guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: guacamole radius
Date Sun, 24 Feb 2019 12:19:15 GMT
On Sun, Feb 24, 2019 at 12:01 AM drhy <dyoung@huntergroup.co.nz> wrote:

> Hi Nick,
>
> A further clarification from PlayerOne and myself.
>
> We have been testing Radius with MySQL and have been able to successfully
> configure a Guacamole Group with Connections attached to it. When we then
> make Guacamole Users members of that Group, only the Users who are
> Guacamole
> Administrators see the Group's Connections. So in practice ordinary
> (non-Admin) Users don't see any Connections. (The Users and the Group match
> the User, Group and Group membership in Active Directory.)
>

It's probably related to one of two currently open issues:

https://issues.apache.org/jira/browse/GUACAMOLE-696
https://issues.apache.org/jira/browse/GUACAMOLE-715

The first issue deals with the fact that group permissions within the
database are not applied to users authenticated under a different
extension.  So, for example, if you have "Group 1" in JDBC, with "User 1"
as a member of that group, you've assigned permissions to "Group 1" for a
certain connection, and "User 1" authenticates with RADIUS, the permissions
assigned to "Group 1" will *not* be applied.  This is a slight nuance in
how permissions are applied, and will likely be tweaked to function more
like how people expect it to work in 1.1.0.  In 1.0.0, you'd have to have "Group
1" present in the RADIUS extension (which doesn't do groups at all, so that
would be difficult), or you'd have to assign permissions directly to "User
1" in the JDBC module.

The second issue is a bug that requires that, for groups matched between
authentication extensions (specifically between LDAP and JDBC), users are
not given the permissions of their group unless they already exist in the JDBC
extension.  This is unintended behavior, and should also be corrected in
1.1.0.

I suspect the scenario you're hitting is the one documented in 696.

-Nick
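The following query is an added example for auditing the situation Nick describes; it is not part of this thread or of the Guacamole project. It assumes the Guacamole 1.0.0 MySQL JDBC schema (guacamole_entity, guacamole_user_group, guacamole_user_group_member, guacamole_connection_permission, guacamole_connection) and does not follow nested group membership; it lists each connection a user can reach only through a group grant, which is exactly the access that GUACAMOLE-696 says will not apply when that user logs in through RADIUS.

```sql
-- Added example; assumes the Guacamole 1.0.0 MySQL schema named above.
-- Users whose READ access to a connection comes ONLY via a group grant.
-- When such a user authenticates through RADIUS rather than the JDBC
-- module, this access is not applied in 1.0.0 (GUACAMOLE-696).
SELECT u.name           AS user_name,
       g.name           AS group_name,
       c.connection_name
FROM guacamole_entity u
JOIN guacamole_user_group_member m
     ON m.member_entity_id = u.entity_id
JOIN guacamole_user_group ug
     ON ug.user_group_id = m.user_group_id
JOIN guacamole_entity g
     ON g.entity_id = ug.entity_id
JOIN guacamole_connection_permission gp
     ON gp.entity_id = g.entity_id
    AND gp.permission = 'READ'
JOIN guacamole_connection c
     ON c.connection_id = gp.connection_id
WHERE u.type = 'USER'
  AND ug.disabled = 0
  -- exclude users who also hold a direct grant on the same connection
  AND NOT EXISTS (
        SELECT 1
        FROM guacamole_connection_permission dp
        WHERE dp.entity_id     = u.entity_id
          AND dp.connection_id = c.connection_id
          AND dp.permission    = 'READ')
ORDER BY u.name, c.connection_name;

-- The 1.0.0 workaround Nick mentions: grant the connection directly to
-- the user in the JDBC module. 'user1' and 'Conn A' are placeholder names.
INSERT INTO guacamole_connection_permission (entity_id, connection_id, permission)
SELECT u.entity_id, c.connection_id, 'READ'
FROM guacamole_entity u
JOIN guacamole_connection c ON c.connection_name = 'Conn A'
WHERE u.type = 'USER' AND u.name = 'user1';
```

Run the first query before and after applying the workaround: a user/connection pair should disappear from the result once the direct grant exists.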
