guacamole-user mailing list archives

From John Hanks <griz...@gmail.com>
Subject Re: HTTP header auth + MySQL
Date Wed, 21 Mar 2018 21:12:12 GMT
I managed to get a different env variable set to the uid without the
kerberos realm with

    RewriteEngine on
    RewriteCond %{LA-U:REMOTE_USER} ^(.+)@.*$ [NC]
    RewriteRule ^.*$ - [E=SUNET_ID:%1]

and the result in the request is:

SUNET_ID = griznog

In guacamole.properties I added

http-auth-header: SUNET_ID

But authentication still fails and it looks like http-auth-header: is not
being honored as I can force the SUNET_ID variable to be set to any
arbitrary string, but the login failure still logs "griznog".

jbh

On Wed, Mar 21, 2018 at 1:32 PM, John Hanks <griznog@gmail.com> wrote:

> Hi Nick,
>
> I believe header authentication is loading properly, I see this in the
> logs:
>
> DEBUG o.a.g.extension.ExtensionModule - [0] Binding
> AuthenticationProvider "org.apache.guacamole.auth.header.HTTPHeaderAuthenticationProvider".
> INFO  o.a.g.extension.ExtensionModule - Extension "HTTP Header
> Authentication Extension" loaded.
>
> I set up an authenticated script to dump CGI environment using the same
> apache config and it shows
>
> REMOTE_USER = griznog@stanford.edu
>
> for my kerberos authenticated connections.
>
> I have created users in guacamole for griznog and griznog@stanford.edu
> (via the gui as guacadmin).
>
> A failed login attempt looks like this in the logs:
>
> server: 12:03:54.687 [http-apr-8080-exec-3] DEBUG
> o.a.i.t.jdbc.JdbcTransaction - Opening JDBC Connection
> server: 12:03:55.084 [http-apr-8080-exec-3] DEBUG
> o.a.i.d.pooled.PooledDataSource - Created connection 1290256496.
> server: 12:03:55.084 [http-apr-8080-exec-3] DEBUG
> o.a.i.d.pooled.PooledDataSource - Testing connection 1290256496 ...
> server: 12:03:55.087 [http-apr-8080-exec-3] DEBUG
> o.a.i.d.pooled.PooledDataSource - Connection 1290256496 is GOOD!
> server: 12:03:55.089 [http-apr-8080-exec-3] DEBUG
> o.a.g.a.j.user.UserMapper.selectOne - ==>  Preparing: SELECT
> guacamole_user.user_id, guacamole_user.username, password_hash,
> password_salt, password_date, disabled, expired, access_window_start,
> access_window_end, valid_from, valid_until, timezone, full_name,
> email_address, organization, organizational_role, MAX(start_date) AS
> last_active FROM guacamole_user LEFT JOIN guacamole_user_history ON
> guacamole_user_history.user_id = guacamole_user.user_id WHERE
> guacamole_user.username = ? GROUP BY guacamole_user.user_id
> server: 12:03:55.119 [http-apr-8080-exec-3] DEBUG
> o.a.g.a.j.user.UserMapper.selectOne - ==> Parameters: griznog(String)
> server: 12:03:55.146 [http-apr-8080-exec-3] DEBUG
> o.a.g.a.j.user.UserMapper.selectOne - <==      Total: 1
> server: 12:03:55.147 [http-apr-8080-exec-3] DEBUG
> o.a.i.t.jdbc.JdbcTransaction - Resetting autocommit to true on JDBC
> Connection [com.mysql.jdbc.JDBC4Connection@4ce7c070]
> server: 12:03:55.148 [http-apr-8080-exec-3] DEBUG
> o.a.i.t.jdbc.JdbcTransaction - Closing JDBC Connection
> [com.mysql.jdbc.JDBC4Connection@4ce7c070]
> server: 12:03:55.148 [http-apr-8080-exec-3] DEBUG
> o.a.i.d.pooled.PooledDataSource - Testing connection 1290256496 ...
> server: 12:03:55.148 [http-apr-8080-exec-3] DEBUG
> o.a.i.d.pooled.PooledDataSource - Connection 1290256496 is GOOD!
> server: 12:03:55.148 [http-apr-8080-exec-3] DEBUG
> o.a.i.d.pooled.PooledDataSource - Returned connection 1290256496 to pool.
> server: 12:03:55.150 [http-apr-8080-exec-3] DEBUG
> o.a.g.a.f.FileAuthenticationProvider - User mapping file
> "/usr/share/tomcat/.guacamole/user-mapping.xml" does not exist and will
> not be read.
> server: 12:03:55.151 [http-apr-8080-exec-3] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from
> [10.210.255.254, ::1] for user "griznog" failed.
>
> I thought it might be that my REMOTE_USER has the kerberos realm attached
> and I've been trying to figure out how to use REMOTE_USER to set a
> different variable with @realm stripped off, but so far my attempts have
> failed.
>
> Thanks,
>
> jbh
>
>
>
> On Wed, Mar 21, 2018 at 9:59 AM, Nick Couchman <vnick@apache.org> wrote:
>
>> On Tue, Mar 20, 2018 at 6:39 PM, John Hanks <griznog@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I have guacamole working with an Apache reverse proxy which does
>>> kerberos authentication and guacamole using HTTP header auth and mysql
>>> (mariaDB on CentOS 7). I'd like to have the user auth with apache and then
>>> have that accepted by guacamole but when I attempt to connect in the logs I
>>> get:
>>>
>>> server: 15:27:03.592 [http-apr-8080-exec-3] WARN
>>> o.a.g.r.auth.AuthenticationService - Authentication attempt from
>>> [10.210.255.254, ::1] for user "griznog" failed.
>>> server: 15:27:09.804 [http-apr-8080-exec-7] WARN
>>> o.a.g.r.auth.AuthenticationService - Authentication attempt from
>>> [10.210.255.254, ::1] for user "griznog" failed.
>>>
>>> I then get the guacamole login screen and can log in with the password
>>> set in the user's entry in the database. I've tried with an empty password
>>> in the database entry for the user, but that fails as well, however with
>>> only one warning in the logs.
>>>
>>> What I would like to do is to have the database just used to store
>>> user/connection info and let the web proxy handle all the authentication.
>>> Is that possible and if so, how do I configure that?
>>>
>>>
>> Do you have the header authentication extension loaded?  Can you verify
>> in your logs that it is loading correctly?
>>
>> Also, if the user is being passed through with some header other than
>> REMOTE_USER, you'll need to configure the header name that is used by the
>> header extension.  See:
>> http://guacamole.apache.org/doc/gug/header-auth.html
>>
>> If you've verified that it's loading, and you're still having issues,
>> then you'll need to post logs and probably your Apache httpd configs back
>> here so we can try to help figure out what's going on.
>>
>> -Nick
>>
>
>
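
Added example, not part of the original message or the Guacamole project: one way to hand the realm-stripped name to Guacamole as an HTTP request header, which is what the header extension's `http-auth-header` property names. It assumes Apache proxies to Tomcat over HTTP with mod_proxy_http; the `/guacamole/` path and the backend URL are placeholders.

```apache
# Added example, not from the thread. Goes in the virtual host that performs
# the Kerberos authentication and proxies to Tomcat. Requires mod_rewrite,
# mod_headers and mod_proxy_http.

# From the message above: copy the authenticated user, minus "@realm",
# into the Apache environment variable SUNET_ID.
RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^(.+)@.*$ [NC]
RewriteRule ^.*$ - [E=SUNET_ID:%1]

# An environment variable stays inside httpd; it is not sent to the backend.
# Drop any SUNET_ID header the client supplied, then set the header from the
# variable only when authentication actually produced one.
RequestHeader unset SUNET_ID
RequestHeader set SUNET_ID "%{SUNET_ID}e" env=SUNET_ID

# Assumed backend location (placeholder; the logs show an HTTP connector on 8080).
ProxyPass        /guacamole/ http://127.0.0.1:8080/guacamole/
ProxyPassReverse /guacamole/ http://127.0.0.1:8080/guacamole/
```

This pairs with the `http-auth-header: SUNET_ID` line in guacamole.properties from the message. Because Guacamole trusts whatever value arrives in that header, the Tomcat connector should accept connections only from the proxy.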
