Posted to user@guacamole.apache.org by drhy <dy...@huntergroup.co.nz> on 2019/02/17 01:40:27 UTC

Re: guacamole radius

Hi Nick,

A small issue I have spotted in my testing of the Master/released version of
1.0.0 with Radius and JDBC/MySQL. The Radius to MySQL hand-off works
perfectly as discussed in this thread, for Users who have directly linked
Connections in MySQL, but where Users in MySQL are linked to a Group which
in turn holds the Connections, then the User is successfully authenticated
but then sees no connections.

-David



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: guacamole radius

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Feb 25, 2019 at 6:38 PM drhy <dy...@huntergroup.co.nz> wrote:

> Hi Nick,
>
> Please be assured that the Radius module in its current form is fantastic -
> thanks to all those authoring and testing it. But being a typical user, I'm
> a little greedy....
>
> Are you saying that the Radius module cannot now, and for 1.1.0 won't be,
> returning Radius (and hence Active Directory) groups for the
> Radius-authenticated user, and therefore doesn't pass groups on to the JDBC
> module?
>
>
- The RADIUS module does not support any user groups, nor will it in 1.1.0.
- However, the issues that I referenced impacting how users are mapped to
groups will get implemented and/or fixed in 1.1.0.  So, once 1.1.0 comes
out you should be able to create users in the JDBC module, add them to
groups, and then log in with another module and have the group-assigned
permissions take effect.

-Nick

Re: guacamole radius

Posted by drhy <dy...@huntergroup.co.nz>.
Hi Nick,

Please be assured that the Radius module in its current form is fantastic -
thanks to all those authoring and testing it. But being a typical user, I'm
a little greedy....

Are you saying that the Radius module cannot now, and for 1.1.0 won't be,
returning Radius (and hence Active Directory) groups for the
Radius-authenticated user, and therefore doesn't pass groups on to the JDBC
module?

Thanks again.

-David




Re: guacamole radius

Posted by PlayerOne <lb...@akdmc.com>.
vnick wrote
> or you'd have to assign permissions directly to "User 1" in the JDBC
> module

In my testing so far this is exactly what I'm experiencing. Permissions only
work if connections are assigned to users. 




Re: guacamole radius

Posted by Nick Couchman <vn...@apache.org>.
On Sun, Feb 24, 2019 at 12:01 AM drhy <dy...@huntergroup.co.nz> wrote:

> Hi Nick,
>
> A further clarification from PlayerOne and myself.
>
> We have been testing Radius with MySQL and have been able to successfully
> configure a Guacamole Group with Connections attached to it. When we then
> make Guacamole Users members of that Group, only the Users who are
> Guacamole Administrators see the Group's Connections. So in practice ordinary
> (non-Admin) Users don't see any Connections. (The Users and the Group match
> the User, Group and Group membership in Active Directory.)
>

It's probably related to one of two currently opened issues:

https://issues.apache.org/jira/browse/GUACAMOLE-696
https://issues.apache.org/jira/browse/GUACAMOLE-715

The first issue deals with the fact that group permissions within the
database are not applied to users authenticated under a different
extension.  So, for example if you have "Group 1" in JDBC, with "User 1"
as a member of that group, you've assigned permissions to "Group 1" for a
certain connection, and "User 1" authenticates with RADIUS, the permissions
assigned to "Group 1" will *not* be applied.  This is a slight nuance in
how permissions are applied, and will likely be tweaked to function more
how people expect it to work in 1.1.0.  In 1.0.0, you'd have to have "Group
1" present in the RADIUS extension (which doesn't do groups at all, so that
would be difficult), or you'd have to assign permissions directly to "User
1" in the JDBC module.

The second issue is a bug that requires that, for groups matched between
authentication extensions (specifically between LDAP and JDBC), users are
not given permissions of their group unless they already exist in the JDBC
extension.  This is unintended behavior, and should also be corrected in
1.1.0.

I suspect the scenario you're hitting is the one documented in 696.

-Nick
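
An added example, not part of the thread or the Guacamole project's code: it lists the users whose READ access to a connection exists only through a JDBC group (the case described above, where the grant is not applied after a RADIUS login in 1.0.0) and applies the direct-grant workaround. The table and column names are assumed to follow the stock 1.0.0 JDBC schema, reduced here to a constructed SQLite subset with constructed sample rows.

```python
import sqlite3

# Assumption: names follow the stock Guacamole 1.0.0 JDBC schema; this is a
# constructed subset with types reduced for SQLite, plus constructed sample rows
# ("User 1" reaches rdp-1 only via "Group 1"; "User 2" also has a direct grant).
SETUP = """
CREATE TABLE guacamole_entity (entity_id INTEGER PRIMARY KEY, name TEXT, type TEXT);
CREATE TABLE guacamole_user_group (user_group_id INTEGER PRIMARY KEY, entity_id INTEGER);
CREATE TABLE guacamole_user_group_member (user_group_id INTEGER, member_entity_id INTEGER);
CREATE TABLE guacamole_connection (connection_id INTEGER PRIMARY KEY, connection_name TEXT);
CREATE TABLE guacamole_connection_permission (entity_id INTEGER, connection_id INTEGER,
    permission TEXT, PRIMARY KEY (entity_id, connection_id, permission));
INSERT INTO guacamole_entity VALUES (1,'User 1','USER'),(2,'User 2','USER'),(3,'Group 1','USER_GROUP');
INSERT INTO guacamole_user_group VALUES (10, 3);
INSERT INTO guacamole_user_group_member VALUES (10, 1), (10, 2);
INSERT INTO guacamole_connection VALUES (100, 'rdp-1');
INSERT INTO guacamole_connection_permission VALUES (3, 100, 'READ'), (2, 100, 'READ');
"""

# READ grants a user holds only through a group (nested groups are not followed).
GROUP_ONLY = """
SELECT u.entity_id, u.name, g.name, c.connection_id, c.connection_name
FROM guacamole_user_group_member m
JOIN guacamole_user_group ug ON ug.user_group_id = m.user_group_id
JOIN guacamole_entity g ON g.entity_id = ug.entity_id
JOIN guacamole_entity u ON u.entity_id = m.member_entity_id AND u.type = 'USER'
JOIN guacamole_connection_permission gp ON gp.entity_id = g.entity_id AND gp.permission = 'READ'
JOIN guacamole_connection c ON c.connection_id = gp.connection_id
WHERE NOT EXISTS (SELECT 1 FROM guacamole_connection_permission dp WHERE dp.entity_id = u.entity_id
                  AND dp.permission = 'READ' AND dp.connection_id = gp.connection_id)
ORDER BY u.name, c.connection_name
"""

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SETUP)
    return db

def group_only_grants(db):
    return db.execute(GROUP_ONLY).fetchall()

def grant_directly(db):
    """Workaround named in the thread: give each affected user a direct READ grant."""
    pairs = {(uid, cid) for uid, _, _, cid, _ in group_only_grants(db)}
    db.executemany("INSERT INTO guacamole_connection_permission VALUES (?, ?, 'READ')", sorted(pairs))
    return len(pairs)

if __name__ == "__main__":
    print(group_only_grants(demo_db()))
```

Direct grants made this way outlive the group membership they were copied from, so they need their own review when a user leaves the group.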

Re: guacamole radius

Posted by drhy <dy...@huntergroup.co.nz>.
Hi Nick,

A further clarification from PlayerOne and myself.

We have been testing Radius with MySQL and have been able to successfully
configure a Guacamole Group with Connections attached to it. When we then
make Guacamole Users members of that Group, only the Users who are Guacamole
Administrators see the Group's Connections. So in practice ordinary
(non-Admin) Users don't see any Connections. (The Users and the Group match
the User, Group and Group membership in Active Directory.) 

Looking forward to 1.1.0 :-)

-David




Re: guacamole radius

Posted by Nick Couchman <vn...@apache.org>.
>
>
> Thanks.
> After a careful re-read of your postings and the JIRA I now realize that if
> both the username and MySQL Group name exist in Active Directory (which
> Radius is authenticating against) and the password is correct, then the
> user will be presented with the Guacamole Connections assigned to the MySQL
> Group.
>
>
Yep - hopefully we'll be able to address this, either by clarifying
documentation or modifying functionality a bit, in 1.1.0.

-Nick

Re: guacamole radius

Posted by drhy <dy...@huntergroup.co.nz>.
Hi Nick 

Thanks.
After a careful re-read of your postings and the JIRA I now realize that if
both the username and MySQL Group name exist in Active Directory (which
Radius is authenticating against) and the password is correct, then the user
will be presented with the Guacamole Connections assigned to the MySQL
Group.

-David




Re: guacamole radius

Posted by Nick Couchman <vn...@apache.org>.
On Sat, Feb 16, 2019 at 8:40 PM drhy <dy...@huntergroup.co.nz> wrote:

> Hi Nick,
>
> A small issue I have spotted in my testing of the Master/released version
> of 1.0.0 with Radius and JDBC/MySQL. The Radius to MySQL hand-off works
> perfectly as discussed in this thread, for Users who have directly linked
> Connections in MySQL, but where Users in MySQL are linked to a Group which
> in turn holds the Connections, then the User is successfully authenticated
> but then sees no connections.
>
>
This is probably related to the following issue:

https://issues.apache.org/jira/browse/GUACAMOLE-696

-Nick