Posted to user@guacamole.apache.org by drhy <da...@outlook.com> on 2020/01/26 10:21:40 UTC

Radius + LDAP authentication, then database Groups

Hi,

LDAP with Active Directory and a Guacamole database (e.g. MySQL) can be
configured so that no users need to be added to the database. When LDAP
successfully authenticates a user, it returns the user's Active Directory
Group names and where any match names for groups of Connections in the
database then those Connections are available to the user. Almost zero user
administration!

Is there any way to add Radius authentication into this?
My reason for asking is that we use Azure MFA triggered by Radius
Authentication, but would really like the low admin overhead that the LDAP
module allows for.

As I understand it at the moment any module that successfully authenticates
a user is allowing them into guacamole, even if they would fail at another
module. And the database then supplements the successful authentication by
supplying connection options and parameters.

It would be great if there was something like an entry in
guacamole.properties "alternative-auth: radius  and ldap OR sql".

Is there any magic that could be used to achieve this?

Thanks.

-David





--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: Radius + LDAP authentication, then database Groups

Posted by Nick Couchman <vn...@apache.org>.
On Sun, Jan 26, 2020 at 2:34 PM drhy <da...@outlook.com> wrote:

> @vnick
>
> I tested 1.1.0 yesterday, including its LDAP and jdbc/MySQL, hence my
> excitement.
>

Great!  Thanks for doing testing on the RC1 release!  Definitely let us
know if you have any issues.


> By the way, 1.1.0 will be making guacamole into a stunning product.
>
>
I certainly think this is a great step forward for the project, and I'm
also excited that we have another version close on the heels of it that I
*hope* we can release much more quickly, and start a cycle of quicker
releases for the project.  We'll see how that works out, but I'm optimistic.


> I also tested the 1.1.0 radius ('cos it triggers our Azure MFA), so it looks
> like I'll just have to be a bit patient :-)
>
>
:-).  Always tough, but hopefully we'll get there, soon.  My current
employer also uses Azure MFA, so configuring Guacamole with RADIUS for that
is on my list of things to do.


> You reminded me that I originally posted GUACAMOLE-792 "Radius Provider
> returns Group - like LDAP Provider", to which I've just added some more
> info.
>
>
Thanks!

-Nick

Re: Radius + LDAP authentication, then database Groups

Posted by drhy <da...@outlook.com>.
@vnick

I tested 1.1.0 yesterday, including its LDAP and jdbc/MySQL, hence my
excitement.
By the way, 1.1.0 will be making guacamole into a stunning product.

I also tested the 1.1.0 radius ('cos it triggers our Azure MFA), so it looks
like I'll just have to be a bit patient :-)

You reminded me that I originally posted GUACAMOLE-792 "Radius Provider
returns Group - like LDAP Provider", to which I've just added some more
info.

Thanks again.

-David





Re: Radius + LDAP authentication, then database Groups

Posted by Nick Couchman <vn...@apache.org>.
On Sun, Jan 26, 2020 at 5:18 AM drhy <da...@outlook.com> wrote:

> Hi,
>
> LDAP with Active Directory and a Guacamole database (e.g. MySQL) can be
> configured so that no users need to be added to the database. When LDAP
> successfully authenticates a user, it returns the user's Active Directory
> Group names and where any match names for groups of Connections in the
> database then those Connections are available to the user. Almost zero user
> administration!
>
> Is there any way to add Radius authentication into this?
> My reason for asking is that we use Azure MFA triggered by Radius
> Authentication, but would really like the low admin overhead that the LDAP
> module allows for.
>
>
I think there are a couple of things coming that will help you out with
this.  First, in the code for the upcoming 1.1.0 release we corrected a bug
and tweaked how user/group mapping is handled across the modules such that
it works in a way that makes a little more sense.  For reference, the
following two JIRA issues should help:

https://issues.apache.org/jira/browse/GUACAMOLE-715
https://issues.apache.org/jira/browse/GUACAMOLE-696

Beyond that, there are a couple of open JIRA issues - still being worked, and
won't be in 1.1.0 code - related to allowing other modules to pass through
group information into Guacamole.  There is a PR in progress for this for
CAS, and I think there is an open issue for at least the RADIUS module.  If
the above issues don't solve it, hopefully we'll be able to add it in the
near future via changes to the other authentication extensions.

-Nick