Posted to user@guacamole.apache.org by "Patrick L Archibald ☮ (PLA)" <pa...@gmail.com> on 2016/10/31 13:51:56 UTC

Apache front end with HTTP Basic authentication Windows AD LDAP - username and password tokens

Hi,

Our Intranet is an Apache front end configured with HTTP Basic
authentication via LDAP to a Windows AD. Apache uses ProxyPass
websocket-tunnel to the Guac Tomcat application server.

I would like to pass the HTTP Basic authentication user name and
password to Windows 2008 R2 RDS VMs and Windows 7 VMs. I had
noauth-config.xml configured like so:

    <config name="w7vdi007" protocol="rdp">
      <param name="hostname" value="w7vdi007.mydomain.lcl" />
      <param name="port" value="3389" />
      <param name="username" value="${GUAC_USERNAME}" />
      <param name="password" value="${GUAC_PASSWORD}" />
      <param name="domain" value="mydomain" />
    </config>

This actually worked except the GUAC_USERNAME and GUAC_PASSWORD were
the same for everyone, apparently the first one to use it.

Before I roll my own authentication, is there a BASIC_USERNAME and
BASIC_PASSWORD token?

Any other suggestions?

Thanks, PLA

Re: Apache front end with HTTP Basic authentication Windows AD LDAP - username and password tokens

Posted by "Patrick L Archibald ☮ (PLA)" <pa...@gmail.com>.
Thanks Mike. I ended up writing an authentication extension for
Guacamole as described in Chapter 18. It sets the username and
password in the GuacamoleConfiguration from the Authentication header
in the servlet request. I see from your explanation I could have just
configured LDAP in Guac and it would have handled that. My
authentication extension does a lookup for the user's RDP server that
already existed in a database table so at least I didn't have to
modify the LDAP schema. Thanks again. Guac rocks!
R☮ck on, PLA

Patrick L Archibald
http://PatrickArchibald.com


On Sat, Nov 5, 2016 at 2:34 AM, Mike Jumper <mi...@guac-dev.org> wrote:
> On Mon, Oct 31, 2016 at 6:51 AM, Patrick L Archibald (PLA) ☮
> <pa...@gmail.com> wrote:
>>
>> Hi,
>>
>> Our Intranet is an Apache front end configured with HTTP Basic
>> authentication via LDAP to a Windows AD. Apache uses ProxyPass
>> websocket-tunnel to the Guac Tomcat application server.
>>
>> I would like to pass the HTTP Basic authentication user name and
>> password to Windows 2008 R2 RDS VMs and Windows 7 VMs.
>
>
> Guacamole will do this automatically, at least in part. If the
> "Authorization" header is present from HTTP Basic authentication,
> Guacamole's authentication system will automatically pull the username and
> password and pass them to installed authentication extensions.
>
>>
>> I had noauth-config.xml configured like so:
>
>
> If you want usernames or passwords to have any meaning, using NoAuth (the
> extension which effectively neuters the authentication system) is definitely
> not the way to go. More on this below.
>
>>
>> Before I roll my own authentication, is there a BASIC_USERNAME and
>> BASIC_PASSWORD token?
>>
>
> There are no such tokens, but if there is no true separation of identity
> between the user authenticating via HTTP Basic and the user authenticating
> with the RDP server, I think it would be a mistake to try to force such a
> separation within Guacamole. It would be better to embrace Guacamole's
> concept of a user and credentials, and allow the layers to communicate
> properly.
>
> For an arbitrary user X, you currently have the following layers, connected
> in order:
>
> 1) Proxy (configured to verify and recognize user X)
> 2) Guacamole (configured to not recognize anyone thanks to NoAuth)
> 3) RDP (configured to verify and recognize user X)
>
> The system here breaks down because the middle layer (Guacamole) has been
> explicitly configured to not care about identity. What you should be doing
> instead is:
>
> 1) Proxy (configured to verify and recognize user X)
> 2) Guacamole (configured to verify and recognize user X)
> 3) RDP (configured to verify and recognize user X)
>
> If each layer is configured to verify and recognize the user in the same
> way, then each layer will function as expected, including the behavior of
> things like the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens.
>
>> Any other suggestions?
>>
>
> I'd recommend using the LDAP authentication included with Guacamole, either
> on its own or together with a database. As long as you configure the LDAP
> authentication to use the same Windows AD server as your proxy, the
> username/password within the HTTP Basic authentication will just magically
> work, and users will not need to manually log in.
>
> You would end up with a system which re-verifies the credentials provided,
> and then pulls connection data from elsewhere. If eventually someone manages
> to access your Guacamole server without going through your authenticating
> proxy, Guacamole would itself enforce authentication, and things remain
> secure.
>
> Thanks,
>
> - Mike
>

Re: Apache front end with HTTP Basic authentication Windows AD LDAP - username and password tokens

Posted by Mike Jumper <mi...@guac-dev.org>.
On Mon, Oct 31, 2016 at 6:51 AM, Patrick L Archibald (PLA) ☮ <patrick.archibald@gmail.com> wrote:

> Hi,
>
> Our Intranet is an Apache front end configured with HTTP Basic
> authentication via LDAP to a Windows AD. Apache uses ProxyPass
> websocket-tunnel to the Guac Tomcat application server.
>
> I would like to pass the HTTP Basic authentication user name and
> password to Windows 2008 R2 RDS VMs and Windows 7 VMs.


Guacamole will do this automatically, at least in part. If the
"Authorization" header is present from HTTP Basic authentication,
Guacamole's authentication system will automatically pull the username and
password and pass them to installed authentication extensions.


> I had noauth-config.xml configured like so:
>

If you want usernames or passwords to have any meaning, using NoAuth (the
extension which effectively neuters the authentication system) is
definitely not the way to go. More on this below.


> Before I roll my own authentication, is there a BASIC_USERNAME and
> BASIC_PASSWORD token?
>
>
There are no such tokens, but if there is no true separation of identity
between the user authenticating via HTTP Basic and the user authenticating
with the RDP server, I think it would be a mistake to try to force such a
separation within Guacamole. It would be better to embrace Guacamole's
concept of a user and credentials, and allow the layers to communicate
properly.

For an arbitrary user X, you currently have the following layers, connected
in order:

1) Proxy (configured to verify and recognize user X)
2) Guacamole (configured to not recognize anyone thanks to NoAuth)
3) RDP (configured to verify and recognize user X)

The system here breaks down because the middle layer (Guacamole) has been
explicitly configured to not care about identity. What you should be doing
instead is:

1) Proxy (configured to verify and recognize user X)
2) Guacamole (configured to verify and recognize user X)
3) RDP (configured to verify and recognize user X)

If each layer is configured to verify and recognize the user in the same
way, then each layer will function as expected, including the behavior of
things like the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens.

> Any other suggestions?
>
>
I'd recommend using the LDAP authentication included with Guacamole, either
on its own or together with a database. As long as you configure the LDAP
authentication to use the same Windows AD server as your proxy, the
username/password within the HTTP Basic authentication will just magically
work, and users will not need to manually log in.

You would end up with a system which re-verifies the credentials provided,
and then pulls connection data from elsewhere. If eventually someone
manages to access your Guacamole server without going through your
authenticating proxy, Guacamole would itself enforce authentication, and
things remain secure.

Thanks,

- Mike
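
An added example, not code from the Guacamole project and not the extension Patrick describes writing, showing what Mike's three-layer advice looks like in a custom extension: layer 2 (Guacamole) verifies user X itself before handing the same credentials to layer 3 (RDP). It relies on the behaviour Mike describes above, that Guacamole fills the Credentials object from the HTTP Basic "Authorization" header, so the extension never parses the header itself. The class name, the "basic-to-rdp-example" identifier, the AD URL, the NetBIOS domain and the in-memory user-to-host map (standing in for the database table Patrick mentions) are all assumptions for illustration. It compiles against the 0.9.x guacamole-ext API (SimpleAuthenticationProvider, Credentials, GuacamoleConfiguration).

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.simple.SimpleAuthenticationProvider;
import org.apache.guacamole.protocol.GuacamoleConfiguration;

/**
 * Example extension (assumed names throughout). Guacamole populates
 * Credentials from the Basic "Authorization" header or the login form;
 * this provider re-verifies them with an LDAP simple bind against the
 * same AD the proxy uses, then returns one RDP connection for the user.
 */
public class BasicToRdpAuthenticationProvider extends SimpleAuthenticationProvider {

    // Placeholder AD endpoint and NetBIOS domain. ldaps:// so the
    // password is not re-sent in clear text on the way to the DC.
    private static final String AD_LDAP_URL = "ldaps://dc01.mydomain.lcl:636";
    private static final String AD_DOMAIN   = "mydomain";

    // Hypothetical stand-in for the database table of user -> RDP host.
    private static final Map<String, String> RDP_HOST_BY_USER;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("alice", "w7vdi007.mydomain.lcl");
        m.put("bob",   "w7vdi008.mydomain.lcl");
        RDP_HOST_BY_USER = Collections.unmodifiableMap(m);
    }

    @Override
    public String getIdentifier() {
        return "basic-to-rdp-example";
    }

    /**
     * Layer-2 check: bind to AD as DOMAIN\user with the supplied password.
     * An empty password is rejected up front because an LDAP simple bind
     * with no password is an anonymous bind and would "succeed".
     */
    static boolean verifyWithAd(String username, String password) {
        if (username == null || username.isEmpty()
                || password == null || password.isEmpty())
            return false;

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, AD_LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, AD_DOMAIN + "\\" + username);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the bind is the check
            return true;
        } catch (AuthenticationException e) {
            return false;                        // wrong username/password
        } catch (NamingException e) {
            return false;                        // AD unreachable: fail closed
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    @Override
    public Map<String, GuacamoleConfiguration> getAuthorizedConfigurations(
            Credentials credentials) throws GuacamoleException {

        String username = credentials.getUsername();
        String password = credentials.getPassword();

        // Returning null denies access: Guacamole prompts for credentials
        // instead of trusting whatever arrived from the proxy.
        if (!verifyWithAd(username, password))
            return null;

        String host = RDP_HOST_BY_USER.get(username.toLowerCase());
        if (host == null)
            return null;   // authenticated, but no desktop assigned

        // Layer 3 gets the same identity. A fresh configuration is built per
        // request with the values set directly, so no object shared between
        // users is ever modified.
        GuacamoleConfiguration config = new GuacamoleConfiguration();
        config.setProtocol("rdp");
        config.setParameter("hostname", host);
        config.setParameter("port", "3389");
        config.setParameter("username", username);
        config.setParameter("password", password);
        config.setParameter("domain", AD_DOMAIN);

        Map<String, GuacamoleConfiguration> configs =
                new HashMap<String, GuacamoleConfiguration>();
        configs.put("desktop", config);
        return configs;
    }
}
```

Packaged as a .jar with a guac-manifest.json in GUACAMOLE_HOME/extensions, this gives the layering Mike describes: a request that reaches Tomcat without passing through the authenticating proxy still has to present a username and password that AD accepts. As Mike notes, the bundled LDAP extension pointed at the same AD server gives the same result without custom code; the example only shows where the verification has to sit when an extension is written by hand.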