Posted to user@guacamole.apache.org by Obuno <ob...@protonmail.com.INVALID> on 2021/03/12 10:39:21 UTC

LDAP(s) logoff's

Hi there all,

I'm testing Guacamole, and it is all working very well. I've integrated it with an LDAPS AD system and that all works well too; auths are fine, etc.
My issue is that in the event of a logoff and/or session timeout, I can't find a way to send a logoff event towards the AD/LDAP.

The idea behind this requirement is to provide further authorizations (NGFWs) using a 3rd-party SSO scheme which gathers users' login/logoff events done at AD.
Hence, users belonging to the correct Guacamole-tied groups pop up, but never disappear in the SSO scheme.

Any help/idea would be greatly appreciated.
Thanks, kind regards

Re: LDAP(s) logoff's

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Mar 12, 2021 at 11:14 AM Obuno <ob...@protonmail.com.invalid> wrote:

> Hi Nick,
>
> Thanks a lot for your time, and thanks to all the developers!! Amazing
> project, really!! Nice to read that SSOff is around the corner.
>
> During my testing I've shuffled around with RADIUS as well, which could
> have helped me through RADIUS Accounting, though I couldn't find
> much documentation around feasibility at all. RADIUS worked fine though.
> Would you know if there might be any "script-able" part upon Guacamole
> logon/logoff events? I could interface our SSO scheme through API calls.
>
>
Yeah, the RADIUS module does not have Accounting implemented right now,
either, so that's not going to help you much without some additional work
in implementing that.

And, at this point, there is nothing implemented for "script-able" events
for log on and log off. This is part of the goal of the SLO support, but
also would require either modifications to an existing extension, or a
separate extension.

-Nick

Re: LDAP(s) logoff's

Posted by Obuno <ob...@protonmail.com.INVALID>.
Hi Nick,

Thanks a lot for your time, and thanks to all the developers!! Amazing project, really!! Nice to read that SSOff is around the corner.

During my testing I've shuffled around with RADIUS as well, which could have helped me through RADIUS Accounting, though I couldn't find much documentation around feasibility at all. RADIUS worked fine though.
Would you know if there might be any "script-able" part upon Guacamole logon/logoff events? I could interface our SSO scheme through API calls.

Thanks again,
Kind regards,
o.
------- Original Message -------
On Friday, March 12, 2021 4:43 PM, Nick Couchman <vn...@apache.org> wrote:

> On Fri, Mar 12, 2021 at 5:39 AM Obuno <ob...@protonmail.com.invalid> wrote:
>
>> Hi there all,
>>
>> I'm testing Guacamole, and it is all working very well. I've integrated it with an LDAPS AD system and that all works well too; auths are fine, etc.
>> My issue is that in the event of a logoff and/or session timeout, I can't find a way to send a logoff event towards the AD/LDAP.
>
> Single Sign Off is something currently being worked as a whole in Guacamole Client, and there are several JIRA issues to cover this, mostly for the various SSO providers, but also a more generic one for being able to fire logout events for extensions that need to do that. However, there's nothing concrete implemented today.
>
>> The idea behind this requirement is to provide further authorizations (NGFWs) using a 3rd-party SSO scheme which gathers users' login/logoff events done at AD.
>> Hence, users belonging to the correct Guacamole-tied groups pop up, but never disappear in the SSO scheme.
>
> Aside from the challenge of Guacamole Client being able to send SLO events, which is being addressed, the other challenge I see here is that I don't know of a "Logout" call in LDAP, outside of just unbinding, which is generally done automatically when the LDAP connection is shut down. What you're doing would likely require some custom LDAP calls that are likely to be fairly unique to your implementation and that aren't going to be widely used or supported by more "stock" versions of directory servers. If we can come up with a way to integrate it into the code such that it's something you could easily turn on required, I'm not opposed. That said, it is going to take some coding - there's nothing implemented today that would allow you to do this - and this is fairly high-level and theoretical. Deciding on a direction for this would require some more detail on what you're trying to do and how it works with AD.
>
> -Nick

Re: LDAP(s) logoff's

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Mar 12, 2021 at 5:39 AM Obuno <ob...@protonmail.com.invalid> wrote:

> Hi there all,
>
> I'm testing Guacamole, and it is all working very well. I've integrated it
> with an LDAPS AD system and that all works well too; auths are fine, etc.
> My issue is that in the event of a logoff and/or session timeout, I
> can't find a way to send a logoff event towards the AD/LDAP.
>
>
Single Sign Off is something currently being worked as a whole in Guacamole
Client, and there are several JIRA issues to cover this, mostly for the
various SSO providers, but also a more generic one for being able to fire
logout events for extensions that need to do that. However, there's nothing
concrete implemented today.


> The idea behind this requirement is to provide further authorizations
> (NGFWs) using a 3rd-party SSO scheme which gathers users' login/logoff
> events done at AD.
> Hence, users belonging to the correct Guacamole-tied groups pop up,
> but never disappear in the SSO scheme.
>
>
Aside from the challenge of Guacamole Client being able to send SLO events,
which is being addressed, the other challenge I see here is that I don't
know of a "Logout" call in LDAP, outside of just unbinding, which is
generally done automatically when the LDAP connection is shut down. What
you're doing would likely require some custom LDAP calls that are likely to
be fairly unique to your implementation and that aren't going to be widely
used or supported by more "stock" versions of directory servers. If we can
come up with a way to integrate it into the code such that it's something
you could easily turn on required, I'm not opposed. That said, it is going
to take some coding - there's nothing implemented today that would allow
you to do this - and this is fairly high-level and theoretical. Deciding on
a direction for this would require some more detail on what you're trying
to do and how it works with AD.

-Nick