guacamole-user mailing list archives

From "Joachim Lindenberg" <>
Subject Authentication mechanism.. Was: New user questions...
Date Wed, 28 Feb 2018 14:33:59 GMT
Hi Mike, all,

let me first understand exactly what you wrote, in particular as I did not install the LDAP
and database part so far. You write “It is the only authentication extension which implements
both reading and writing,..”

What exactly is it writing? Configuration data – then I'd prefer to generate it. Personalization?
Then that sounds more interesting. What types of personalization? Maybe including settings
like enable-font-smoothing Christian mentioned, which might really be a user's preference or
depend on bandwidth.

Then second I'd like to understand my options. I think I have a pretty standard Hyper-V setup
except for two things: some of the VMs are created by an application of mine which also assigns
VMConnectAccess authorizations to specific user/VM combinations (which also prevents access
using VMconnect unless the users are also Hyper-V-Administrators, haven't tested exactly
what guacamole requires, but I verified I can actually connect using a different user). And
then I have a mechanism in place that saves/suspends VMs aggressively in order to conserve
memory on the host.

What I'd do in an authentication mechanism is to call a service on the Hyper-V server doing
two things: first check user & password against the local authentication systems (which
includes support for local, domain, and Microsoft users). If that succeeds, enumerate the
VMs the user is authorized to and generate the relevant configuration connection.

Does that make sense? 

Obviously the server running on Hyper-V is Hyper-V specific, whereas the client part could
be very generic and doesn't really care about whether it is Hyper-V or some other backend.

Now an interesting question is how to deal with the aggressive save: ideally one would include
suspended VMs in the connections and then trigger the resume operation when a user picks that.
Is that possible? How?

Thanks & Best Regards,




From: Mike Jumper [] 
Sent: Tuesday, 27 February 2018 08:04
Subject: Re: New user questions...


On Mon, Feb 26, 2018 at 10:45 PM, Joachim Lindenberg <> wrote:


* w.r.t. ldap & database – my installation is very small w.r.t. the number of
users (2-3) and virtual systems (5-10).  A database sounds overengineered to me especially
considering operations (backup).


Small or large, the database authentication backend is really the best way to go. It is the
only authentication extension which implements both reading and writing, thus providing a
web-based management interface for connections and users, and the only extension which implements
full screen sharing, logging of connection access, etc.


Generating user-mapping.xml on the Hyper-V host sounds like one approach I might try


I strongly recommend against auto-generating XML as a means of throwing together integration


(but I dislike the passwords in that and would prefer to get them from LDAP), or I am considering
plugging in my own authentication – but that will take some programming time.


Nevertheless, if you wish to tightly integrate Guacamole with your own authentication, this
is exactly the way it should be done.


Actually I think Guacamole could standardize a rest based client


Guacamole's interface is already driven by a REST service.


using basic authentication (forwarding the credentials received)


Guacamole also already pulls credentials from HTTP basic auth if they are not otherwise provided.
If you implement your own authentication extension, you can also explicitly do this, but the
username/password from HTTP basic auth will be automatically pulled into the Credentials object


- Mike
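
The approach discussed in this thread (check the forwarded username and password against a service on the Hyper-V host, then build one connection per VM that user is authorized for), written as an authentication extension; this is an added example, not code from either poster or from the Guacamole project. The host name, the service URL and its one-line-per-VM `name=guid` response format are hypothetical, and connecting to port 2179 with the VM ID as `preconnection-blob` is an assumption about how the Hyper-V console is reached.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.simple.SimpleAuthenticationProvider;
import org.apache.guacamole.protocol.GuacamoleConfiguration;

public class HyperVAuthenticationProvider extends SimpleAuthenticationProvider {
    // Assumptions: hypothetical host and HTTPS service returning "vm-name=vm-guid" lines.
    private static final String HOST = "hyperv.example.net";
    private static final String SERVICE_URL = "https://" + HOST + "/authorized-vms";

    @Override
    public String getIdentifier() { return "hyperv-example"; }

    @Override
    public Map<String, GuacamoleConfiguration> getAuthorizedConfigurations(Credentials creds)
            throws GuacamoleException {
        String user = creds.getUsername(), pass = creds.getPassword();
        if (user == null || pass == null) return null; // null means "not authorized"
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(SERVICE_URL).openConnection();
            conn.setRequestProperty("Authorization", "Basic " + Base64.getEncoder()
                    .encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8)));
            if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) return null; // fail closed
            Map<String, GuacamoleConfiguration> configs = new HashMap<>();
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
                for (String line; (line = in.readLine()) != null; ) {
                    int eq = line.indexOf('=');
                    if (eq <= 0) continue; // skip malformed lines instead of guessing
                    GuacamoleConfiguration config = new GuacamoleConfiguration();
                    config.setProtocol("rdp");
                    config.setParameter("hostname", HOST);
                    config.setParameter("port", "2179"); // assumption: VMConnect port
                    config.setParameter("preconnection-blob", line.substring(eq + 1).trim());
                    config.setParameter("username", user); // same credentials the host checked
                    config.setParameter("password", pass);
                    configs.put(line.substring(0, eq).trim(), config);
                }
            }
            return configs;
        } catch (IOException e) { // service unreachable: report an error, never grant access
            throw new GuacamoleServerException("Hyper-V access service unavailable", e);
        }
    }
}
```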

