[
https://issues.apache.org/jira/browse/GUACAMOLE-1239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17886858#comment-17886858
]
Corentin Soriano commented on GUACAMOLE-1239:
---------------------------------------------
[~vnick] I noticed a problem with openid extension on tomcat start :
{code:java}
Oct 4 09:24:16 vm03 server[21227]: 09:24:16.525 [main] DEBUG
o.a.g.extension.ExtensionModule - Reading extension:
"00-guacamole-auth-sso-openid.jar"
Oct 4 09:24:16 vm03 server[21227]: 09:24:16.578 [main] DEBUG
o.a.g.extension.ExtensionClassLoader - Libraries bundled within extension
"/etc/guacamole/extensions/00-guacamole-auth-sso-openid.jar" have been copied
to te
mporary directory
"/var/cache/tomcat/temp/guac-extension-lib-3055119022005830145".
Oct 4 09:24:16 vm03 server[21227]: 09:24:16.583 [main] DEBUG
o.a.g.extension.ExtensionModule - Reading extension:
"02-guacamole-history-recording-storage.jar"
Oct 4 09:24:16 vm03 server[21227]: 09:24:16.585 [main] DEBUG
o.a.g.extension.ExtensionModule - Reading extension:
"01-guacamole-auth-jdbc-mysql.jar"
Oct 4 09:24:16 vm03 server[21227]: 09:24:16.640 [main] DEBUG
o.a.g.extension.ExtensionClassLoader - Libraries bundled within extension
"/etc/guacamole/extensions/01-guacamole-auth-jdbc-mysql.jar" have been copied
to te
mporary directory
"/var/cache/tomcat/temp/guac-extension-lib-6115850144200710151".
Oct 4 09:24:16 vm03 server[21227]: 09:24:16.645 [main] INFO
o.a.g.extension.ExtensionModule - Multiple extensions are installed and will be
loaded in order of decreasing priority:
Oct 4 09:24:16 vm03 server[21227]: 09:24:16.645 [main] INFO
o.a.g.extension.ExtensionModule - - [openid] "OpenID Authentication Extension"
(/etc/guacamole/extensions/00-guacamole-auth-sso-openid.jar)
Oct 4 09:24:16 vm03 server[21227]: 09:24:16.645 [main] INFO
o.a.g.extension.ExtensionModule - - [mysql] "MySQL Authentication"
(/etc/guacamole/extensions/01-guacamole-auth-jdbc-mysql.jar)
Oct 4 09:24:16 vm03 server[21227]: 09:24:16.645 [main] INFO
o.a.g.extension.ExtensionModule - - [recording-storage] "Session Recording
Storage" (/etc/guacamole/extensions/02-guacamole-history-recording-storage.jar)
Oct 4 09:24:16 vm03 server[21227]: 09:24:16.646 [main] INFO
o.a.g.extension.ExtensionModule - To change this order, set the
"extension-priority" property or rename the extension files. The default
priority of extensio
ns is dictated by the sort order of their filenames.
Oct 4 09:24:16 vm03 server[21227]: 09:24:16.646 [main] DEBUG
o.a.g.extension.ExtensionModule - [0] Binding AuthenticationProvider
"org.apache.guacamole.auth.openid.OpenIDAuthenticationProvider".
Oct 4 09:24:16 vm03 server[21227]: 09:24:16.857 [main] ERROR
o.a.g.extension.ProviderFactory - authentication provider extension failed to
start: Unable to create injector, see the following errors:
Oct 4 09:24:16 vm03 server[21227]: 1) [Guice/BindingAlreadySet]: Environment
was bound multiple times.
Oct 4 09:24:16 vm03 server[21227]: Bound at:
Oct 4 09:24:16 vm03 server[21227]: 1 :
SSOAuthenticationProvider$1.configure(SSOAuthenticationProvider.java:115)
Oct 4 09:24:16 vm03 server[21227]: 2 :
OpenIDAuthenticationProviderModule.configure(OpenIDAuthenticationProviderModule.java:46)
Oct 4 09:24:16 vm03 server[21227]: Learn more:
Oct 4 09:24:16 vm03 server[21227]:
https://github.com/google/guice/wiki/BINDING_ALREADY_SET
Oct 4 09:24:16 vm03 server[21227]: 1 error
Oct 4 09:24:16 vm03 server[21227]: ======================
Oct 4 09:24:16 vm03 server[21227]: Full classname legend:
Oct 4 09:24:16 vm03 server[21227]: ======================
Oct 4 09:24:16 vm03 server[21227]: Environment:
"org.apache.guacamole.environment.Environment"
Oct 4 09:24:16 vm03 server[21227]: OpenIDAuthenticationProviderModule:
"org.apache.guacamole.auth.openid.OpenIDAuthenticationProviderModule"
Oct 4 09:24:16 vm03 server[21227]: SSOAuthenticationProvider$1:
"org.apache.guacamole.auth.sso.SSOAuthenticationProvider$1"
Oct 4 09:24:16 vm03 server[21227]: ========================
Oct 4 09:24:16 vm03 server[21227]: End of classname legend:
Oct 4 09:24:16 vm03 server[21227]: ========================
Oct 4 09:24:16 vm03 server[21227]: 09:24:16.858 [main] DEBUG
o.a.g.extension.ProviderFactory -
org.apache.guacamole.auth.openid.OpenIDAuthenticationProvider instantiation
failed.
Oct 4 09:24:16 vm03 server[21227]:
java.lang.reflect.InvocationTargetException: null
Oct 4 09:24:16 vm03 server[21227]: #011at
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method)
Oct 4 09:24:16 vm03 server[21227]: #011at
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
Oct 4 09:24:16 vm03 server[21227]: #011at
java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
Oct 4 09:24:16 vm03 server[21227]: #011at
java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
Oct 4 09:24:16 vm03 server[21227]: #011at
org.apache.guacamole.extension.ProviderFactory.newInstance(ProviderFactory.java:59)
Oct 4 09:24:16 vm03 server[21227]: #011at
org.apache.guacamole.extension.AuthenticationProviderFacade.<init>(AuthenticationProviderFacade.java:90)
Oct 4 09:24:16 vm03 server[21227]: #011at
org.apache.guacamole.extension.ExtensionModule.bindAuthenticationProvider(ExtensionModule.java:234)
{code}
In OpenIDAuthenticationProviderModule.java, I removed line 46 to avoid this
issue but I don't know if this workaround is the right solution :
{code:java}
46 bind(Environment.class).toInstance(environment); {code}
Can you check that please?
> Make usernames case insensitive in DB
> --------------------------------------
>
> Key: GUACAMOLE-1239
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1239
> Project: Guacamole
> Issue Type: Improvement
> Components: Documentation, guacamole-auth-jdbc,
> guacamole-auth-jdbc-mysql, guacamole-auth-jdbc-postgresql, guacamole-auth-ldap
> Reporter: Magnus Lübeck
> Assignee: Nick Couchman
> Priority: Minor
> Fix For: 1.6.0
>
>
> [~cameronp] already summarized this well in GUACAMOLE-404:
>
> Quote:
> "We have ldap auth working for us via active directory. We have issues with
> case senstivity around logins. For example most users have no idea if their
> username is
> User.Name
> or USER.NAME or whatever. - active directory doesnt care about case, and
> neither does ldap authentication.
> But when they log in to guac and do not match the case of their login
> exactly, guac allows them to log in, but they just don't have any machines to
> connect to.
> Wondering if it could be made to either fail the logins if it doesn't match
> correct case, or ignore case when matching the username in the local guac db."
>
> So, when I ran across GUACAMOLE-404, and this email
> [https://www.mail-archive.com/[email protected]/msg03715.html] where
> [~vnick] discuss this topic in depth, I realized that I need to chip in my
> point of view. In the documentation it is mentioned that one can restrict
> user login, to avoid confusion that a user can log in per LDAP but not have
> any connections,
> http://guacamole.incubator.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-restrict.
> I am not sure where I would start lobbying for either asking for a default
> case insensitive username management, or the option to make the
> Postgresql/Mysql/etc usernames case insensitive. I would happily chip in
> time, money, or other stimulus to bring this discussion further.
>
> This writeup from google is a text I have visited from time to time, as I
> think it is well written and makes many points in a clear manner.
> [https://cloud.google.com/blog/products/gcp/12-best-practices-for-user-account]
>
> Point 11: Make user IDs case insensitive
> Quote:
> "Your users don't care and may not even remember the exact case of their
> username. Usernames should be fully case-insensitive. It's trivial to store
> usernames and email addresses in all lowercase and transform any input to
> lowercase before comparing.
> Smartphones represent an ever-increasing percentage of user devices. Most of
> them offer autocorrect and automatic capitalization of plain-text fields.
> Preventing this behavior at the UI level might not be desirable or completely
> effective, and your service should be robust enough to handle an email
> address or username that was unintentionally auto-capitalized."
>
> I had a very long discussion about this with a work colleague today. He has
> to support a group of customers, of which we get a list of CAPITALIZED
> usernames to import into our Active Directory domain controller. These users
> are quite used to work in an environment where they don't have to care. I
> have observed our customers log in and many users either log in with their
> username in lowercase, some log in with their username's first letter
> CAPITALIZED. Very rarely do they log in with all caps.
>
> To make matters a bit worse, is that we integrate Guacamole with oauth2_proxy
> in front of it. Oauth2_proxy sends the users first to our KeyCloak
> installation, which happily authenticates the user with any permutation they
> choose to enter. Since we do want to have the users log into the RDP servers
> with their own credentials they are asked to log in again (a 2nd time, since
> we don't get the password through otherwise). It is very confusing for our
> users that they can log into KeyCloak but not into Guacamole.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
