Posted to commits@guacamole.apache.org by "Nick Couchman (JIRA)" <ji...@apache.org> on 2019/01/02 01:30:00 UTC

[jira] [Commented] (GUACAMOLE-686) HTTP Header Auth ignores LDAP configuration

    [ https://issues.apache.org/jira/browse/GUACAMOLE-686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16731721#comment-16731721 ] 

Nick Couchman commented on GUACAMOLE-686:
-----------------------------------------

You can't - this configuration won't work, for a couple of reasons.  The LDAP module uses LDAP's built-in security and access control to determine what connections a user has access to.  In order to accomplish this, the LDAP module first authenticates with the search user specified in the configuration (if applicable), and then authenticates with the information (username and password) of the user who is logging in.  It uses the search to attempt to locate the user DN in the LDAP tree, and, failing that, computes the DN of the user based on the username and the user base DN.

Because the LDAP module functions this way, it _requires_ the password to be present during authentication, and, if you're using the Header authentication module, the password is not available to Guacamole because the authentication is being done outside of Guacamole and Guacamole is trusting the authentication provided outside of the module.

Even with another module, like CAS, that can provide the password back to Guacamole (CAS uses a feature called ClearPass to do this), I don't believe this configuration would work, because the user is already authenticated prior to the LDAP module being called, so the LDAP module will not attempt to bind under that user account due to the prior successful authentication.

> HTTP Header Auth ignores LDAP configuration
> -------------------------------------------
>
>                 Key: GUACAMOLE-686
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-686
>             Project: Guacamole
>          Issue Type: Bug
>            Reporter: zach
>            Priority: Minor
>
> My guacamole server uses LDAP and works when logging in using the web portal. I put a single-sign-on server in front of it which authenticates the users for me, and then forwards the user to guacamole using HTTP-Header-Auth. When this header auth successfully logs in, no connections are visible, and no lookups are performed against my LDAP server.
> How do I tell guacamole to use HTTP-Header-Auth for the login, and then perform LDAP queries to discover connections available to the logged-in user?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
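
Added example, not part of the original message and not Guacamole's code: a simplified Python model of the LDAP flow described in the comment above (search bind, DN lookup with derived-DN fallback, then a bind as the user), showing why a header-authenticated login, which carries no password, sees no connections. The directory entries, DNs, passwords, header name and function names are constructed for illustration.

```python
# Simplified model of the flow described in the comment; not Guacamole source.
# All DNs, passwords and entries below are constructed sample data.
DIRECTORY = {  # DN -> entry
    "cn=search,dc=example,dc=net": {"password": "search-pw", "uid": None},
    "uid=alice,ou=people,dc=example,dc=net": {"password": "alice-pw", "uid": "alice"},
}
# Directory-side access control: each connection entry lists the bound DNs
# that are allowed to read it.
CONNECTIONS = {
    "cn=rdp-desktop,ou=connections,dc=example,dc=net":
        {"uid=alice,ou=people,dc=example,dc=net"},
}
USER_BASE_DN = "ou=people,dc=example,dc=net"

class BindError(Exception):
    pass

def bind(dn, password):
    """Simple bind. Assumption of this model: an empty or missing password
    is rejected rather than treated as an anonymous bind."""
    entry = DIRECTORY.get(dn)
    if entry is None or not password or entry["password"] != password:
        raise BindError(dn)
    return dn

def resolve_user_dn(username, search_dn=None, search_password=None):
    """Locate the user DN via the search user if one is configured;
    failing that, derive it from the username and the user base DN."""
    if search_dn:
        bind(search_dn, search_password)
        for dn, entry in DIRECTORY.items():
            if entry["uid"] == username:
                return dn
    return f"uid={username},{USER_BASE_DN}"

def ldap_connections(username, password, **search):
    """Connections readable after binding as the user; [] if no bind succeeds."""
    try:
        bound = bind(resolve_user_dn(username, **search), password)
    except BindError:
        return []
    return sorted(c for c, readers in CONNECTIONS.items() if bound in readers)

def header_auth_identity(headers, header_name="REMOTE_USER"):
    """Trusted-header login: the proxy asserts a username, never a password."""
    return headers.get(header_name), None
```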