Posted to user@guacamole.apache.org by Idhren <ro...@labri.fr> on 2020/08/27 08:02:42 UTC

CAS v1.2 issue + authorization question

Hello!

I have one issue with CAS authentication and one question about
authorization.
I installed Guacamole with CAS authentication. We tried SAML but without
success because our IDP needs some metadata from Guacamole itself. I decided
to use CAS instead.

The authentication works great but using the 1.1 version of the plugin. I
have a blank page when I use the 1.2 version. I guess there is an issue with
the latest?
I extracted the .jar file and found that some files seem to be missing
compared to v1.1. Am I wrong?

With v1.2, the only error I have is with httpd (working as a proxy):

[Thu Aug 27 09:18:18.821932 2020] [proxy_http:error] [pid 3681:tid
140035865179904] (70008)Partial results are valid but processing is
incomplete: [client <CLIENT_IP>:37194] AH01110: error reading response,
referer: https://<SERVER_URL>/

I increased the log level, see attached:  httpd_error_debug.txt
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t888/httpd_error_debug.txt>  
I have no log from tomcat (even with a trace loglevel)

It works fine with v1.1 of the plugin.

So... The thing is: I want to add some authorization behind that
authentication.
I tried to export some attributes, but the fields in Guacamole settings are
still blank after the login. (I thought the "mysql-auto-create-accounts:
true" option would be enough.)

Is there a way to give authorization by default to some users after they
log in using CAS?

My goal is:
User Y logs in using CAS --> auto-create account in mysql with imported
attribute from CAS --> authorize connection to X workstation for Y user.
I will use this Guacamole installation for hundreds of people... I would
like to avoid creating/editing each user and connection "manually".
LDAP connection with modified schema is not possible due to political reasons
:(

Is this possible using CAS? Or only using LDAP authentication? Am I
missing something?


