have got auth-header working - but can't see any "<connection>" options


have got auth-header working - but can't see any "<connection>" options

Jason Haar
Hi there

I've just started playing with guacamole and have successfully got as far as creating a standalone user-profile (ie username/password) in user-mapping.xml - some RDP and SSH sessions - all working fine.

So then I got more adventurous and decided on testing auth-header - as we would run such a beast behind an Apache reverse-proxy - so time to test. Well I've got the Apache server sending "X-User: email@address", and now when I connect I see I am automagically logged in as "email@address" - great! But there's no "profile" (for want of a better term).

So then I edited user-mapping.xml and created a fake account for "email@address" , and cut-n-pasted my working standalone user profile into it (ie the same RDP and SSH "<connection>"'s). Restarted tomcat and - nothing. 

Whatever I try, all I get is an empty profile - no actual terminal services. Also, if I access the account's "Settings", all I get is the turning "cog wheel" - but nothing actually comes up. If I did that on my standalone account, I get to change my default language/etc.

Any ideas what I missed?

Thanks

This is guacamole under CentOS-7, with guacamole-auth-header-0.9.13-incubating.tar.gz

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: have got auth-header working - but can't see any "<connection>" options

vnick
Jason,

On Mon, Oct 9, 2017 at 10:06 PM, Jason Haar <[hidden email]> wrote:
> Hi there
>
> I've just started playing with guacamole and have successfully got as far as creating a standalone user-profile (ie username/password) in user-mapping.xml - some RDP and SSH sessions - all working fine.
>
> So then I got more adventurous and decided on testing auth-header - as we would run such a beast behind an Apache reverse-proxy - so time to test. Well I've got the Apache server sending "X-User: email@address", and now when I connect I see I am automagically logged in as "email@address" - great! But there's no "profile" (for want of a better term).
>
> So then I edited user-mapping.xml and created a fake account for "email@address" , and cut-n-pasted my working standalone user profile into it (ie the same RDP and SSH "<connection>"'s). Restarted tomcat and - nothing.
>
> Whatever I try, all I get is an empty profile - no actual terminal services. Also, if I access the account's "Settings", all I get is the turning "cog wheel" - but nothing actually comes up. If I did that on my standalone account, I get to change my default language/etc.

For the spinning cog wheel of infinity, there's a commit in the git master repo that I believe will fix this issue.  I doubt it's related to the other trouble you're having - the lack of connection mapping.  From what I can tell you're doing things right, so not sure why that isn't working.

I would suggest setting up the JDBC authentication module with a MySQL or PostgreSQL database.  It takes a few minutes longer, and definitely works to layer the JDBC module with the auth-header module (or CAS, LDAP, etc.).  I can't remember if Mike mentioned something recently about the basic user mapping module not working as a layered module or not - I haven't tried it.  Either way, I highly recommend using the JDBC module - particularly if you plan to scale your deployment at all, it'll be much easier to do that with JDBC.

-Nick

Re: have got auth-header working - but can't see any "<connection>" options

Jason Haar
Hi Nick

You hit it on the head - it needs JDBC to work. I figured that out between sending my email and your reply :-/

With the JDBC module in place, I can create an empty user profile, then connect via auth-header and get the mapping. And there is a full-blown connector editor in there too! That needs to be advertised more - that alone is reason enough to use JDBC :-)

Thanks


On Tue, Oct 10, 2017 at 4:03 PM, Nick Couchman <[hidden email]> wrote:
> Jason,
>
> On Mon, Oct 9, 2017 at 10:06 PM, Jason Haar <[hidden email]> wrote:
>> Hi there
>>
>> I've just started playing with guacamole and have successfully got as far as creating a standalone user-profile (ie username/password) in user-mapping.xml - some RDP and SSH sessions - all working fine.
>>
>> So then I got more adventurous and decided on testing auth-header - as we would run such a beast behind an Apache reverse-proxy - so time to test. Well I've got the Apache server sending "X-User: email@address", and now when I connect I see I am automagically logged in as "email@address" - great! But there's no "profile" (for want of a better term).
>>
>> So then I edited user-mapping.xml and created a fake account for "email@address" , and cut-n-pasted my working standalone user profile into it (ie the same RDP and SSH "<connection>"'s). Restarted tomcat and - nothing.
>>
>> Whatever I try, all I get is an empty profile - no actual terminal services. Also, if I access the account's "Settings", all I get is the turning "cog wheel" - but nothing actually comes up. If I did that on my standalone account, I get to change my default language/etc.
>
> For the spinning cog wheel of infinity, there's a commit in the git master repo that I believe will fix this issue.  I doubt it's related to the other trouble you're having - the lack of connection mapping.  From what I can tell you're doing things right, so not sure why that isn't working.
>
> I would suggest setting up the JDBC authentication module with a MySQL or PostgreSQL database.  It takes a few minutes longer, and definitely works to layer the JDBC module with the auth-header module (or CAS, LDAP, etc.).  I can't remember if Mike mentioned something recently about the basic user mapping module not working as a layered module or not - I haven't tried it.  Either way, I highly recommend using the JDBC module - particularly if you plan to scale your deployment at all, it'll be much easier to do that with JDBC.
>
> -Nick



--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
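
The layered setup the thread settles on, sketched as a guacamole.properties fragment. This is an added example, not part of any poster's message and not a file shipped by the Guacamole project. It assumes the MySQL flavour of the JDBC module (Nick also mentions PostgreSQL); the hostname, database name and credentials are placeholders.

```properties
# GUACAMOLE_HOME/guacamole.properties
# Added example: header authentication layered over the MySQL JDBC module.
# Both extension .jar files go in GUACAMOLE_HOME/extensions, and the MySQL
# JDBC driver goes in GUACAMOLE_HOME/lib.

# guacamole-auth-header: take the username from the header the proxy sets.
# If this property is omitted, the header name defaults to REMOTE_USER.
http-auth-header: X-User

# guacamole-auth-jdbc (MySQL): users, connections and permissions live in
# the database. Every value below is a placeholder.
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: CHANGE_ME

# The header extension only establishes who the user is; it stores no
# connections. As described in the thread, create a database user whose
# name matches the header value (e.g. email@address) and grant it the RDP
# and SSH connections; they then appear after the header login.

# The X-User value is trusted as received. Have the reverse proxy overwrite
# any X-User header arriving from the client, and make Tomcat reachable
# only from the proxy.
```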