Posted to commits@guacamole.apache.org by "Nick Couchman (JIRA)" <ji...@apache.org> on 2018/10/02 01:28:00 UTC

[jira] [Commented] (GUACAMOLE-524) Allow LDAP attributes to be used as token

    [ https://issues.apache.org/jira/browse/GUACAMOLE-524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16634828#comment-16634828 ] 

Nick Couchman commented on GUACAMOLE-524:
-----------------------------------------

{quote}
It universally allows arbitrary attributes to be set even though those attributes are not supported nor persisted. The specification for setAttributes() requires that this not be done so that extensions can detect whether a custom attribute has been successfully set.
{quote}

To clarify what you're saying, in order to use the Attributes interface as it's designed (contracted), we would have to specifically identify "Supported" attributes within the LDAP authentication extension that we intend to allow/support.  If I'm reading this correctly, we actually cannot use the Attributes interface for arbitrary (that is, admin-configured) attributes?

Or would it be possible to read in from guacamole.properties the user-configured attribute names and define those as the "Supported" attributes dynamically, and then modify the getAttributes() and setAttributes() parameters to handle appropriately?

{quote}
All attributes within the map are replaced with each call to setAttributes(). The specification for setAttributes() explicitly states that attributes not within the given map must be left untouched.
{quote}

Depending on the answer to the first item, this may be moot, but assuming we can read in the user-configured attribute names as "Supported" attributes and still use this interface, this would mean that setAttributes() would need to go through and add each of these attributes to the map.  I'm guessing this would be similar to the code that was used in some of the other modules to do things like store TOTP extension information in JDBC?

> Allow LDAP attributes to be used as token
> -----------------------------------------
>
>                 Key: GUACAMOLE-524
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-524
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Jared Frees
>            Priority: Minor
>             Fix For: 2.0.0
>
>
> Add support for using LDAP attributes as tokens for connection configuration.  For example, map the attribute 'workstationName' of the current logged on user to a token USER_WORKSTATION that could then be used in a connection profile.  This would allow using a single connection and for the destination to be determined by the LDAP attribute.  This mapping should be configurable and could be used in a connection definition such as the following:
>  
> dn: cn=Example Connection,ou=groups,dc=example,dc=net
> objectClass: guacConfigGroup
> objectClass: groupOfNames
> cn: Example Connection
> guacConfigProtocol: rdp
> guacConfigParameter: hostname=${USER_WORKSTATION}
> guacConfigParameter: username=${GUAC_USERNAME}
> guacConfigParameter: password=${GUAC_PASSWORD}
> member: cn=user1,ou=people,dc=example,dc=net
> member: cn=user2,ou=people,dc=example,dc=net



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
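
Added example, not part of the original message and not Guacamole's own code: a stand-alone Java class that follows the two setAttributes() rules quoted in the comment above, assuming the supported names are the admin-configured ones. The class name ConfiguredAttributes and the sample attribute names and values are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical stand-in for an object exposing getAttributes()/setAttributes().
// It extends no Guacamole class so that it compiles on its own.
public class ConfiguredAttributes {

    // Attribute names the administrator configured
    // (assumption: read from guacamole.properties at startup)
    private final Set<String> supported;

    // Current values, holding supported attributes only
    private final Map<String, String> values = new HashMap<>();

    public ConfiguredAttributes(Set<String> supported) {
        this.supported = Set.copyOf(supported);
    }

    // Returns a copy so that callers cannot bypass setAttributes()
    public Map<String, String> getAttributes() {
        return new HashMap<>(values);
    }

    public void setAttributes(Map<String, String> attributes) {
        for (Map.Entry<String, String> entry : attributes.entrySet()) {
            // Unsupported names are not stored, so a caller can detect
            // the failure by checking getAttributes() afterwards
            if (supported.contains(entry.getKey()))
                values.put(entry.getKey(), entry.getValue());
        }
        // Names absent from the given map are deliberately left untouched
    }

    public static void main(String[] args) {
        // Constructed sample: two admin-configured attribute names
        ConfiguredAttributes user =
                new ConfiguredAttributes(Set.of("workstationName", "mail"));

        user.setAttributes(Map.of("workstationName", "ws-01", "mail", "user1@example.net"));

        // Second call omits "mail" and passes a name that is not supported
        user.setAttributes(Map.of("workstationName", "ws-02", "sshKey", "not-stored"));

        System.out.println(user.getAttributes());
    }
}
```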