We have users being externally authenticated via LDAP, and the LDAP response returns a group name to guacamole, which in turn is associated with a connection group of type 'balancing'. The idea is that we have a pool of machines available, and guacamole will assign an available one to the incoming user. We'd like to use guacamole-trigger (using 1.4.0) to do some setting up on the machine that's been assigned.
The connection group is set so the maximum number of connections is equal to the number of available machines, and maximum connections per user is 1.
A basic test with a START_COMMAND defined in our docker config of "ls -al", just to prove the setup is working, results in users being unable to log in. They are successfully authenticated and are then immediately greeted with this:
I can see in the admin pages that Guac believes there is an active connection from that user to a target machine, but for some reason it looks like a second connection is attempted from the user side. This doesn't happen with the trigger extension disabled.
In the docker logs, I see this for a successful login with the extension disabled:
guacd_compose | guacd[1]: INFO: Creating new client for protocol "rdp"
guacd_compose | guacd[1]: INFO: Connection ID is "$4967804c-837e-45be-887f-9928618e3282"
guacd_compose | guacd[8]: INFO: Security mode: NLA
guacd_compose | guacd[8]: INFO: Resize method: none
guacd_compose | guacd[8]: INFO: No clipboard line-ending normalization specified. Defaulting to preserving the format of all line endings.
guacd_compose | guacd[8]: INFO: User "@2a679446-bbbf-4c44-ad1a-620492fe0634" joined connection "$4967804c-837e-45be-887f-9928618e3282" (1 users now present)
guacd_compose | guacd[8]: INFO: Loading keymap "base"
guacd_compose | guacd[8]: INFO: Loading keymap "en-gb-qwerty"
guacd_compose | guacd[8]: INFO: Connected to RDPDR 1.13 as client 0x0003
guacamole_compose | 08:28:06.550 [http-nio-8080-exec-10] INFO o.a.g.tunnel.TunnelRequestService - User "test1" connected to connection group "1".
guacd_compose | guacd[8]: INFO: Connected to RDPDR 1.13 as client 0x0002
guacd_compose | guacd[8]: INFO: RDPDR user logged on
and with the extension active:
guacd_compose | guacd[1]: INFO: Creating new client for protocol "rdp"
guacd_compose | guacd[1]: INFO: Connection ID is "$05e63756-9aa7-49b4-a604-e8512fc7f1f4"
guacd_compose | guacd[8]: INFO: Security mode: NLA
guacd_compose | guacd[8]: INFO: Resize method: none
guacd_compose | guacd[8]: INFO: No clipboard line-ending normalization specified. Defaulting to preserving the format of all line endings.
guacd_compose | guacd[8]: INFO: User "@720f0588-19c3-4908-830f-233e5a449c15" joined connection "$05e63756-9aa7-49b4-a604-e8512fc7f1f4" (1 users now present)
guacd_compose | guacd[8]: INFO: Loading keymap "base"
guacd_compose | guacd[8]: INFO: Loading keymap "en-gb-qwerty"
guacd_compose | guacd[8]: INFO: Connected to RDPDR 1.13 as client 0x0003
guacamole_compose | 08:29:26.932 [http-nio-8080-exec-4] INFO o.a.g.tunnel.TunnelRequestService - User "test1" connected to connection group "1".
guacamole_compose | 08:29:26.941 [NioProcessor-2] WARN o.a.d.a.l.c.a.l.StoreMatchedDN - MSG_05107_NO_SUCH_OBJECT_MATCHED_DN_NOT_SET ()
guacamole_compose | 08:29:26.944 [NioProcessor-2] WARN o.a.d.a.l.c.a.l.StoreMatchedDN - MSG_05107_NO_SUCH_OBJECT_MATCHED_DN_NOT_SET ()
guacamole_compose | 08:29:26.948 [NioProcessor-2] WARN o.a.d.a.l.c.a.l.StoreMatchedDN - MSG_05107_NO_SUCH_OBJECT_MATCHED_DN_NOT_SET ()
guacamole_compose | 08:29:26.950 [NioProcessor-2] WARN o.a.d.a.l.c.a.l.StoreMatchedDN - MSG_05107_NO_SUCH_OBJECT_MATCHED_DN_NOT_SET ()
guacamole_compose | 08:29:26.953 [http-nio-8080-exec-4] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to guacd failed: can't handle unconfigerd sockets
guacamole_compose | 08:29:27.045 [http-nio-8080-exec-3] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: Cannot connect. Connection group already in use by this user.
guacd_compose | guacd[8]: INFO: Connected to RDPDR 1.13 as client 0x0002
guacd_compose | guacd[8]: INFO: RDPDR user logged on
guacd_compose | guacd[8]: ERROR: User is not responding.
guacd_compose | guacd[8]: INFO: User "@720f0588-19c3-4908-830f-233e5a449c15" disconnected (0 users remain)
guacd_compose | guacd[8]: INFO: Last user of connection "$05e63756-9aa7-49b4-a604-e8512fc7f1f4" disconnected
guacd_compose | guacd[8]: INFO: Internal RDP client disconnected
guacd_compose | guacd[1]: INFO: Connection "$05e63756-9aa7-49b4-a604-e8512fc7f1f4" removed.
Is there anything about our setup which might cause this? Does the extension rely on users being defined within Guac itself, as opposed to authenticated externally?