guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: dynamic param values for user-mapping.xml
Date Tue, 23 Apr 2019 16:09:03 GMT
On Tue, Apr 23, 2019 at 6:03 AM Vieri <rentorbuy@yahoo.com> wrote:

> Hi,
>
> Is it possible to use the output of external scripts in order to define
> specific variables in user-mapping.xml?
>

Yes, this is possible; however, my question would be, why do this instead
of just setting up the JDBC module?  It seems like a lot of effort to go to
in order to get this working in the user-mapping.xml file, which the JDBC
module would definitely allow you to use Parameter Tokens for much of this.


> I know I could try to use the LDAP/AD authenticator extension, but:
>
> 1) AD is not officially supported, and I'd need to modify the schema with
> something like this:
> https://glyptodon.com/jira/secure/attachment/13006/Guacamole%20LDAP%20Authentication%20with%20Active%20Directory.pdf
>
> 2) I don't know yet if it is possible/easy to manage the NLA
> guacConfigParameter values for each user, i.e. would I need to specify
> username, password and domain for each group when using NLA as security
> mode? That would mean I'd need to create a connection object for each AD
> user! Or does Guacamole try to use the same username and password as the
> ones used for the initial LDAP/AD bind even when using NLA?
>
>
I would suggest using LDAP/AD + JDBC for this.  That way you can have users
authenticate with LDAP/AD, but you don't have to change the Active
Directory schema.  Then you can use the Parameter tokens, as you already
mentioned, to fill in username and password for NLA.  The parameter tokens
(${GUAC_USERNAME} and ${GUAC_PASSWORD}) won't work with the user-mapping.xml
file - you cannot use these values in that file.


> Also note that I'd like the hostname to be dynamic too as I have a script
> that checks several things in order to determine which RDP server a user
> should connect to (eg. checks resource usage on every server, checks
> whether a previously connected user session was inadvertently cut off,
> etc., and finally outputs the name or IP address of the RDP server).
>

This would be more difficult to do, and would probably be the right place for
a custom authentication extension that does these checks and keeps track of
things for you.  A script would work with the user-mapping.xml file, but,
again, that would lack authentication integration with any of the other
modules, so I think that would probably be less helpful than writing an
extension.

-Nick
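
As an added illustration (not part of this thread or of the Guacamole project's own files), this is what the JDBC-side setup Nick describes looks like: an RDP connection in NLA mode whose username and password are filled in at connect time from the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens, so no credentials are stored. It assumes the MySQL variant of the JDBC schema; the connection name, host and domain are constructed placeholders, and the hostname stays static because per-user server selection needs the custom extension Nick mentions.

```sql
-- Constructed example: one RDP connection using parameter tokens for NLA.
-- Assumes the Guacamole JDBC (MySQL) schema tables guacamole_connection
-- and guacamole_connection_parameter.

INSERT INTO guacamole_connection (connection_name, protocol)
VALUES ('Terminal Server (NLA via tokens)', 'rdp');

SET @conn_id = LAST_INSERT_ID();

INSERT INTO guacamole_connection_parameter (connection_id, parameter_name, parameter_value)
VALUES
    -- Static target; a dynamic choice per user is not expressible here.
    (@conn_id, 'hostname',    'rdp.example.internal'),   -- placeholder host
    (@conn_id, 'port',        '3389'),
    (@conn_id, 'security',    'nla'),
    (@conn_id, 'ignore-cert', 'false'),                   -- keep cert checks on
    -- Tokens: substituted with the credentials the user logged in with
    -- (e.g. via the LDAP/AD extension), so nothing secret sits in the table.
    (@conn_id, 'username',    '${GUAC_USERNAME}'),
    (@conn_id, 'password',    '${GUAC_PASSWORD}'),
    (@conn_id, 'domain',      'EXAMPLE');                 -- placeholder AD domain

-- Review what was stored: the token strings, never a real password.
SELECT parameter_name, parameter_value
FROM guacamole_connection_parameter
WHERE connection_id = @conn_id
ORDER BY parameter_name;
```

Access to the connection is then granted to users or groups through the normal READ permission rows in the JDBC schema; none of this is possible in user-mapping.xml, where the token strings would be passed to the RDP server literally.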
