guacamole-user mailing list archives

From Mike Jumper <mike.jum...@guac-dev.org>
Subject Re: Radius
Date Tue, 17 Apr 2018 19:07:43 GMT
On Tue, Apr 17, 2018 at 7:08 AM, Nick Couchman <vnick@apache.org> wrote:

> On Tue, Apr 17, 2018 at 12:15 AM, Mike Jumper <mike.jumper@guac-dev.org>
> wrote:
>
>> On Mon, Apr 16, 2018 at 7:27 PM, Fertig, Brian <brian.fertig@philips.com>
>> wrote:
>>
>>> Mike,
>>>
>>>   Once again you and your team are awesome!
>>>
>>
>> Thanks, but to be clear: Apache Guacamole is developed by a community,
>> not by any individual's team.
>>
>>> So I have mysql then failover to radius setup for authentication.  By
>>> leaving mysql 1st and the user trying to authenticate it's not going to
>>> cause conflicts is it?
>>>
>>
>> No, this shouldn't conflict. All extensions will be polled during the
>> authentication process. If any authentication attempt succeeds, that
>> successful attempt is used to identify the user to all other installed
>> extensions. If all attempts fail, then the first failed attempt determines
>> the nature of the login screen presented to the user.
>>
>
> I did see an issue, at one point, where the RADIUS module needed to be
> loaded before other modules in order to work.  I don't remember the
> specific circumstances, but it seems like if authentication failed for a
> user in one of the previous modules the RADIUS module would not even be
> evaluated.  I don't know if this is a bug that should be addressed or just
> an artifact of how the module stacking works with RADIUS, but, if you run
> into issues with this, you might try renaming the RADIUS authentication
> module and reloading Guacamole Client (Tomcat) so that it loads the RADIUS
> module, first.  In my case, I just put a 0 in front of radius -
> guacamole-auth-0-radius.jar - to force it to authenticate with that
> extension before the others.
>

I'm not sure what might be happening to produce that result. The relevant
code handling that part of the auth process is:

https://github.com/apache/guacamole-client/blob/aac9d8795cb257b259259097fff8c540439d746b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java#L163-L179

Each auth provider is tried, in order, with any successful result
overriding the error results of all other auth providers. If no result is
successful, then the first authentication-related exception is rethrown,
defaulting to a standard username/password prompt if there aren't any
explicit failures.

Any non-authentication exception will immediately halt the process, though.

- Mike
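
The polling behaviour described in the message above, as an added example that is not part of the original message and is not Guacamole's code. It is a simplified model: `AuthPollingModel`, `AuthFailure`, `Provider` and the three sample providers are hypothetical stand-ins, and a provider returning an empty `Optional` stands for "no result, no explicit failure".

```java
import java.util.List;
import java.util.Optional;

// Simplified model of the provider-polling logic described in the message.
// Every name here is a hypothetical stand-in, not a Guacamole class.
public class AuthPollingModel {

    // Stand-in for an authentication-related exception (bad or missing credentials).
    static class AuthFailure extends Exception {
        AuthFailure(String msg) { super(msg); }
    }

    // Stand-in for one installed extension: returns an identity, or empty for "no result".
    interface Provider {
        Optional<String> authenticate(String user, String pass) throws Exception;
    }

    static String authenticate(List<Provider> providers, String user, String pass)
            throws Exception {
        AuthFailure firstFailure = null;
        for (Provider p : providers) {
            try {
                Optional<String> result = p.authenticate(user, pass);
                if (result.isPresent())
                    return result.get();   // any success overrides earlier failures
            } catch (AuthFailure e) {
                if (firstFailure == null)
                    firstFailure = e;      // only the first failure is remembered
            }
            // Any other exception type is not caught: it propagates and halts
            // polling, so providers later in the list are never evaluated.
        }
        if (firstFailure != null)
            throw firstFailure;            // first failure shapes the login screen
        throw new AuthFailure("default username/password prompt");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample providers, in load order.
        Provider db = (u, p) -> { throw new AuthFailure("db: invalid credentials"); };
        Provider radius = (u, p) -> Optional.of("radius:" + u);
        Provider broken = (u, p) -> { throw new IllegalStateException("backend unreachable"); };
        System.out.println(authenticate(List.of(db, radius), "alice", "pw"));
        try {
            authenticate(List.of(broken, radius), "alice", "pw");
        } catch (IllegalStateException e) {
            System.out.println("halted before radius: " + e.getMessage());
        }
    }
}
```

In this model the only way an earlier provider keeps a later one from being evaluated is by throwing something other than an authentication failure, so the server log entry for that exception is the thing to look for when load order appears to matter.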
