0.9.12 issue with LDAP host groups


evan.hisey
I am using the Docker guacamole containers for 0.9.12 and have them correctly authenticating to LDAP; however, only one user in a guacamole host group is recognized as having access to a host rdp. To wit:

LDAP HOST GROUP:
dn: cn=cee-rdp,cn=groups,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa,dc=gov
objectClass: guacConfigGroup
objectClass: nestedGroup
objectClass: groupOfNames
objectClass: posixGroup
objectClass: ipaUserGroup
objectClass: top
objectClass: ipaObject
cn: cee-rdp
gidNumber: 1370800062
guacConfigProtocol: rdp
ipaUniqueID: 4bd337f4-5ac6-11e7-a3b2-0050568843ac
guacConfigParameter: hostname=nwcal-cee-ti1.nwc.nws.noaa.gov
member: uid=evan.hisey,cn=users,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa,dc=
 gov
member: uid=alt-evan.hisey,cn=users,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa
 ,dc=gov

Console output of container when users login:
20:11:09.908 [http-nio-8080-exec-3] INFO  o.a.g.r.auth.AuthenticationService - User "alt-evan.hisey" successfully authenticated from 10.3.0.30.
20:11:10.150 [http-nio-8080-exec-3] WARN  o.a.g.a.l.c.ConnectionService - guacConfigGroup "cee-rdp" is missing the required "guacConfigProtocol" attribute.
20:11:10.150 [http-nio-8080-exec-3] WARN  o.a.g.a.l.c.ConnectionService - guacConfigGroup "common-dev1-rdp" is missing the required "guacConfigProtocol" attribute.
20:11:19.820 [http-nio-8080-exec-10] INFO  o.a.g.r.auth.AuthenticationService - User "evan.hisey" successfully authenticated from 10.3.0.30.
20:11:20.556 [http-nio-8080-exec-2] INFO  o.a.g.tunnel.TunnelRequestService - User "evan.hisey" connected to connection "cee-rdp".

Both users are in the correct host group, but only the second user actually gets the guacConfigProtocol. I am at a bit of a loss as to what could be causing this.

Re: 0.9.12 issue with LDAP host groups

Mike Jumper
What happens if you query the LDAP directory as each of the users in
question, listing all guacConfigGroup objects?

When a user authenticates with Guacamole via LDAP, Guacamole will
attempt to bind to the LDAP directory using that user's credentials,
and the query retrieving available connections will be executed as
that LDAP user. If something is causing the results of those queries
to be different depending on the user, perhaps running similar queries
as those users manually using a standard LDAP utility will be
revealing.

- Mike


On Wed, Jul 5, 2017 at 12:54 PM, evan.hisey <[hidden email]> wrote:

> I am using the Docker guacamole containers for 0.9.12 and have them correctly
> authenticating to LDAP; however, only one user in a guacamole host group is
> recognized as having access to a host rdp. To wit:
>
> LDAP HOST GROUP:
> dn: cn=cee-rdp,cn=groups,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa,dc=gov
> objectClass: guacConfigGroup
> objectClass: nestedGroup
> objectClass: groupOfNames
> objectClass: posixGroup
> objectClass: ipaUserGroup
> objectClass: top
> objectClass: ipaObject
> cn: cee-rdp
> gidNumber: 1370800062
> guacConfigProtocol: rdp
> ipaUniqueID: 4bd337f4-5ac6-11e7-a3b2-0050568843ac
> guacConfigParameter: hostname=nwcal-cee-ti1.nwc.nws.noaa.gov
> member: uid=evan.hisey,cn=users,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa,dc=
>  gov
> member: uid=alt-evan.hisey,cn=users,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa
>  ,dc=gov
>
> Console output of container when users login:
> 20:11:09.908 [http-nio-8080-exec-3] INFO  o.a.g.r.auth.AuthenticationService
> - User "alt-evan.hisey" successfully authenticated from 10.3.0.30.
> 20:11:10.150 [http-nio-8080-exec-3] WARN  o.a.g.a.l.c.ConnectionService -
> guacConfigGroup "cee-rdp" is missing the required "guacConfigProtocol"
> attribute.
> 20:11:10.150 [http-nio-8080-exec-3] WARN  o.a.g.a.l.c.ConnectionService -
> guacConfigGroup "common-dev1-rdp" is missing the required
> "guacConfigProtocol" attribute.
> 20:11:19.820 [http-nio-8080-exec-10] INFO
> o.a.g.r.auth.AuthenticationService - User "evan.hisey" successfully
> authenticated from 10.3.0.30.
> 20:11:20.556 [http-nio-8080-exec-2] INFO  o.a.g.tunnel.TunnelRequestService
> - User "evan.hisey" connected to connection "cee-rdp".
>
> Both users are in the correct host group, but only the second user actually
> gets the guacConfigProtocol. I am at a bit of a loss as to what could be
> causing this.
>
>
>
> --
> View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/0-9-12-issue-with-LDAP-host-groups-tp1261.html
> Sent from the Apache Guacamole (incubating) - Users mailing list archive at Nabble.com.
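
The manual check suggested in the reply above, as an added example that is not part of the original thread: run the same guacConfigGroup search bound as each user, then summarize which connection attributes each bind could actually read. LDAP_URI is a placeholder, CONFIG_BASE is an assumed search base, the function names are hypothetical, and both sample LDIF views are constructed.

```shell
# Added example, not from the thread. LDAP_URI is a placeholder and CONFIG_BASE
# is an assumed search base; neither is given in the original posts.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"
CONFIG_BASE="${CONFIG_BASE:-cn=groups,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa,dc=gov}"

# List guacConfigGroup objects bound as one user ($1 = bind DN); -W prompts for the password.
query_as() {
  ldapsearch -x -LLL -H "$LDAP_URI" -D "$1" -W -b "$CONFIG_BASE" \
    '(objectClass=guacConfigGroup)' cn guacConfigProtocol guacConfigParameter
}

# Read LDIF on stdin; print "<cn> protocol=<value or MISSING> params=<count>" per entry.
# Folded LDIF lines (continuations start with a single space) are joined first.
summarize_ldif() {
  awk '
    function handle(l) {
      if (l ~ /^cn: /) cn = substr(l, 5)
      else if (l ~ /^guacConfigProtocol: /) proto = substr(l, 21)
      else if (l ~ /^guacConfigParameter: /) params++
    }
    function emit() {
      if (cn != "") printf "%s protocol=%s params=%d\n", cn, (proto == "" ? "MISSING" : proto), params
      cn = ""; proto = ""; params = 0
    }
    /^ / { line = line substr($0, 2); next }   # unfold a continuation line
    { handle(line); line = $0 }                # previous logical line is complete
    /^$/ { emit() }                            # blank line ends an entry
    END { handle(line); emit() }
  ' | sort
}

# Constructed sample: a bind that can read the entry but not its guacConfig* attributes.
sample_restricted_view() {
  cat <<'EOF'
dn: cn=cee-rdp,cn=groups,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa,dc=
 gov
cn: cee-rdp
EOF
}

# Constructed sample: the same entry with the connection attributes visible.
sample_full_view() {
  cat <<'EOF'
dn: cn=cee-rdp,cn=groups,cn=accounts,dc=idm,dc=nwc,dc=nws,dc=noaa,dc=gov
cn: cee-rdp
guacConfigProtocol: rdp
guacConfigParameter: hostname=nwcal-cee-ti1.nwc.nws.noaa.gov
EOF
}
```

Against a live directory, pipe query_as with each user's DN into summarize_ldif and compare the two summaries; an entry that shows protocol=MISSING for one bind but not the other points at what that user is allowed to read rather than at the entry itself. Base64-encoded values (attributes written with "::") are not decoded by this summary.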