guacamole-user mailing list archives

From vnick <>
Subject Re: CAS Extension
Date Mon, 18 Sep 2017 16:28:12 GMT
richk wrote
> In the docs with regards to the CAS extension it has this line: 
> "This module must be layered on top of other authentication extensions that
> provide connection information, as it only provides user authentication".
> So would I configure the auth-provider property with
> BasicFileAuthenticationProvider as usual, but then specify
> cas-authorization-endpoint and cas-redirect-uri to override the default
> login action to use CAS instead? If so, then can I just specify the
> connection configs in user-mapping.xml as usual too? 
> Is that how it's intended to work? It seems too easy?

Layering just means that you have/use multiple modules.  Guacamole compares
usernames between the modules to "connect" the user accounts between the
modules.  So, you can definitely use the basic file authentication provider
and put usernames and connections in that file, then install the CAS module
and point it at your CAS server, and, as long as the usernames match, it
will pull in the connections for those users from the basic file provider.

However, using the basic file provider for this layering has a couple of
catches.  In particular, when you configure users in the basic file module,
you have to specify a username and password, so you'll need to generate
complex enough passwords that no one would be able to guess them.  Also, the
basic file module requires that you specify connections under the users in
the XML layout.  Unless there's a way to do it that's not documented in the
Guacamole documentation (Mike?), that means that you cannot specify a
connection and then assign it to multiple users - you'd have to copy that
connection specification multiple times under each of the accounts you'd
want it to apply to.

So, if you're layering it's really better to do it with the JDBC module - it
will auto-generate the passwords for the users you create, and you can allow
multiple users to access the same connection without having to create it
multiple times.  You could also do this with the LDAP module if you wanted
to layer CAS with LDAP - IMHO the JDBC module just makes the most sense.


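The two catches described in the reply above (an unguessable password for every user, and the connection copied under every user) can be handled by generating user-mapping.xml from a script. This is an added example, not part of the original message or of the Guacamole project; the usernames, connection name and hostname are constructed, and writing only an MD5 digest of a random throwaway secret (the file's `encoding="md5"` option) is an assumption about how you choose to store the password.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed sample data: usernames must match what CAS returns; the
# connection (name, protocol, hostname) is hypothetical.
CAS_USERS = ["alice", "bob"]
SHARED_CONNECTION = {
    "name": "lab-desktop",
    "protocol": "rdp",
    "params": {"hostname": "rdp.example.internal", "port": "3389"},
}


def build_user_mapping(usernames, connection):
    """Return user-mapping.xml text with `connection` copied under every user."""
    root = ET.Element("user-mapping")
    for username in usernames:
        # 256 bits of randomness. Only the digest is written and the plaintext
        # is discarded, on the assumption that these users sign in through CAS
        # and never need to know this password.
        throwaway = secrets.token_urlsafe(32)
        digest = hashlib.md5(throwaway.encode()).hexdigest()
        auth = ET.SubElement(root, "authorize", username=username,
                             password=digest, encoding="md5")
        # The file format nests connections under a user, so the shared
        # connection has to be repeated for each account.
        conn = ET.SubElement(auth, "connection", name=connection["name"])
        ET.SubElement(conn, "protocol").text = connection["protocol"]
        for key, value in connection["params"].items():
            ET.SubElement(conn, "param", name=key).text = value
    if hasattr(ET, "indent"):  # pretty-print where available (Python 3.9+)
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_user_mapping(CAS_USERS, SHARED_CONNECTION))
```

Regenerate the file whenever the user list or the connection changes, so the repeated connection blocks stay identical.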