Posted to user@guacamole.apache.org by "Thompson, John H. (GSFC-606.2)[PATUXENT TECHNOLOGY PARTNERS]" <jo...@nasa.gov> on 2017/10/31 21:43:51 UTC

Authentication using http

Will storing the allowed connections in LDAP work with HTTP
header authentication?

From reading about LDAP, it seems the answer is “no”
"if the bind attempt is successful, the set of available Guacamole
connections is queried from the LDAP directory by executing an LDAP
query as the bound user. Each Guacamole connection is represented within
the directory as a special type of group: guacConfigGroup. Attributes
associated with the group define the protocol and parameters of the
connection, and users are allowed access to the connection only if they
are associated with that group."

From reading http header, it seems the answer is "maybe .... ?"
"This authentication method must be layered on top of some other
authentication extension, such as those available from the main project
website, in order to provide access to actual connections."

The Guacamole documentation is somewhat unclear as to authentication versus authorization.

Thanks in advance for any insight you can share!


Re: Authentication using http

Posted by Mike Jumper <mi...@guac-dev.org>.
On Fri, Nov 3, 2017 at 6:01 AM, Nick Couchman <vn...@apache.org> wrote:
>
> On Tue, Oct 31, 2017 at 5:43 PM, Thompson, John H. (GSFC-606.2)[PATUXENT TECHNOLOGY PARTNERS] <jo...@nasa.gov> wrote:
>>
>> Will storing the allowed connections in LDAP work with HTTP
>> header authentication?
>>
>> ...
>>
>
> I believe the answer is no.  Mike can correct this if I'm wrong, but my understanding is that one of the security mechanisms in the LDAP module is that the bind to look for connections is done with the user who logged in.  So, if the user is logged in through another mechanism (header authentication), and particularly one that doesn't provide the password to Guacamole (header will not), then there's not going to be any way for the user who logged in to bind to the LDAP directory.
>

This is exactly correct. Part of the idea behind the LDAP
authentication is to allow the LDAP directory's own security
constraints to dictate access level. This cannot be done without a
bind.

- Mike

Re: Authentication using http

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Oct 31, 2017 at 5:43 PM, Thompson, John H. (GSFC-606.2)[PATUXENT
TECHNOLOGY PARTNERS] <jo...@nasa.gov> wrote:

> Will storing the allowed connections in LDAP work with HTTP
> header authentication?
>
> From reading about LDAP, it seems the answer is “no”
> "if the bind attempt is successful, the set of available Guacamole
> connections is queried from the LDAP directory by executing an LDAP
> query as the bound user. Each Guacamole connection is represented within
> the directory as a special type of group: guacConfigGroup. Attributes
> associated with the group define the protocol and parameters of the
> connection, and users are allowed access to the connection only if they
> are associated with that group."
>
> From reading http header, it seems the answer is "maybe .... ?"
> "This authentication method must be layered on top of some other
> authentication extension, such as those available from the main project
> website, in order to provide access to actual connections."
>
> The Guacamole documentation is somewhat unclear as to authentication
> versus authorization.
>
> Thanks in advance for any insight you can share!

I believe the answer is no.  Mike can correct this if I'm wrong, but my
understanding is that one of the security mechanisms in the LDAP module is
that the bind to look for connections is done with the user who logged in.
So, if the user is logged in through another mechanism (header
authentication), and particularly one that doesn't provide the password to
Guacamole (header will not), then there's not going to be any way for the
user who logged in to bind to the LDAP directory.

Header authentication does layer nicely, though, with the JDBC module, so
the best bet is to use JDBC to store the connections.  I realize that you
may be trying to use LDAP's built-in membership mechanism to assign
users/groups to connections, so that doesn't help you there, but header +
JDBC does work.

Regards,
Nick
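The layering Nick recommends (the header extension supplies only the identity, the JDBC extension supplies the connections and decides who may use them), shown as an added example guacamole.properties that is not part of this thread or of the Guacamole project's documentation. The hostnames, database name and credentials are placeholders, and the header name assumes the upstream reverse proxy sets REMOTE_USER after it has authenticated the user.

```properties
# Constructed example guacamole.properties: header authentication layered on MySQL.
# Not from the thread; host names, database name and password are placeholders.

guacd-hostname: localhost
guacd-port: 4822

# guacamole-auth-header: trust the identity in this request header.
# The header must be set by the reverse proxy in front of Guacamole only;
# Guacamole itself must not be reachable except through that proxy.
http-auth-header: REMOTE_USER

# guacamole-auth-jdbc-mysql: connections and connection permissions live here,
# so no LDAP bind is needed to authorize the header-authenticated user.
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: CHANGE_ME_PLACEHOLDER

# Refuse users the header names unless an administrator has created a matching
# account in the database; this keeps the database the source of authorization.
mysql-user-required: true
```

With both extensions installed, a request arriving with REMOTE_USER set is accepted as that user, and the connections shown are those granted to the same username in the database. Setting mysql-user-required is the check that matters in this layering: without it, any username the proxy forwards is accepted and simply sees no connections, while with it an unknown name is rejected outright.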