guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: Authentication using http
Date Fri, 03 Nov 2017 13:01:04 GMT
On Tue, Oct 31, 2017 at 5:43 PM, Thompson, John H. (GSFC-606.2)[PATUXENT
TECHNOLOGY PARTNERS] <john.h.thompson@nasa.gov> wrote:

> Will storing the allowed connections in LDAP work with HTTP header authentication?
>
> From reading about LDAP, it seems the answer is “no”
>
> "if the bind attempt is successful, the set of available Guacamole connections is queried from the LDAP directory by executing an LDAP query as the bound user. Each Guacamole connection is represented within the directory as a special type of group: guacConfigGroup. Attributes associated with the group define the protocol and parameters of the connection, and users are allowed access to the connection only if they are associated with that group."
>
> From reading http header, it seems the answer is "maybe .... ?"
>
> "This authentication method must be layered on top of some other authentication extension, such as those available from the main project website, in order to provide access to actual connections."
>
> The Guacamole documentation is somewhat unclear as to authentication versus authorization.
>
> Thanks in advance for any insight you can share!
>

I believe the answer is no.  Mike can correct this if I'm wrong, but my
understanding is that one of the security mechanisms in the LDAP module is
that the bind to look for connections is done with the user who logged in.
So, if the user is logged in through another mechanism (header
authentication), and particularly one that doesn't provide the password to
Guacamole (header will not), then there's not going to be any way for the
user who logged in to bind to the LDAP directory.

Header authentication does layer nicely, though, with the JDBC module, so
the best bet is to use JDBC to store the connections.  I realize that you
may be trying to use LDAP's built-in membership mechanism to assign
users/groups to connections, so that doesn't help you there, but header +
JDBC does work.

Regards,
Nick
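The header + JDBC layering described in the reply, as an added example guacamole.properties that is not part of this thread. It assumes a MySQL-backed JDBC extension and a reverse proxy in front of Guacamole that sets REMOTE_USER after authenticating the user; the hostnames and credentials are placeholders.

```properties
# --- Authentication: guacamole-auth-header ---
# The header extension only answers "who is this user?". It never sees a
# password, which is why it cannot drive the LDAP extension: LDAP binds as
# the logged-in user to look up guacConfigGroup connections, and a header
# login has no credential to bind with.
http-auth-header: REMOTE_USER

# The reverse proxy MUST be the only thing able to set this header, and it
# must drop any REMOTE_USER value supplied by the client. Guacamole trusts
# the header as-is; if clients can reach the servlet container directly,
# anyone can log in as any username.

# --- Authorization: guacamole-auth-jdbc (MySQL) ---
# Connections, groups and permissions live in the database, so the JDBC
# extension can list them for a user it did not itself authenticate.
mysql-hostname: db.example.internal   # placeholder
mysql-port: 3306
mysql-database: guacamole_db          # placeholder
mysql-username: guacamole_user        # placeholder
mysql-password: CHANGE-ME             # placeholder, keep out of VCS

# Only users that already exist in the database may log in. Without this,
# any identity the proxy asserts is accepted and lands on an empty home
# page; with it, accounts (and thus connection access) are provisioned
# deliberately in the JDBC schema rather than implicitly by the header.
mysql-user-required: true
```

Users and their connection assignments are then created in the JDBC schema (for example through the Guacamole admin UI) under the same username the proxy places in REMOTE_USER.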
