Posted to user@guacamole.apache.org by Vieri <re...@yahoo.com> on 2019/04/23 10:03:13 UTC

dynamic param values for user-mapping.xml

Hi,

Is it possible to use the output of external scripts in order to define specific variables in user-mapping.xml?

For instance, suppose I have something like this:

<user-mapping>

    <authorize username="test" password="test">

        <connection name="Terminal Server 2012">
            <protocol>rdp</protocol>
            <param name="hostname">SCRIPT_GENERATED_OUTPUT</param>
            <param name="ignore-cert">true</param>
            <param name="security">nla</param>
            <param name="username">SCRIPT_GENERATED_OUTPUT</param>
            <param name="password"> SCRIPT_GENERATED_OUTPUT</param>
            <param name="domain"> SCRIPT_GENERATED_OUTPUT</param>
        </connection>

    </authorize>

</user-mapping>

I know I could try to use the LDAP/AD authenticator extension, but:

1) AD is not officially supported, and I'd need to modify the schema with something like this: https://glyptodon.com/jira/secure/attachment/13006/Guacamole%20LDAP%20Authentication%20with%20Active%20Directory.pdf

2) I don't know yet if it is possible/easy to manage the NLA guacConfigParameter values for each user, ie. would I need to specify username, password and domain for each group when using NLA as security mode? That would mean I'd need to create a connection object for each AD user! Or does Guacamole try to use the same username and password as the ones used for the initial LDAP/AD bind even when using NLA?

Also note that I'd like the hostname to be dynamic too as I have a script that checks several things in order to determine which RDP server a user should connect to (eg. checks resource usage on every server, checks whether a previously connected user session was inadvertently cut off, etc., and finally outputs the name or IP address of the RDP server).

Thanks,

Vieri


Re: dynamic param values for user-mapping.xml

Posted by Mike Jumper <mj...@apache.org>.
On Tue, Apr 23, 2019 at 9:09 AM Nick Couchman <vn...@apache.org> wrote:

> ...
>
>
>> Also note that I'd like the hostname to be dynamic too as I have a script
>> that checks several things in order to determine which RDP server a user
>> should connect to (eg. checks resource usage on every server, checks
>> whether a previously connected user session was inadvertently cut off,
>> etc., and finally outputs the name or IP address of the RDP server).
>>
>
> This would be more difficult to do, and would probably be the right place for
> a custom authentication extension that does these checks and keeps track of
> things for you.  A script would work with the user-mapping.xml file, but,
> again, that would lack authentication integration with any of the other
> modules, so I think that would probably be less helpful than writing an
> extension.
>

This is essentially what we've done at my day job to provide a live demo.
We don't use user-mapping.xml, but we store a partially variable set of
connection parameters within a static JSON file and leverage custom
parameter tokens to define the variable portions, such as the IP address of
the machine chosen to fulfill the connection request and the username
assigned to the connection. The selection of machine is driven by sampling
system load, similar to what Vieri is describing.

It does require writing an extension but is definitely doable.

- Mike

Re: dynamic param values for user-mapping.xml

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Apr 23, 2019 at 6:03 AM Vieri <re...@yahoo.com> wrote:

> Hi,
>
> Is it possible to use the output of external scripts in order to define
> specific variables in user-mapping.xml?
>

Yes, this is possible; however, my question would be, why do this instead
of just setting up the JDBC module?  It seems like a lot of effort to go to
in order to get this working in the user-mapping.xml file, which the JDBC
module would definitely allow you to use Parameter Tokens for much of this.


> I know I could try to use the LDAP/AD authenticator extension, but:
>
> 1) AD is not officially supported, and I'd need to modify the schema with
> something like this:
> https://glyptodon.com/jira/secure/attachment/13006/Guacamole%20LDAP%20Authentication%20with%20Active%20Directory.pdf
>
> 2) I don't know yet if it is possible/easy to manage the NLA
> guacConfigParameter values for each user, ie. would I need to specify
> username, password and domain for each group when using NLA as security
> mode? That would mean I'd need to create a connection object for each AD
> user! Or does Guacamole try to use the same username and password as the
> ones used for the initial LDAP/AD bind even when using NLA?
>
>
I would suggest using LDAP/AD + JDBC for this.  That way you can have users
authenticate with LDAP/AD, but you don't have to change the Active
Directory schema.  Then you can use the Parameter tokens, as you already
mentioned, to fill in username and password for NLA.  The parameter tokens
(${GUAC_USERNAME} and ${GUAC_PASSWORD}) won't work with the user-mapping.xml
file - you cannot use these values in that file.


> Also note that I'd like the hostname to be dynamic too as I have a script
> that checks several things in order to determine which RDP server a user
> should connect to (eg. checks resource usage on every server, checks
> whether a previously connected user session was inadvertently cut off,
> etc., and finally outputs the name or IP address of the RDP server).
>

This would be more difficult to do, and would probably be the right place for
a custom authentication extension that does these checks and keeps track of
things for you.  A script would work with the user-mapping.xml file, but,
again, that would lack authentication integration with any of the other
modules, so I think that would probably be less helpful than writing an
extension.

-Nick
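
The script-driven variant mentioned above (a script that writes user-mapping.xml), as an added example that is not part of the original thread or of Guacamole itself: it builds the file from script output with XML escaping and replaces it atomically with owner-only permissions. `pick_host`, the host names and the credential values are hypothetical and constructed for illustration; the element and parameter names are those from the original post.

```python
import os
import tempfile
import xml.etree.ElementTree as ET


def pick_host(load_by_host):
    """Hypothetical stand-in for the selection script: least-loaded host wins."""
    return min(load_by_host, key=load_by_host.get)


def build_user_mapping(login_user, login_password, conn_name, params):
    """Return user-mapping.xml text for one login with one RDP connection."""
    root = ET.Element("user-mapping")
    auth = ET.SubElement(root, "authorize",
                         username=login_user, password=login_password)
    conn = ET.SubElement(auth, "connection", name=conn_name)
    ET.SubElement(conn, "protocol").text = "rdp"
    for name, value in params.items():
        # ElementTree escapes &, < and > on serialisation, so script output
        # cannot break out of its <param> element.
        ET.SubElement(conn, "param", name=name).text = value
    return ET.tostring(root, encoding="unicode")


def write_atomically(path, text):
    """Write the file with mode 0600, then rename it into place."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".user-mapping.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:  # mkstemp: 0600
            fh.write(text)
        os.replace(tmp, path)  # readers never see a half-written file
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Constructed sample values; a real run would take them from the script.
    host = pick_host({"rdp1.example.net": 0.82, "rdp2.example.net": 0.17})
    xml_text = build_user_mapping("test", "test", "Terminal Server 2012", {
        "hostname": host, "security": "nla", "username": "jdoe",
        "password": "s3cr&t<pw>", "domain": "EXAMPLE"})
    write_atomically("user-mapping.xml", xml_text)
```

The generated file holds cleartext credentials, so the script has to run as (or hand ownership to) the account the servlet container uses to read it.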

Re: dynamic param values for user-mapping.xml

Posted by Joachim Lindenberg <jo...@lindenberg.one>.
Hi Vieri,
I'd expect Mike or Nick to cite https://guacamole.apache.org/faq/#integrate-auth... and I can confirm it is doable.
Best Regards, Joachim

-----Original Message-----
From: Vieri <re...@yahoo.com>
Sent: Tuesday, 23 April 2019 13:53
To: user@guacamole.apache.org
Subject: Re: dynamic param values for user-mapping.xml

 
On Tuesday, April 23, 2019, 12:03:29 PM GMT+2, Vieri <re...@yahoo.com> wrote: 
>
>            <param name="hostname">SCRIPT_GENERATED_OUTPUT</param>

I may need to use ${GUAC_USERNAME} and ${GUAC_PASSWORD} within the LDAP/AD connection object. That may solve part of my question.
However, I still don't know how to dynamically change "hostname".

Vieri


Re: dynamic param values for user-mapping.xml

Posted by Vieri <re...@yahoo.com>.
 
On Tuesday, April 23, 2019, 12:03:29 PM GMT+2, Vieri <re...@yahoo.com> wrote: 
>
>            <param name="hostname">SCRIPT_GENERATED_OUTPUT</param>

I may need to use ${GUAC_USERNAME} and ${GUAC_PASSWORD} within the LDAP/AD connection object. That may solve part of my question.
However, I still don't know how to dynamically change "hostname".

Vieri