guacamole-user mailing list archives

From Patrick L Archibald (PLA) ☮ <patrick.archib...@gmail.com>
Subject Re: Apache front end with HTTP Basic authentication Windows AD LDAP - username and password tokens
Date Sat, 05 Nov 2016 22:20:42 GMT
Thanks Mike. I ended up writing an authentication extension for
Guacamole as described in Chapter 18. It sets the username and
password in the GuacamoleConfiguration from the Authorization header
in the servlet request. I see from your explanation I could have just
configured LDAP in Guac and it would have handled that.  My
authentication extension does a lookup for the user's RDP server that
already existed in a database table so at least I didn't have to
modify the LDAP schema. Thanks again. Guac rocks!
R☮ck on, PLA

Patrick L Archibald
http://PatrickArchibald.com


On Sat, Nov 5, 2016 at 2:34 AM, Mike Jumper <mike.jumper@guac-dev.org> wrote:
> On Mon, Oct 31, 2016 at 6:51 AM, Patrick L Archibald (PLA) ☮
> <patrick.archibald@gmail.com> wrote:
>>
>> Hi,
>>
>> Our Intranet is an Apache front end configured with HTTP Basic
>> authentication via LDAP to a Windows AD. Apache uses ProxyPass
>> websocket-tunnel to the Guac Tomcat application server.
>>
>> I would like to pass the HTTP Basic authentication user name and
>> password to Windows 2008 R2 RDS VMs and Windows 7 VMs.
>
>
> Guacamole will do this automatically, at least in part. If the
> "Authorization" header is present from HTTP Basic authentication,
> Guacamole's authentication system will automatically pull the username and
> password and pass them to installed authentication extensions.
>
>>
>> I had noauth-config.xml configured like so:
>
>
> If you want usernames or passwords to have any meaning, using NoAuth (the
> extension which effectively neuters the authentication system) is definitely
> not the way to go. More on this below.
>
>>
>> Before I roll my own authentication, is there a BASIC_USERNAME and
>> BASIC_PASSWORD token?
>>
>
> There are no such tokens, but if there is no true separation of identity
> between the user authenticating via HTTP Basic and the user authenticating
> with the RDP server, I think it would be a mistake to try to force such a
> separation within Guacamole. It would be better to embrace Guacamole's
> concept of a user and credentials, and allow the layers to communicate
> properly.
>
> For an arbitrary user X, you currently have the following layers, connected
> in order:
>
> 1) Proxy (configured to verify and recognize user X)
> 2) Guacamole (configured to not recognize anyone thanks to NoAuth)
> 3) RDP (configured to verify and recognize user X)
>
> The system here breaks down because the middle layer (Guacamole) has been
> explicitly configured to not care about identity. What you should be doing
> instead is:
>
> 1) Proxy (configured to verify and recognize user X)
> 2) Guacamole (configured to verify and recognize user X)
> 3) RDP (configured to verify and recognize user X)
>
> If each layer is configured to verify and recognize the user in the same
> way, then each layer will function as expected, including the behavior of
> things like the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens.
>
>> Any other suggestions?
>>
>
> I'd recommend using the LDAP authentication included with Guacamole, either
> on its own or together with a database. As long as you configure the LDAP
> authentication to use the same Windows AD server as your proxy, the
> username/password within the HTTP Basic authentication will just magically
> work, and users will not need to manually log in.
>
> You would end up with a system which re-verifies the credentials provided,
> and then pulls connection data from elsewhere. If eventually someone manages
> to access your Guacamole server without going through your authenticating
> proxy, Guacamole would itself enforce authentication, and things remain
> secure.
>
> Thanks,
>
> - Mike
>
