guacamole-commits mailing list archives

From "Michael Jumper (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (GUACAMOLE-70) Add option to restrict access to users within database
Date Wed, 03 Aug 2016 22:50:21 GMT

    [ https://issues.apache.org/jira/browse/GUACAMOLE-70?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15406761#comment-15406761 ]

Michael Jumper commented on GUACAMOLE-70:
-----------------------------------------

I've implemented new "postgresql-user-required" and "mysql-user-required" properties which
enable this functionality via commit [d8d7b2c|https://github.com/mike-jumper/incubator-guacamole-client/commit/d8d7b2c458875a7ba0f25f45a5a190e2eb91a0ac]
on incubator-guacamole-client. When set to "true", authentication is canceled for users which
do not have corresponding entries in the database.

Should probably hold off on the pull request, however, to ensure we don't just keep increasing
the testing surface of 0.9.10-incubating... That release is going to be enormous enough already.

> Add option to restrict access to users within database
> ------------------------------------------------------
>
>                 Key: GUACAMOLE-70
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-70
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-jdbc
>            Reporter: Michael Jumper
>            Assignee: Michael Jumper
>
> The LDAP and database authentication backends have been usable together since [GUAC-586|https://glyptodon.org/jira/browse/GUAC-586],
> but this still causes trouble in the case that only LDAP users that *also* exist within the
> database should have access.
>
> There are cases where large deployments of Guacamole involve a large LDAP tree that contains
> many users, only a subset of which should be granted access to Guacamole. Restructuring the
> LDAP tree to ensure that only certain users can log in to Guacamole is not always feasible.
> Rather than universally granting access so long as LDAP accepts the credentials, the database
> authentication should provide an option to deny access to authenticated users if they do not
> also have associated data in the database.
>
> It has been verified that extensions can indeed reject an otherwise positive authentication
> result from a different extension.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
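
The access decision discussed in this message, as an added example that is not part of the original message and is not Guacamole's code: a simplified Python model in which one backend accepts the credentials and any backend may then veto the login. The class names, the `decide` helper and the sample accounts are assumptions made for illustration; the `user_required` flag stands in for the "mysql-user-required" / "postgresql-user-required" properties.

```python
# Simplified model (added example, not Guacamole code): one backend accepts
# the credentials, then every backend gets a chance to veto the login.

class AuthVeto(Exception):
    """Raised by a backend to cancel an otherwise successful login."""

class LdapBackend:
    def __init__(self, directory):
        self.directory = directory              # constructed sample: {username: password}

    def authenticate(self, username, password):
        # Guard against None so a missing account never matches a missing password.
        return password is not None and self.directory.get(username) == password

    def review(self, username):
        pass                                    # LDAP never vetoes in this model

class DatabaseBackend:
    def __init__(self, db_users, user_required=False):
        self.db_users = set(db_users)
        self.user_required = user_required      # stands in for *-user-required

    def authenticate(self, username, password):
        return False                            # assumption: DB rows carry no password here

    def review(self, username):
        # Fail closed: with the flag set, no database entry means no access.
        if self.user_required and username not in self.db_users:
            raise AuthVeto(f"{username} has no database entry")

def login(backends, username, password):
    """Return True only if some backend accepts and no backend vetoes."""
    if not any(b.authenticate(username, password) for b in backends):
        return False
    try:
        for backend in backends:
            backend.review(username)
    except AuthVeto:
        return False
    return True

# Constructed sample data: bob is in LDAP only, carol is in the database only.
LDAP = LdapBackend({"alice": "pw-a", "bob": "pw-b"})

def decide(user_required, username, password):
    db = DatabaseBackend({"alice", "carol"}, user_required)
    return login([LDAP, db], username, password)
```

In this model a database entry only narrows access: it never grants a login that LDAP has refused.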
