[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16826460#comment-16826460 ]

Nick Couchman commented on GUACAMOLE-715:
-----------------------------------------

[~dchuha]: Okay, Mike's updated query for older MySQL versions has been merged into the staging/1.1.0 branch as well as master, so this should be fixed in the git code. It'll also be fixed in 1.1.0 when that gets released.

> Permission management based on LDAP groups not working as documented
> --------------------------------------------------------------------
>
>                 Key: GUACAMOLE-715
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-715
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-jdbc-mysql, guacamole-auth-ldap
>    Affects Versions: 1.0.0
>         Environment: I'm running guacamole in a docker environment using the official base images and a MySQL database. Users are authenticated against an Active Directory server in combination with the MySQL database.
>            Reporter: Micha Kohl
>            Assignee: Michael Jumper
>            Priority: Major
>             Fix For: 1.1.0
>
>
> From the documentation on user groups in 1.0.0 I expected to be able to manage user permissions via LDAP groups like this (using LDAP for authentication and MySQL for configuration management as documented [here|https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database]):
> # Create user group in MySQL with the name of a corresponding user group in the LDAP directory
> # Create connection in MySQL
> # Grant connection permission to the user group created in 1.
> # LDAP users that are part of the LDAP group (in the directory) are able to log in with their LDAP credentials and access that connection
>
> This does not work at all (the user does not even see the connection). In my attempt to narrow down the problem and ensure that I'm not just doing it wrong, I tested the following scenarios:
> # _Having just the LDAP group be mirrored in MySQL by creating an identically named one there_
> -> Login succeeds, but no associated connections are shown.
> # _Having both the LDAP group and the user be mirrored in MySQL by creating identically named entities there without manually linking the two (MySQL user is not part of MySQL user group)_
> -> Login succeeds and guacamole tries to auto-connect to the only available connection/shows all available connections and fails when trying to connect with a permission error.
> # _Having both the LDAP group and the user be mirrored in MySQL by creating identically named entities there and manually adding the MySQL user to the MySQL group_ _(MySQL user is part of MySQL user group)_
> -> Connections are established successfully.
>
> Either there seems to be a big misunderstanding regarding the way the new group system is supposed to work with LDAP, or there's something going wrong here. It goes without saying that scenario 3 completely eliminates the purpose of relying on existing LDAP groups. Scenario 1 is the configuration I outlined above that would allow managing connections based on LDAP groups without having to create any MySQL users whatsoever. Scenario 2 in combination with similar reports on the mailing list led me to believe that this is either based on a common misconception or there's a bug.
>
> Side-Note: While it has been suggested that this is already covered by GUACAMOLE-696, I think this could only be said if this turns out to be expected but poorly documented behavior.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16822613#comment-16822613 ]

Michael Jumper commented on GUACAMOLE-715:
------------------------------------------

It's also worth noting that the non-recursive query is also written to assume the group will have at least one explicit member in the database due to a {{JOIN}} on the {{guacamole_user_group_member}} table.
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16822611#comment-16822611 ]

Michael Jumper commented on GUACAMOLE-715:
------------------------------------------

The specific query that's failing is {{selectEffectiveGroupIdentifiers}} within {{EntityMapper.xml}}. In the MySQL mapping, this query has two implementations based on whether recursive queries are supported.

The non-recursive implementation is failing because it assumes the entity ID will exist (which it doesn't for an LDAP-only user) and is written to only return those groups which explicitly include that entity as a member. This is probably incorrect and should additionally include the groups that are passed in, whether or not those groups explicitly include the current entity.

The recursive query is _not_ failing because it always includes the groups that are explicitly passed in via a {{UNION}} in the query.
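The two query shapes Michael describes in the comments above (the non-recursive fallback that starts from the membership table, and the recursive variant that UNIONs in the groups passed from LDAP), modelled as an added example that is not part of this thread or of the Guacamole code base. It runs in Python against an in-memory sqlite3 database with a cut-down schema: the three tables the thread names (guacamole_entity, guacamole_user_group, guacamole_user_group_member) plus a connection/permission pair (guacamole_connection, guacamole_connection_permission) assumed here so the READ check can be shown end to end. The query text is a reconstruction of the described behaviour, not the contents of EntityMapper.xml, and the group, user and connection names ("rdp-admins", "ops-parent", "alice", "bob", "jump-host") are constructed for the example.

```python
"""Constructed sqlite3 model of the effective-group lookup discussed in GUACAMOLE-715.
The queries model the shapes described in the thread, not the project's EntityMapper.xml."""
import sqlite3

# Cut-down schema: the three tables named in the thread plus an assumed connection/permission pair.
SCHEMA = """
CREATE TABLE guacamole_entity (entity_id INTEGER PRIMARY KEY, name TEXT NOT NULL, type TEXT NOT NULL);
CREATE TABLE guacamole_user_group (user_group_id INTEGER PRIMARY KEY, entity_id INTEGER NOT NULL, disabled INTEGER NOT NULL DEFAULT 0);
CREATE TABLE guacamole_user_group_member (user_group_id INTEGER NOT NULL, member_entity_id INTEGER NOT NULL);
CREATE TABLE guacamole_connection (connection_id INTEGER PRIMARY KEY, connection_name TEXT NOT NULL);
CREATE TABLE guacamole_connection_permission (entity_id INTEGER NOT NULL, connection_id INTEGER NOT NULL, permission TEXT NOT NULL);
"""

# Groups the entity is an explicit member of: starting from the membership table means no entity row (or no members) yields nothing.
EXPLICIT_MEMBERSHIP = """
SELECT guacamole_entity.name
FROM guacamole_user_group_member
JOIN guacamole_user_group ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id
JOIN guacamole_entity ON guacamole_user_group.entity_id = guacamole_entity.entity_id
WHERE guacamole_user_group_member.member_entity_id = ?
  AND guacamole_user_group.disabled = 0
"""

def _placeholders(values):
    return ",".join("?" * len(values)) or "NULL"

def _fixed_sql(ldap_groups):
    # UNION the group names handed over by the LDAP extension, whether or not the
    # database records any membership for them.
    return EXPLICIT_MEMBERSHIP + f"""
UNION
SELECT guacamole_entity.name
FROM guacamole_user_group
JOIN guacamole_entity ON guacamole_user_group.entity_id = guacamole_entity.entity_id
WHERE guacamole_user_group.disabled = 0
  AND guacamole_entity.name IN ({_placeholders(ldap_groups)})
"""

def effective_groups_buggy(conn, entity_id, ldap_groups):
    """Non-recursive fallback as described in the thread: the passed-in groups are ignored."""
    return sorted(r[0] for r in conn.execute(EXPLICIT_MEMBERSHIP, (entity_id,)))

def effective_groups_fixed(conn, entity_id, ldap_groups):
    """Non-recursive lookup that also includes the passed-in groups."""
    return sorted(r[0] for r in conn.execute(_fixed_sql(ldap_groups), (entity_id, *ldap_groups)))

def effective_groups_recursive(conn, entity_id, ldap_groups):
    """Recursive CTE shape: seed with the fixed result, then climb into any group
    that lists one of those groups as a member (nested membership)."""
    sql = f"""
WITH RECURSIVE effective(name) AS (
    {_fixed_sql(ldap_groups)}
    UNION
    SELECT parent_entity.name
    FROM effective
    JOIN guacamole_entity child ON child.name = effective.name AND child.type = 'USER_GROUP'
    JOIN guacamole_user_group_member m ON m.member_entity_id = child.entity_id
    JOIN guacamole_user_group parent ON parent.user_group_id = m.user_group_id
    JOIN guacamole_entity parent_entity ON parent.entity_id = parent_entity.entity_id
    WHERE parent.disabled = 0
)
SELECT name FROM effective"""
    return sorted(r[0] for r in conn.execute(sql, (entity_id, *ldap_groups)))

def can_read_connection(conn, entity_id, ldap_groups, connection_name, resolver):
    """The READ check quoted in the thread: the permission must sit on the user's
    own entity or on one of the effective groups that `resolver` returns."""
    groups = resolver(conn, entity_id, ldap_groups)
    sql = f"""
SELECT 1
FROM guacamole_connection_permission p
JOIN guacamole_connection c ON c.connection_id = p.connection_id
JOIN guacamole_entity e ON e.entity_id = p.entity_id
WHERE c.connection_name = ? AND p.permission = 'READ'
  AND (e.entity_id = ? OR (e.type = 'USER_GROUP' AND e.name IN ({_placeholders(groups)})))
LIMIT 1"""
    return conn.execute(sql, (connection_name, entity_id, *groups)).fetchone() is not None

def seed(conn):
    """Scenario 1 of the report (group mirrored, no database user) plus the scenario 3
    user for contrast. All names are constructed for this example."""
    conn.executescript(SCHEMA)
    # rdp-admins mirrors the LDAP group and has no user members; ops-parent contains
    # rdp-admins as a nested group; bob is a database user explicitly in rdp-admins.
    conn.executemany("INSERT INTO guacamole_entity VALUES (?, ?, ?)",
                     [(1, "rdp-admins", "USER_GROUP"), (2, "ops-parent", "USER_GROUP"), (3, "bob", "USER")])
    conn.executemany("INSERT INTO guacamole_user_group VALUES (?, ?, 0)", [(10, 1), (11, 2)])
    conn.executemany("INSERT INTO guacamole_user_group_member VALUES (?, ?)", [(11, 1), (10, 3)])
    conn.execute("INSERT INTO guacamole_connection VALUES (100, 'jump-host')")
    conn.execute("INSERT INTO guacamole_connection_permission VALUES (1, 100, 'READ')")

def demo():
    conn = sqlite3.connect(":memory:")
    seed(conn)
    alice, alice_groups = None, ["rdp-admins"]  # LDAP-only user: no guacamole_entity row
    return {
        "alice_buggy": can_read_connection(conn, alice, alice_groups, "jump-host", effective_groups_buggy),
        "alice_fixed": can_read_connection(conn, alice, alice_groups, "jump-host", effective_groups_fixed),
        "alice_nested": effective_groups_recursive(conn, alice, alice_groups),
        "bob_buggy": can_read_connection(conn, 3, [], "jump-host", effective_groups_buggy),
    }

if __name__ == "__main__":
    print(demo())
```

Running the module reproduces the three scenarios from the report in miniature: the membership-table query denies the LDAP-only user even though her group holds READ on the connection, the same query with the UNION grants it, and the database user with an explicit membership row passes either way, which is exactly the asymmetry that made scenario 3 work while scenario 1 failed.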
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16822609#comment-16822609 ]

Michael Jumper commented on GUACAMOLE-715:
------------------------------------------

OK - manually overriding the database detection such that my newer MariaDB is handled as if it lacked support for CTEs, I now get the same permission denied result. It looks like there must be a problem with the non-recursive fallback query used for testing user group membership when the MySQL / MariaDB version does not support recursive queries.
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16822607#comment-16822607 ]

Michael Jumper commented on GUACAMOLE-715:
------------------------------------------

{quote}
{code:none}
21:19:48.879 [http-nio-8080-exec-38] DEBUG o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Error connecting WebSocket tunnel.
org.apache.guacamole.GuacamoleSecurityException: Permission denied.
        at org.apache.guacamole.auth.jdbc.connection.ConnectionService.connect(ConnectionService.java:522)
        ...
{code}
{quote}

That particular exception is thrown after falling through due to explicit "READ" permission not being found on the user accessing the connection:

{code:java}
// Connect only if READ permission is granted
if (hasObjectPermission(user, connection.getIdentifier(), ObjectPermission.Type.READ))
    return tunnelService.getGuacamoleTunnel(user, connection, info, tokens);

// The user does not have permission to connect
throw new GuacamoleSecurityException("Permission denied.");
{code}

Tested quickly with my local dev environment with a build from master, MariaDB 10.2.19, and Fedora 28, and things are working. I guess I'll have to retry with the exact same versions as you mentioned and see if it's reproducible.

In your case, there's no other difference between failure and success other than MySQL being used? Same LDAP server, same ldap-* properties, same group, same explicit READ permission grant in the DB, etc.?
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16822600#comment-16822600 ]

Nick Couchman commented on GUACAMOLE-715:
-----------------------------------------

{quote}
What specific MySQL version are you using in your case?
{quote}

* CentOS 7
* MariaDB 5.5.60-1.el7_5
* MySQL Java Connector 5.1.25-3.el7
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16822524#comment-16822524 ]

Michael Jumper commented on GUACAMOLE-715:
------------------------------------------

{quote}
Works fine with PostgreSQL, not sure about SQL Server, though Michael Jumper may have verified that one works correctly earlier?
{quote}

Yep.

{quote}
Guessing there is some nuance related to the MySQL query or the way it returns results that is causing the MySQL JDBC module to fail, but more investigation needed.
{quote}

It's possible that there's something wrong with the MySQL-specific query. I'll test the procedure you list above. What specific MySQL version are you using in your case?
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16822275#comment-16822275 ]

Nick Couchman commented on GUACAMOLE-715:
-----------------------------------------

[~dchuha]: Okay, something is different between PostgreSQL and MySQL. I'm unable to reproduce this at all with PostgreSQL, even with a clean DB/install, but I can reproduce it with MySQL.
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16822141#comment-16822141 ] Nick Couchman commented on GUACAMOLE-715: - [~dchuha]: Well, I tried it both ways, and still cannot reproduce the issue you're seeing. Previously there were a couple of JDBC groups that did have members, even though they weren't guacadmin or any of my LDAP users. However, I removed all groups such that I now have an empty guacamole_user_group_member table: {code} psql (9.2.24) Type "help" for help. guac=> select * from guacamole_user_group_member; user_group_id | member_entity_id ---+-- (0 rows) guac=> SELECT guac-> guacamole_entity.name guac-> FROM guacamole_user_group guac-> JOIN guacamole_entity ON guacamole_user_group.entity_id = guacamole_entity.entity_id guac-> JOIN guacamole_user_group_member ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id; name -- (0 rows) {code} And it still works fine for me with an LDAP user that is not defined in the JDBC extension, but a LDAP group that is defined in JDBC extension. I can both see the connections and actually connect to them - no errors or other issues. > Permission management based on LDAP groups not working as documented > > > Key: GUACAMOLE-715 > URL: https://issues.apache.org/jira/browse/GUACAMOLE-715 > Project: Guacamole > Issue Type: Bug > Components: guacamole-auth-jdbc-mysql, guacamole-auth-ldap >Affects Versions: 1.0.0 > Environment: I'm running guacamole in a docker environment using the > official base images and a MySQL database. Users are authenticated against an > Active Directory server in combination with the MySQL database. 
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16822088#comment-16822088 ]

David Chuha commented on GUACAMOLE-715:
---------------------------------------

[~nick.couch...@yahoo.com]: Thank you. I think adding guacadmin to the group is a valid workaround for me for now.

I'm curious, do you get an empty set back when you query guacamole_user_group_member? This returns an empty set for me since I don't have JDBC users in any of my JDBC groups.

{noformat}
select * from guacamole_user_group_member;
{noformat}

Which then makes this query return an empty set as well (from selectEffectiveGroupIdentifiers).

{noformat}
SELECT
    guacamole_entity.name
FROM guacamole_user_group
JOIN guacamole_entity ON guacamole_user_group.entity_id = guacamole_entity.entity_id
JOIN guacamole_user_group_member ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id;
{noformat}

But adding any user to the group in question causes it to return properly for me (or changing the query to a left join).

You noted you are doing your testing with postgresql and I'm using mysql. I was wondering if there could be a difference there. However, from the EntityMapper.xml, both look to have the constraint on guacamole_user_group_member in the query for selectEffectiveGroupIdentifiers.
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16821994#comment-16821994 ]

David Chuha commented on GUACAMOLE-715:
---------------------------------------

[~nick.couch...@yahoo.com]: I believe I've found the issue. From the debug log during the (sanitized):

{noformat}
17:44:11.240 [http-bio-8080-exec-10] DEBUG o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers - ==> Preparing: SELECT guacamole_entity.name FROM guacamole_user_group JOIN guacamole_entity ON guacamole_user_group.entity_id = guacamole_entity.entity_id JOIN guacamole_user_group_member ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id WHERE guacamole_user_group.disabled = false AND ( guacamole_user_group_member.member_entity_id = ? OR guacamole_user_group_member.member_entity_id IN ( SELECT entity_id FROM guacamole_entity WHERE type = 'USER_GROUP' AND name IN ( ? , ? , ? ) ) OR guacamole_user_group.entity_id IN ( SELECT entity_id FROM guacamole_entity WHERE type = 'USER_GROUP' AND name IN ( ? , ? , ? ) ) )
17:44:11.241 [http-bio-8080-exec-10] DEBUG o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers - ==> Parameters: null, test-rdp-users-1(String), test-rdp-users-2(String), test-rdp-users-3(String), test-rdp-users-1(String), test-rdp-users-2(String), test-rdp-users-3(String)
17:44:11.249 [http-bio-8080-exec-10] DEBUG o.a.g.a.j.b.E.selectEffectiveGroupIdentifiers - <== Total: 0
17:44:11.249 [http-bio-8080-exec-10] DEBUG o.m.g.t.TransactionalMethodInterceptor - [Intercepted method: public java.util.Set org.apache.guacamole.auth.jdbc.base.EntityService.retrieveEffectiveGroups(org.apache.guacamole.auth.jdbc.base.ModeledPermissions,java.util.Collection)] - SqlSession of thread: 27 committing
17:44:11.249 [http-bio-8080-exec-10] DEBUG o.m.g.t.TransactionalMethodInterceptor - [Intercepted method: public java.util.Set org.apache.guacamole.auth.jdbc.base.EntityService.retrieveEffectiveGroups(org.apache.guacamole.auth.jdbc.base.ModeledPermissions,java.util.Collection)] - SqlSession of thread: 27 terminated its life-cycle, closing it
17:44:11.249 [http-bio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - Resetting autocommit to true on JDBC Connection [com.mysql.jdbc.JDBC4Connection@698b9337]
17:44:11.254 [http-bio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - Closing JDBC Connection [com.mysql.jdbc.JDBC4Connection@698b9337]
17:44:11.254 [http-bio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1770754871 ...
17:44:11.258 [http-bio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1770754871 is GOOD!
17:44:11.258 [http-bio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Returned connection 1770754871 to pool.
17:44:11.259 [http-bio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - Opening JDBC Connection
17:44:11.259 [http-bio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Checked out connection 1154201441 from pool.
17:44:11.259 [http-bio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Testing connection 1154201441 ...
17:44:11.264 [http-bio-8080-exec-10] DEBUG o.a.i.d.pooled.PooledDataSource - Connection 1154201441 is GOOD!
17:44:11.264 [http-bio-8080-exec-10] DEBUG o.a.i.t.jdbc.JdbcTransaction - Setting autocommit to false on JDBC Connection [com.mysql.jdbc.JDBC4Connection@44cbb761]
17:44:11.268 [http-bio-8080-exec-10] DEBUG o.a.g.a.j.p.S.selectOne - ==> Preparing: SELECT DISTINCT ? AS entity_id, permission FROM guacamole_system_permission WHERE ( entity_id = ? ) AND permission = ?
17:44:11.268 [http-bio-8080-exec-10] DEBUG o.a.g.a.j.p.S.selectOne - ==> Parameters: null, null, ADMINISTER(String)
17:44:11.273 [http-bio-8080-exec-10] DEBUG o.a.g.a.j.p.S.selectOne - <== Total: 0
{noformat}

The select statement is returning zero results. The issue is that I do not have any JDBC users assigned to the groups specified and so the part of the join with guacamole_user_group_member fails as there are no matches. If I add at least one JDBC user to the JDBC group, it works. So a valid workaround is to add guacadmin to each JDBC group created. In that scenario, the LDAP user does not need to be created in JDBC or assigned to JDBC groups and everything works correctly.

Alternatively, if we make the join with guacamole_user_group_member a left join, it works properly.

{noformat}
SELECT
    guacamole_entity.name
FROM guacamole_user_group
JOIN guacamole_entity ON guacamole_user_group.entity_id = guacamole_entity.entity_id
LEFT JOIN guacamole_user_group_member ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id
{noformat}

I don't know the code base well enough to determine if that is the right approach or if we can even just get rid of the join to guacamole_user_group_member. Its columns aren't used in this query but I'm guessing it was done to filter out jdbc groups that aren't in use which isn't
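The behaviour David describes in this comment and in his follow-up question about an empty guacamole_user_group_member table can be reproduced offline without a Guacamole install. The following is an added example, not code from the thread or from the Guacamole project: it uses Python's bundled sqlite3 module with a reduced, assumed sketch of the three tables the logged query touches (column names follow the query in the log; everything else, including the sample rows, is constructed for the demonstration), runs that query with both the original JOIN and the proposed LEFT JOIN, and passes `None` as the first parameter the way the log shows (`Parameters: null, ...`) for an LDAP-only user with no JDBC entity.

```python
"""Reproduce selectEffectiveGroupIdentifiers returning zero rows when a JDBC
group has no members, and show the LEFT JOIN variant and the "add guacadmin
to the group" workaround side by side.

Added example, not Guacamole project code. The schema below is an assumed,
minimal sketch of the three tables; the rows are constructed sample data.
"""
import sqlite3

# Reduced schema: only the columns the thread's query touches (assumed).
SCHEMA = """
CREATE TABLE guacamole_entity (
    entity_id INTEGER PRIMARY KEY,
    name      TEXT NOT NULL,
    type      TEXT NOT NULL CHECK (type IN ('USER', 'USER_GROUP'))
);
CREATE TABLE guacamole_user_group (
    user_group_id INTEGER PRIMARY KEY,
    entity_id     INTEGER NOT NULL REFERENCES guacamole_entity(entity_id),
    disabled      INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE guacamole_user_group_member (
    user_group_id    INTEGER NOT NULL REFERENCES guacamole_user_group(user_group_id),
    member_entity_id INTEGER NOT NULL REFERENCES guacamole_entity(entity_id),
    PRIMARY KEY (user_group_id, member_entity_id)
);
"""

# The query from the debug log. The join kind is a template slot so the same
# statement can be run both ways; `disabled = false` in the MySQL log is
# written as `disabled = 0` for SQLite.
QUERY = """
SELECT guacamole_entity.name
FROM guacamole_user_group
JOIN guacamole_entity
  ON guacamole_user_group.entity_id = guacamole_entity.entity_id
{join} guacamole_user_group_member
  ON guacamole_user_group.user_group_id = guacamole_user_group_member.user_group_id
WHERE guacamole_user_group.disabled = 0
  AND (
       guacamole_user_group_member.member_entity_id = ?
    OR guacamole_user_group_member.member_entity_id IN (
           SELECT entity_id FROM guacamole_entity
           WHERE type = 'USER_GROUP' AND name IN ({marks}))
    OR guacamole_user_group.entity_id IN (
           SELECT entity_id FROM guacamole_entity
           WHERE type = 'USER_GROUP' AND name IN ({marks}))
  )
"""


def build_db(members):
    """In-memory DB with one JDBC group 'test-rdp-users-1' (entity 2), the
    guacadmin user (entity 1), and the given (user_group_id, member_entity_id)
    membership rows. All rows are constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO guacamole_entity VALUES (?, ?, ?)",
        [(1, "guacadmin", "USER"), (2, "test-rdp-users-1", "USER_GROUP")],
    )
    con.execute("INSERT INTO guacamole_user_group VALUES (1, 2, 0)")
    con.executemany("INSERT INTO guacamole_user_group_member VALUES (?, ?)", members)
    return con


def effective_groups(con, member_entity_id, ldap_group_names, left_join=False):
    """Run the query the way the JDBC extension does.

    member_entity_id: entity id of the logging-in user, or None when the user
        exists only in LDAP (the `Parameters: null, ...` case in the log).
    ldap_group_names: group names the LDAP extension reported for that user;
        they are bound twice, matching the two IN (...) lists in the log.
    Returns the sorted list of JDBC group names considered effective."""
    # MyBatis expands the list for the IN clause; an empty list is rendered
    # here as IN (NULL), which matches nothing, so the SQL stays valid.
    marks = ", ".join("?" * len(ldap_group_names)) or "NULL"
    sql = QUERY.format(join="LEFT JOIN" if left_join else "JOIN", marks=marks)
    params = [member_entity_id, *ldap_group_names, *ldap_group_names]
    return sorted(row[0] for row in con.execute(sql, params))


if __name__ == "__main__":
    names = ["test-rdp-users-1", "test-rdp-users-2", "test-rdp-users-3"]
    empty = build_db([])                 # group exists, nobody is a member
    workaround = build_db([(1, 1)])      # guacadmin added to the group
    print("inner join, no members:   ", effective_groups(empty, None, names))
    print("left join,  no members:   ", effective_groups(empty, None, names, True))
    print("inner join, with guacadmin:", effective_groups(workaround, None, names))
```

The inner join drops the group row before the WHERE clause ever sees it, so the third OR branch (the group's own entity id matching an LDAP group name) never gets a chance to fire; both the LEFT JOIN and the workaround of giving the group at least one JDBC member restore that row. The first parameter being `None` mirrors an LDAP-only user, which is the configuration the issue is about.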
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16821425#comment-16821425 ]

Nick Couchman commented on GUACAMOLE-715:
-----------------------------------------

[~dchuha]: Thanks for confirming. Unfortunately I'm still unable to reproduce this issue, at least with a native install. I'll continue to try out a few things to see what happens.

It is odd that you're able to see the connections within the web interface, but you get the error when trying to establish the tunnel - I'm not really sure what to make of that. I'll continue poking at it to try to find what fails.

Can you post your full catalina.out file somewhere - attach here, or pastebin.com, something like that? If you need to redact stuff, please do that, but it'd be good to see the full set of messages (in debug mode).
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16821214#comment-16821214 ]

David Chuha commented on GUACAMOLE-715:
---------------------------------------

[~nick.couch...@yahoo.com], yes I am able to connect without the permissions error under the following scenarios:

# Using guacadmin
# Using an LDAP account that has been assigned JDBC permissions as administrator
# Using an LDAP account that has been assigned explicit permissions to a resource using JDBC
# Using an LDAP account that has been assigned to a JDBC group that has been assigned permission to a resource

Note that under 1.0.0 I wasn't able to even see the connections under the scenario discussed in this ticket (LDAP user in an LDAP group named identically to a JDBC group that has been assigned permissions to a resource), so at least that part has been fixed for me.

Also, I am using a large/complex Active Directory and was affected by GUACAMOLE-702 (which does fix the login issue) and would also benefit from the fixes in GUACAMOLE-234. Just in case the 1000 result search limit could be affecting this, I restricted the search base and filter enough so that I am not seeing the search limit exceeded errors, but I continue to get the permission error.

I'm also going to set up a second test instance and database and see if I get any different results.
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16820552#comment-16820552 ]

David Chuha commented on GUACAMOLE-715:
---------------------------------------

I'm seeing the permission denied error as well following the steps above:

"You do not have permission to access this connection. If you require access, please ask your system administrator to add you the list of allowed users, or check your system settings."

And from the log file:

{noformat}
server: 12:59:35.419 [http-bio-8443-exec-10] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to guacd failed: Permission denied.
server: 12:59:35.537 [http-bio-8443-exec-4] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: Permission denied.
{noformat}

I am using the MySQL JDBC extension and my steps to reproduce are:

# Clone guacamole-client git repo
# Using master
# Build with "mvn clean package"
# Copy MySQL extension and LDAP extension into /etc/guacamole/extensions folder and configure guacamole.properties.
# Copy guacamole.war file to tomcat webapps folder and start tomcat
# Log in with guacadmin.
# Configure connections
# Create a group in JDBC that matches a group in LDAP
# Assign connection to the created group
# Log out and log in with LDAP user that is a member of the group created in JDBC
# Connections are visible
# When connecting, permission error occurs

Per Tim's comments, I tried dropping the whole database and imported a fresh schema, which did not resolve the issue. Nick, I also tried merging in the pull request for GUACAMOLE-696, which also did not resolve the issue.

My ideal state is as above with no local JDBC user created, but even with a local JDBC user created, I get the permission denied error until I explicitly the JDBC user to the JDBC group.
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16816559#comment-16816559 ]

Michael Jumper commented on GUACAMOLE-715:
------------------------------------------

{quote}
I can confirm that, not only are they visible, but I can connect to them.
{quote}

Just retried this myself and can confirm the same. All seems to be working. I did the following:

# Set up a fresh Guacamole install with SQL Server auth and LDAP pointed at Active Directory
# Initialized the database with the schema and guacadmin user
# Created a test group, test user, and corresponding guacadmin user in Active Directory.
# Added the test user to the test group within Active Directory only.
# Logged in to Guacamole using guacadmin and the password specific to Active Directory
# Created a new connection and granted access to that connection to the test group.
# Logged out and back in as the test user.

At that point, I am automatically and successfully connected to the connection I created.

{quote}
I am not running Docker, I am installing natively.
{quote}

Same, though there shouldn't be any difference so long as the images were rebuilt.
[jira] [Commented] (GUACAMOLE-715) Permission management based on LDAP groups not working as documented
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16816293#comment-16816293 ]

Nick Couchman commented on GUACAMOLE-715:
-----------------------------------------

{quote}
In step 10, can you use the connections that are visible. The connections are visible under that state in 1.0.0, but you get permission denied when connecting.
{quote}

I can confirm that, not only are they visible, but I can connect to them.

{quote}
We're running this in docker, and building there so everything is clean, and with mysql not postgres, and the test was performed on master not staging/1.1.0. I'm just retrying with staging/1.1.0.
{quote}

All of the staging/1.1.0 changes should also be in master, so either one should work. I've confirmed that the master branch includes the GUACAMOLE-715 changes, so should not be a problem there. I'll try the master branch, here, shortly, to make sure.

I am not running Docker, I am installing natively.
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16816290#comment-16816290 ]

Tim Collins commented on GUACAMOLE-715:

Retried with staging/1.1.0 and we get the same result. We see the connections available, but do not have permission when clicking on them.
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16816245#comment-16816245 ]

Nick Couchman commented on GUACAMOLE-715:

I can confirm that this fix works as intended. Here are my steps to reproduce:
# Clone guacamole-client git repo
# Check out staging/1.1.0 branch
# Build with "mvn clean package"
# Copy PostgreSQL extension and LDAP extension into /etc/guacamole/extensions folder and configure guacamole.properties.
# Log in with guacadmin.
# Configure connections
# Create a group in JDBC that matches a group in LDAP
# Assign connection to the created group
# Log out and log in with LDAP user that is a member of the group created in JDBC
# Connections are visible

I'd say retest and make sure that:
* You're cleaning prior to building the code (mvn clean package)
* You're not just replacing the Guacamole WAR but the extension files, as well
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16816235#comment-16816235 ]

Tim Collins commented on GUACAMOLE-715:

Hello there. I've just pulled the latest build and the scenario below is still not possible without the user being a member of both the MYSQL and LDAP groups. [~nick.couch...@yahoo.com] would you be able to confirm whether or not your fix is intended to resolve that?

{quote}
The following works:
# User in both LDAP and database
# Permission granted to group only in database
# User added to group only in LDAP
{quote}
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16752243#comment-16752243 ]

Joel Best commented on GUACAMOLE-715:

{quote}
The following works:
# User in both LDAP and database
# Permission granted to group only in database
# User added to group only in LDAP
{quote}

I haven't been able to get this to work. In my testing I found the user had to be a member of both the MySQL group and the LDAP group in order for the connections to appear.
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16751893#comment-16751893 ]

Michael Jumper commented on GUACAMOLE-715:

This behavior is the result of code in {{JDBCAuthenticationProviderService}} which was not updated to take groups into account:

https://github.com/apache/guacamole-client/blob/d1e928bea79ca81c827e9b6adedabc98eefdf701/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/JDBCAuthenticationProviderService.java#L97-L138

The login process tests whether database data is applicable by querying based on username alone. If no user account exists, the database isn't used for the session. This needs to be updated such that things will work so long as applicable groups exist, or perhaps to not depend on the user or group existing at auth time.
[ https://issues.apache.org/jira/browse/GUACAMOLE-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16751891#comment-16751891 ]

Michael Jumper commented on GUACAMOLE-715:

This is indeed a bug and is not the same as GUACAMOLE-696. Group membership should work as described above, however when combining LDAP with a database the membership seems to only take proper effect if the user exists in both LDAP and the database.

The following works:
# User in both LDAP and database
# Permission granted to group only in database
# User added to group only in LDAP

The following *doesn't* work:
# User in LDAP only
# Permission granted to group only in database
# User added to group only in LDAP

Something in the permission handling on the database side must still be assuming that a database user will exist.
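To make the root cause described in Michael Jumper's two comments above concrete, here is an added example (not Guacamole code) that models the "does the database apply to this login?" decision over a constructed, simplified schema, placing the 1.0.0 username-only check beside a group-aware one and replaying the reporter's three scenarios. The table and object names (db_user, rdp-admins, win-host, alice) are constructed stand-ins, and the model covers only which connections get listed, not the connect-time permission check.

```python
import sqlite3

# Constructed, simplified stand-in for the JDBC extension's tables (not the real schema).
SCHEMA = """
CREATE TABLE db_user (name TEXT PRIMARY KEY);
CREATE TABLE db_group (name TEXT PRIMARY KEY);
CREATE TABLE db_group_member (group_name TEXT, user_name TEXT);
CREATE TABLE connection_permission (grantee TEXT, connection TEXT);
"""


def _names_in(db, sql, names):
    """Run a query with an IN ({marks}) clause over a set of names.
    Only the placeholder count is interpolated; the values themselves are bound."""
    names = sorted(names)
    if not names:
        return set()
    marks = ",".join("?" * len(names))
    return {row[0] for row in db.execute(sql.format(marks=marks), names)}


def database_applies(db, username, ldap_groups, group_aware):
    """Decide whether database-held permissions are consulted for this login.
    group_aware=False models 1.0.0: a user row must match the username.
    group_aware=True models the fix: a matching user OR a database group
    named like one of the user's LDAP groups is enough."""
    if db.execute("SELECT 1 FROM db_user WHERE name = ?", (username,)).fetchone():
        return True
    if not group_aware:
        return False
    return bool(_names_in(db, "SELECT name FROM db_group WHERE name IN ({marks})", ldap_groups))


def visible_connections(db, username, ldap_groups, group_aware):
    """Connections listed for the user: those granted to the user directly, to
    database groups the user is a member of, or to database groups whose name
    matches one of the user's LDAP groups (the documented LDAP + database model)."""
    if not database_applies(db, username, ldap_groups, group_aware):
        return set()  # 1.0.0 never reaches the group grants for an LDAP-only user
    grantees = {username}
    grantees |= _names_in(db, "SELECT group_name FROM db_group_member WHERE user_name IN ({marks})", {username})
    grantees |= _names_in(db, "SELECT name FROM db_group WHERE name IN ({marks})", ldap_groups)
    return _names_in(db, "SELECT connection FROM connection_permission WHERE grantee IN ({marks})", grantees)


def scenario(mirror_user, db_member, group_aware):
    """Constructed fixture for the reporter's scenarios: LDAP group 'rdp-admins' is
    mirrored as a database group holding a grant on connection 'win-host'; LDAP user
    'alice' is a member of that LDAP group and is optionally mirrored as a database
    user (scenario 2) and additionally made a database group member (scenario 3)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO db_group VALUES ('rdp-admins')")
    db.execute("INSERT INTO connection_permission VALUES ('rdp-admins', 'win-host')")
    if mirror_user:
        db.execute("INSERT INTO db_user VALUES ('alice')")
    if db_member:
        db.execute("INSERT INTO db_group_member VALUES ('rdp-admins', 'alice')")
    return visible_connections(db, "alice", {"rdp-admins"}, group_aware)


if __name__ == "__main__":
    cases = {
        "scenario 1: group mirrored, user LDAP-only": (False, False),
        "scenario 2: user and group mirrored, not linked": (True, False),
        "scenario 3: user added to database group": (True, True),
    }
    for label, args in cases.items():
        print(f"{label}: 1.0.0 -> {scenario(*args, False)}, fixed -> {scenario(*args, True)}")
```

Scenario 1 is the "user in LDAP only" case that lists nothing under the username-only check and lists the group's connection once the check is group-aware; scenarios 2 and 3 list it either way because a user row exists.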