guacamole-user mailing list archives

From "Joachim Lindenberg" <joac...@lindenberg.one>
Subject AW: Authentication mechanism.. Was: New user questions...
Date Sat, 03 Mar 2018 21:51:27 GMT
Hi all,

I made a proof of concept and implemented my own authentication extension. I am however struggling with:

(1) Changes of guacamole.properties (where I put some settings using a prefix hyperv.*) are not picked up until I restart Tomcat. I'd appreciate it if changes would be monitored or picked up at login, as they are for user-mapping.xml. Or am I misled?

(2) I need a JSON parser. It looks like there is none exposed by Tomcat 8 or Guacamole. I had to copy a JSON implementation into my jar, which does not look like a good solution to me. Is there a way to refer to a standard JSON implementation?

(3) It is still unclear to me what configuration changes I can/should support, and how best to trigger the restore of VMs. One approach I am experimenting with is to subclass GuacamoleConfiguration and “monitor” whether parameters are accessed and then, as a side effect, trigger the restore. However, the unpleasant aspect is that I'd also have to cache the user's credentials then. Any better approach?

Thanks,

Joachim

From: Joachim Lindenberg [mailto:joachim@lindenberg.one]
Sent: Wednesday, 28 February 2018 15:34
To: user@guacamole.apache.org
Subject: Authentication mechanism.. Was: New user questions...

Hi Mike, all,

Let me first understand exactly what you wrote, in particular as I did not install the LDAP and database part so far. You write “It is the only authentication extension which implements both reading and writing, ...”

What exactly is it writing? Configuration data – then I'd prefer to generate it. Personalization? Then that sounds more interesting. What types of personalization? Maybe including settings like enable-font-smoothing that Christian mentioned, which might really be a user's preference or depend on bandwidth.

Second, I'd like to understand my options. I think I have a pretty standard Hyper-V setup except for two things: some of the VMs are created by an application of mine which also assigns VMConnectAccess authorizations to specific user/VM combinations (which also prevents access using VMConnect unless the users are also Hyper-V Administrators; I haven't tested exactly what Guacamole requires, but I verified I can actually connect using a different user). And then I have a mechanism in place that saves/suspends VMs aggressively in order to conserve memory on the host.

What I'd do in an authentication mechanism is to call a service on the Hyper-V server doing two things: first, check user & password against the local authentication systems (which include support for local, domain, and Microsoft users). If that succeeds, enumerate the VMs the user is authorized for and generate the relevant connection configuration.

Does that make sense? 

Obviously the server part running on Hyper-V is Hyper-V specific, whereas the client part could be very generic and doesn't really need to care whether it is Hyper-V or some other backend.

Now an interesting question is how to deal with the aggressive save: ideally one would include
suspended VMs in the connections and then trigger the resume operation when a user picks that.
Is that possible? How?

Thanks & Best Regards,

Joachim

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: Tuesday, 27 February 2018 08:04
To: user@guacamole.apache.org
Subject: Re: New user questions...

On Mon, Feb 26, 2018 at 10:45 PM, Joachim Lindenberg <joachim@lindenberg.one> wrote:

...

* w.r.t. LDAP & database – my installation is very small w.r.t. the number of users (2-3) and virtual systems (5-10). A database sounds overengineered to me, especially considering operations (backup).

Small or large, the database authentication backend is really the best way to go. It is the only authentication extension which implements both reading and writing, thus providing a web-based management interface for connections and users, and the only extension which implements full screen sharing, logging of connection access, etc.

Generating user-mapping.xml on the Hyper-V host sounds like one approach I might try

I strongly recommend against auto-generating XML as a means of throwing together integration quickly:

http://guacamole.apache.org/faq/#integrate-auth

(but I dislike the passwords in that and would prefer to get them from LDAP), or I am considering plugging in my own authentication – but that will take some programming time.

Nevertheless, if you wish to tightly integrate Guacamole with your own authentication, this is exactly the way it should be done.

Actually I think Guacamole could standardize a REST-based client

Guacamole's interface is already driven by a REST service.

using basic authentication (forwarding the credentials received)

Guacamole also already pulls credentials from HTTP basic auth if they are not otherwise provided. If you implement your own authentication extension, you can also explicitly do this, but the username/password from HTTP basic auth will be automatically pulled into the Credentials object already.

- Mike
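The extension shape discussed in this thread (credentials taken from the login form or HTTP basic auth, one connection generated per VM the Hyper-V host authorizes, settings read from guacamole.properties), as an added example written against the guacamole-ext API; it is not Joachim's extension and not Guacamole project code. The class name, the hyperv-service-url property and the authorizedVms hook that stands in for the Hyper-V side service are assumptions.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.environment.LocalEnvironment;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.simple.SimpleAuthenticationProvider;
import org.apache.guacamole.properties.StringGuacamoleProperty;
import org.apache.guacamole.protocol.GuacamoleConfiguration;

/** Hypothetical extension: one RDP connection per VM the Hyper-V host authorizes. */
public abstract class HyperVAuthenticationProvider extends SimpleAuthenticationProvider {
    /** Hypothetical hyperv.* style setting read from guacamole.properties. */
    private static final StringGuacamoleProperty HYPERV_SERVICE_URL =
        new StringGuacamoleProperty() {
            @Override public String getName() { return "hyperv-service-url"; }
        };
    private final String serviceUrl;

    public HyperVAuthenticationProvider() throws GuacamoleException {
        // LocalEnvironment parses guacamole.properties when constructed, and the
        // provider is constructed once at extension load: edits need a restart.
        serviceUrl = new LocalEnvironment().getRequiredProperty(HYPERV_SERVICE_URL);
    }

    /** Hook for the Hyper-V side (out of scope here): VM hostnames the user may reach, or null on rejection. */
    protected abstract List<String> authorizedVms(String url, String user, String pass)
            throws GuacamoleException;

    @Override
    public String getIdentifier() { return "hyperv"; }

    @Override
    public Map<String, GuacamoleConfiguration> getAuthorizedConfigurations(
            Credentials credentials) throws GuacamoleException {
        // Username/password come from the login form or, if absent, HTTP basic auth.
        String user = credentials.getUsername();
        String pass = credentials.getPassword();
        if (user == null || pass == null) return null; // cannot vouch for this login
        List<String> vms = authorizedVms(serviceUrl, user, pass);
        if (vms == null) return null; // rejected by the host: no connections, nothing cached
        // Fresh configurations per login; the user's own credentials go to the VM.
        Map<String, GuacamoleConfiguration> configs = new HashMap<>();
        for (String vm : vms) {
            GuacamoleConfiguration config = new GuacamoleConfiguration();
            config.setProtocol("rdp");
            config.setParameter("hostname", vm);
            config.setParameter("username", user);
            config.setParameter("password", pass);
            configs.put(vm, config);
        }
        return configs;
    }
}
```

Returning null from getAuthorizedConfigurations is how SimpleAuthenticationProvider signals that the extension does not vouch for the login, so no connection is ever built for rejected credentials.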

 

