Mailing-List: contact user-help@guacamole.incubator.apache.org; run by ezmlm
Precedence: bulk
Reply-To: user@guacamole.incubator.apache.org
MIME-Version: 1.0
In-Reply-To: <1505748231686-0.post@n4.nabble.com>
References: <1505748231686-0.post@n4.nabble.com>
From: Mike Jumper <mike.jumper@guac-dev.org>
Date: Mon, 18 Sep 2017 09:43:45 -0700
Message-ID: <CALKeL-MmA7PtRA+pNrauij0vbexmkuYXT_wRCVaUZpY2nmyieg@mail.gmail.com>
Subject: Re: CAS Extension
To: user@guacamole.incubator.apache.org
Content-Type: multipart/alternative; boundary="001a11425b6ede9dec0559797477"
archived-at: Mon, 18 Sep 2017 16:44:35 -0000

--001a11425b6ede9dec0559797477
Content-Type: text/plain; charset="UTF-8"

On Mon, Sep 18, 2017 at 8:23 AM, richk <rk5devmail@gmail.com> wrote:

>
> In the docs with regards to the CAS extension it has this line:
>
> "This module must be layered on top of other authentication extensions that
> provide connection information, as it only provides user authentication".
>
> So would I configure the auth-provider property with
> BasicFileAuthenticationProvider as usual, but then specify
> cas-authorization-endpoint and cas-redirect-uri to override the default
> login action to use CAS instead?


There actually is no "auth-provider" property. This property was deprecated
in 0.9.7 in favor of a new, self-contained extension format [1] and finally
removed entirely in 0.9.10-incubating [2]. Usage of this property between
0.9.7 and 0.9.10-incubating would have worked but resulted in a warning in
the logs, but the property it is now ignored. It is no longer documented in
the manual, and any third-party tutorials which refer to it are out of date.

If so, then can I just specify the
> connection configs in user-mapping.xml as usual too?
>
> Is that how it's intended to work? It seems too easy?
>
>
This is exactly how it's intended to work. Guacamole supports loading
multiple extensions simultaneously, and will automatically combine
authentication methods. I'd recommend using the MySQL or PostgreSQL
extensions instead of "user-mapping.xml", however. Besides the way that
user-mapping.xml requires the password to be manually defined for each
user, I believe there is a known issue with using user-mapping.xml
alongside other auth extensions (where the built-in auth mechanism handling
user-mapping.xml does not properly collaborate with other extensions,
unlike the database, ldap, etc. auth), but I've thus far not found a link
to where this was reported.

- Mike

[1]
http://guacamole.incubator.apache.org/releases/0.9.7/#simplified-extensions
[2]
http://guacamole.incubator.apache.org/releases/0.9.10-incubating/#removal-of-deprecated-lib-directory-and-auth-provider-properties

--001a11425b6ede9dec0559797477
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">On M=
on, Sep 18, 2017 at 8:23 AM, richk <span dir=3D"ltr">&lt;<a href=3D"mailto:=
rk5devmail@gmail.com" target=3D"_blank">rk5devmail@gmail.com</a>&gt;</span>=
 wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.=
8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
In the docs with regards to the CAS extension it has this line:<br>
<br>
&quot;This module must be layered on top of other authentication extensions=
 that<br>
provide connection information, as it only provides user authentication&quo=
t;.<br>
<br>
So would I configure the auth-provider property with<br>
BasicFileAuthenticationProvide<wbr>r as usual, but then specify<br>
cas-authorization-endpoint and cas-redirect-uri to override the default<br>
login action to use CAS instead?</blockquote><div><br></div><div>There actu=
ally is no &quot;auth-provider&quot; property. This property was deprecated=
 in 0.9.7 in favor of a new, self-contained extension format [1] and finall=
y removed entirely in 0.9.10-incubating [2]. Usage of this property between=
 0.9.7 and 0.9.10-incubating would have worked but resulted in a warning in=
 the logs, but the property it is now ignored. It is no longer documented i=
n the manual, and any third-party tutorials which refer to it are out of da=
te.</div><div><br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I=
f so, then can I just specify the<br>
connection configs in user-mapping.xml as usual too?<br>
<br>
Is that how it&#39;s intended to work? It seems too easy?<br>
<br></blockquote><div><br></div><div>This is exactly how it&#39;s intended =
to work. Guacamole supports loading multiple extensions simultaneously, and=
 will automatically combine authentication methods. I&#39;d recommend using=
 the MySQL or PostgreSQL extensions instead of &quot;user-mapping.xml&quot;=
, however. Besides the way that user-mapping.xml requires the password to b=
e manually defined for each user, I believe there is a known issue with usi=
ng user-mapping.xml alongside other auth extensions (where the built-in aut=
h mechanism handling user-mapping.xml does not properly collaborate with ot=
her extensions, unlike the database, ldap, etc. auth), but I&#39;ve thus fa=
r not found a link to where this was reported.</div><div><br></div><div>- M=
ike</div><div><br></div><div><div>[1] <a href=3D"http://guacamole.incubator=
.apache.org/releases/0.9.7/#simplified-extensions">http://guacamole.incubat=
or.apache.org/releases/0.9.7/#simplified-extensions</a></div><div>[2] <a hr=
ef=3D"http://guacamole.incubator.apache.org/releases/0.9.10-incubating/#rem=
oval-of-deprecated-lib-directory-and-auth-provider-properties">http://guaca=
mole.incubator.apache.org/releases/0.9.10-incubating/#removal-of-deprecated=
-lib-directory-and-auth-provider-properties</a></div></div><div><br></div><=
/div></div></div>

--001a11425b6ede9dec0559797477--