Posted to user@guacamole.apache.org by JoelB <na...@joelbest.ca> on 2019/01/04 15:34:26 UTC

Concurrency limit for LDAP auth?

Is there any way to implement concurrency limits for connections/users
defined in LDAP? I've been unable to get LDAP and MySQL to co-operate so
I've switched to an LDAP-only configuration. However, I need to be able to
restrict users to logging in to only one machine at a time and clients to
only allow one connection at a time.

Thanks for any advice,
-Joel



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: Concurrency limit for LDAP auth?

Posted by JoelB <na...@joelbest.ca>.
Thanks Nick, that was my suspicion. I spent a lot of time debugging the
problem using LDAP auth/groups with MySQL backend on 1.0.0 but could not get
it working after many days of troubleshooting. Hence why I switched to
LDAP-only. My original problems were posted to this list here in case you're
interested:

http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/LDAP-problems-with-1-0-0-but-working-with-0-9-14-td4214.html

I will work on that problem again but I might just have to wait for the
concurrency attributes to be available through LDAP.

Thanks again,
-Joel




Re: Concurrency limit for LDAP auth?

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Jan 7, 2019 at 7:06 PM Mike Jumper <mj...@apache.org> wrote:

> On Fri, Jan 4, 2019 at 12:59 PM Nick Couchman <vn...@apache.org> wrote:
>
>> On Fri, Jan 4, 2019 at 10:34 AM JoelB <na...@joelbest.ca> wrote:
>>
>>> Is there any way to implement concurrency limits for connections/users
>>> defined in LDAP? I've been unable to get LDAP and MySQL to co-operate so
>>> I've switched to an LDAP-only configuration. However, I need to be able to
>>> restrict users to logging in to only one machine at a time and clients to
>>> only allow one connection at a time.
>>>
>>>
>> I do not believe the connection attributes (which includes concurrency)
>> work from connections defined within the LDAP authentication module.
>>
>>
> It's not so much that they don't work as they aren't implemented. Only the
> database auth implements the type of tracking necessary for these limits.
>
>
Yes, quite right.


> While it is true that the database auth allows these limits to be
> maintained/overridden with connection attributes, leveraging connection
> attributes is only necessary if these limits are to be exposed within the
> user interface. If concurrency limits were implemented within LDAP, which
> will presumably remain read-only, the limits could be read internally from
> LDAP attributes, exposing nothing.
>
> I think we would first want to look into extracting the core of the
> database auth that implements connection tracking, sharing, etc. such that
> it can be used by other extensions, including downstream extensions. It's a
> very common need, and implementing reliable connection tracking in a way
> that doesn't have difficult-to-diagnose race conditions is tricky.
>

Sounds like we're collecting a list of things to extract/abstract out of
the JDBC module.  We've already discussed doing that for permissions
management, and now we've got concurrency - sounds like we're moving in the
direction of some pretty serious re-architecting of the way the extension
modules are done, where those just become much more simple interfaces
between guacamole-ext (or wherever we move it to) and whatever is storing
the data.  I like it.

-Nick


Re: Concurrency limit for LDAP auth?

Posted by Mike Jumper <mj...@apache.org>.
On Fri, Jan 4, 2019 at 12:59 PM Nick Couchman <vn...@apache.org> wrote:

> On Fri, Jan 4, 2019 at 10:34 AM JoelB <na...@joelbest.ca> wrote:
>
>> Is there any way to implement concurrency limits for connections/users
>> defined in LDAP? I've been unable to get LDAP and MySQL to co-operate so
>> I've switched to an LDAP-only configuration. However, I need to be able to
>> restrict users to logging in to only one machine at a time and clients to
>> only allow one connection at a time.
>>
>>
> I do not believe the connection attributes (which includes concurrency)
> work from connections defined within the LDAP authentication module.
>
>
It's not so much that they don't work as they aren't implemented. Only the
database auth implements the type of tracking necessary for these limits.

While it is true that the database auth allows these limits to be
maintained/overridden with connection attributes, leveraging connection
attributes is only necessary if these limits are to be exposed within the
user interface. If concurrency limits were implemented within LDAP, which
will presumably remain read-only, the limits could be read internally from
LDAP attributes, exposing nothing.

I think we would first want to look into extracting the core of the
database auth that implements connection tracking, sharing, etc. such that
it can be used by other extensions, including downstream extensions. It's a
very common need, and implementing reliable connection tracking in a way
that doesn't have difficult-to-diagnose race conditions is tricky.

- Mike
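As an added illustration of the connection tracking Mike describes (example code, not Guacamole's or the JDBC module's): a tracker that checks and reserves a slot for both the user and the connection under a single lock, plus a helper that fires many simultaneous open attempts to show the limit holds under contention. The class and function names are hypothetical; with both limits set to 1 it gives exactly what Joel asked for, one machine per user and one client per connection.

```python
import threading
from collections import Counter


class ConnectionTracker:
    """Per-user and per-connection session caps, checked and reserved under one lock
    so two clients racing for the last slot cannot both be admitted (hypothetical
    tracker for illustration, not the guacamole-auth-jdbc implementation)."""

    def __init__(self, max_per_user, max_per_connection):
        self.max_per_user = max_per_user
        self.max_per_connection = max_per_connection
        self._lock = threading.Lock()
        self._by_user = Counter()        # username -> active sessions
        self._by_connection = Counter()  # connection id -> active clients

    def try_acquire(self, user, connection):
        """Atomically reserve a slot; False if either limit would be exceeded."""
        with self._lock:
            if self._by_user[user] >= self.max_per_user:
                return False
            if self._by_connection[connection] >= self.max_per_connection:
                return False
            self._by_user[user] += 1
            self._by_connection[connection] += 1
            return True

    def release(self, user, connection):
        """Free the slot when the tunnel closes; counts never go below zero."""
        with self._lock:
            self._by_user[user] = max(0, self._by_user[user] - 1)
            self._by_connection[connection] = max(0, self._by_connection[connection] - 1)


def race_many(tracker, user, connection, attempts=50):
    """Start many simultaneous open attempts and return how many were admitted."""
    admitted = []
    barrier = threading.Barrier(attempts)  # release every thread at the same moment

    def worker():
        barrier.wait()
        if tracker.try_acquire(user, connection):
            admitted.append(1)

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(admitted)
```

The same check-then-reserve step is what a shared tracker would have to perform on behalf of an LDAP-backed extension, whichever store the limits are read from.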

Re: Concurrency limit for LDAP auth?

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Jan 4, 2019 at 10:34 AM JoelB <na...@joelbest.ca> wrote:

> Is there any way to implement concurrency limits for connections/users
> defined in LDAP? I've been unable to get LDAP and MySQL to co-operate so
> I've switched to an LDAP-only configuration. However, I need to be able to
> restrict users to logging in to only one machine at a time and clients to
> only allow one connection at a time.
>
>
I do not believe the connection attributes (which includes concurrency)
work from connections defined within the LDAP authentication module.

If you really need those controls it would probably be best to figure out
the solution to whatever issue you're running into stacking LDAP with MySQL
and resolve that.

-Nick