guacamole-user mailing list archives

From Dmitry Katsubo <dm...@mail.ru>
Subject Setting up HTTP header authentication
Date Tue, 19 Mar 2019 23:56:13 GMT
Dear Guacamole community,

I am having difficulties setting up the HTTP header authenticator. I have read the manual ([1])
but I still cannot make it work.

First of all, I am not sure whether I should set the "auth-provider" property in
/etc/guacamole/guacamole.properties, e.g. do I need to add:

auth-provider: org.apache.guacamole.auth.header.HTTPHeaderAuthenticationProvider

?

If I leave it unset, I get the following log:

20:38:21.077 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - Loading extension: "guacamole-auth-header-1.0.0.jar"
20:38:21.708 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule - Extension "HTTP Header Authentication Extension" loaded.
20:38:21.914 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - Binding AuthenticationProvider "org.apache.guacamole.auth.file.FileAuthenticationProvider".
...
20:38:35.919 [http-nio-127.0.0.1-8080-exec-5] INFO  o.a.g.r.auth.AuthenticationService - User "admin" successfully authenticated from [10.14.1.22, 127.0.0.1].
20:38:35.922 [http-nio-127.0.0.1-8080-exec-5] DEBUG o.a.g.a.f.FileAuthenticationProvider - Reading user mapping file: "/etc/guacamole/user-mapping.xml"
20:38:35.949 [http-nio-127.0.0.1-8080-exec-5] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "admin".

and after I open Guacamole I see the "admin" user name in the top right corner (hence the HTTP
header authenticator worked OK), but I am not automatically connected to the server. I suppose I
need to add an entry to /etc/guacamole/user-mapping.xml, so I did:

<user-mapping>
    <authorize username="admin">
        <connection name="vnc">
            <protocol>vnc</protocol>
            <param name="hostname">vncserver</param>
            <param name="port">5901</param>
            <param name="password">secret</param>
            <param name="clipboard-encoding">UTF-8</param>
        </connection>
    </authorize>
</user-mapping>

but that does not help (same result after restarting Tomcat). What I want to achieve is that
the authenticated user is automatically connected to the VNC server.

Another note concerning the structure of user-mapping.xml. [2] reads the following:

  Each user is specified with a corresponding <authorize> tag. This tag contains all
authorized connections for that user, each denoted with a <connection> tag.

however, one page before, it provides an example where the <authorize> tag does not necessarily
contain <connection>:

<authorize username="USERNAME" password="PASSWORD">
    <protocol>vnc</protocol>
    <param name="hostname">localhost</param>
    <param name="port">5900</param>
    <param name="password">VNCPASS</param>
</authorize>

So what is the rule: should <authorize> contain <connection> tags or can it also
describe one connection?

Addendum:

The connection prerequisites are certainly correct, as before I was using the NoAuth provider
without any complications:

11:40:29.188 [localhost-startStop-1] DEBUG o.a.g.extension.ExtensionModule - Loading extension: "guacamole-auth-noauth-1.0.0.jar"
11:40:29.319 [localhost-startStop-1] INFO  o.a.g.extension.ExtensionModule - Extension "Disabled Authentication" loaded.
...
12:16:52.343 [http-nio-127.0.0.1-8080-exec-3] INFO  o.a.g.r.auth.AuthenticationService - User "admin" successfully authenticated from [10.14.1.22, 127.0.0.1].
12:16:52.356 [http-nio-127.0.0.1-8080-exec-3] DEBUG o.a.g.a.n.NoAuthenticationProvider - Configuration file "/etc/guacamole/noauth-config.xml" has been modified.
12:16:52.356 [http-nio-127.0.0.1-8080-exec-3] DEBUG o.a.g.a.n.NoAuthenticationProvider - Reading configuration file: "/etc/guacamole/noauth-config.xml"
12:16:52.441 [http-nio-127.0.0.1-8080-exec-3] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "admin".
12:16:53.708 [http-nio-127.0.0.1-8080-exec-12] DEBUG o.a.g.net.InetGuacamoleSocket - Connecting to guacd at localhost:4822.
12:16:53.884 [http-nio-127.0.0.1-8080-exec-12] INFO  o.a.g.tunnel.TunnelRequestService - User "admin" connected to connection "localhost".

[1] http://guacamole.apache.org/doc/gug/header-auth.html
[2] http://guacamole.apache.org/doc/gug/configuring-guacamole.html#basic-auth

Thanks for any help in advance.

-- 
With best regards,
Dmitry
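
An added example, not part of the original message and not Guacamole project code: a small audit of a user-mapping.xml that accepts both layouts quoted in the message and reports, per <authorize> entry, which connections it grants, whether a login password attribute is present, and which connections keep a backend password in clear text. The function names and the combined sample file are constructed for illustration; treating <protocol> placed directly under <authorize> as one unnamed connection is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample combining the two layouts quoted in the message.
SAMPLE = """
<user-mapping>
    <authorize username="admin">
        <connection name="vnc">
            <protocol>vnc</protocol>
            <param name="hostname">vncserver</param>
            <param name="port">5901</param>
            <param name="password">secret</param>
        </connection>
    </authorize>
    <authorize username="USERNAME" password="PASSWORD">
        <protocol>vnc</protocol>
        <param name="hostname">localhost</param>
        <param name="port">5900</param>
        <param name="password">VNCPASS</param>
    </authorize>
</user-mapping>
"""

def _connection(node, name):
    """Collect protocol and direct-child params of a <connection> or <authorize> node."""
    params = {p.get("name"): (p.text or "").strip() for p in node.findall("param")}
    return {"name": name, "protocol": (node.findtext("protocol") or "").strip(),
            "params": params}

def audit_user_mapping(xml_text):
    """Return one record per <authorize> entry, whichever layout it uses."""
    report = []
    for auth in ET.fromstring(xml_text).findall("authorize"):
        conns = [_connection(c, c.get("name")) for c in auth.findall("connection")]
        # Assumption: <protocol> directly under <authorize> describes a single
        # unnamed connection (the second layout quoted in the message).
        if auth.find("protocol") is not None:
            conns.append(_connection(auth, None))
        report.append({
            "username": auth.get("username"),
            "has_login_password": auth.get("password") is not None,
            "connections": conns,
            # Connections whose backend password is stored in clear text in the file.
            "cleartext_secrets": [c["name"] for c in conns if c["params"].get("password")],
        })
    return report

if __name__ == "__main__":
    for entry in audit_user_mapping(SAMPLE):
        print(entry["username"], entry["has_login_password"],
              [(c["name"], c["protocol"]) for c in entry["connections"]],
              entry["cleartext_secrets"])
```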
