing connections based on LDAP groups
> without having to create any MySQL users whatsoever. Scenario 2 in
> combination with similar reports on the mailing list led me to believe that
> this is either based on a common misconception or there's a bug.
> Side-Note: While it has been suggested that this is already covered by
> GUACAMOLE-696, I think this could only be said if this turns out to be
> expected but poorly documented behavior.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
