On Tue, Oct 31, 2017 at 5:43 PM, Thompson, John H. (GSFC-606.2)[PATUXENT TECHNOLOGY PARTNERS] <john.h.thompson@nasa.gov> wrote:

Will storing the allowed connections in LDAP work with "HTTP header authentication"?


From reading about LDAP, it seems the answer is "no":

"if the bind attempt is successful, the set of available Guacamole connections is queried from the LDAP directory by executing an LDAP query as the bound user. Each Guacamole connection is represented within the directory as a special type of group: guacConfigGroup. Attributes associated with the group define the protocol and parameters of the connection, and users are allowed access to the connection only if they are associated with that group."


From reading about HTTP header authentication, it seems the answer is "maybe ... ?":

"This authentication method must be layered on top of some other authentication extension, such as those available from the main project website, in order to provide access to actual connections."


The Guacamole documentation is somewhat unclear as to authentication versus authorization.


Thanks in advance for any insight you can share!


I believe the answer is no. Mike can correct this if I'm wrong, but my understanding is that one of the security mechanisms in the LDAP module is that the bind to look for connections is done with the user who logged in. So, if the user is logged in through another mechanism (header authentication), and particularly one that doesn't provide the password to Guacamole (header will not), then there's not going to be any way for the user who logged in to bind to the LDAP directory.

Header authentication does layer nicely, though, with the JDBC module, so the best bet is to use JDBC to store the connections.  I realize that you may be trying to use LDAP's built-in membership mechanism to assign users/groups to connections, so that doesn't help you there, but header + JDBC does work.
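The split the reply describes, laid out as a guacamole.properties file (an added illustration, not configuration from the thread or the Guacamole project): the header extension only establishes who the user is, so the extension that answers "which connections may this user see" must be one that can work without the user's password. The header name, hostnames and database credentials below are assumed placeholders.

```properties
# --- Authentication: guacamole-auth-header -------------------------------
# The username is taken verbatim from this request header, which the reverse
# proxy sets after it has authenticated the user. Guacamole never sees a
# password here, so it cannot bind to LDAP *as that user*, and the LDAP
# extension cannot run its per-user guacConfigGroup query on its behalf.
# Because the header is trusted as-is, Guacamole must only be reachable
# through the proxy that sets it. (Header name is an assumption; the
# extension's default is REMOTE_USER.)
http-auth-header: X-Forwarded-User

# --- Authorization that does NOT layer: LDAP connection storage ----------
# Left commented out: with header auth there is no user bind, so the
# connections stored as guacConfigGroup entries under ldap-config-base-dn
# would never be returned for the logged-in user.
# ldap-hostname: ldap.example.internal
# ldap-port: 389
# ldap-user-base-dn: ou=people,dc=example,dc=internal
# ldap-config-base-dn: ou=guacamole,dc=example,dc=internal

# --- Authorization that DOES layer: guacamole-auth-jdbc (MySQL) ----------
# Connections, plus the user and group assignments that grant access to
# them, live in the JDBC database and are looked up by username alone, so
# they work with an identity that arrived in a header.
mysql-hostname: db.example.internal
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: REPLACE_WITH_DB_PASSWORD
```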