Posted to user@guacamole.apache.org by xia <si...@alpert.org> on 2019/11/27 04:00:56 UTC

CAS user attributes and logout issues

Hi,

Guacamole is an incredible project - LOVE IT - ...but recently I've strayed
into trying to make it work with CAS...I'm thinking I may have wandered into
a dark forgotten corner...

Two questions...I can't seem to resolve...

1. I've configured the CAS extension (with Clearpass).  Is there a way to
get the extension to pull user attributes (such as group membership) from
the CAS session (they are being sent and logged by Guacamole, but don't seem
to resolve as group membership) or pull them from LDAP?   

The database seems to work (mysql, and that's where my connections are) but
I'd prefer to not have to replicate group memberships in the database...my
current LDAP-based Guacamole has groups and connections in the database, but
pulls group associations with the LDAP-authentication. 

2. Logout with CAS does not seem to be acting sane (inconsistent,
occasionally bounces back and forth between CAS and Guacamole, sometimes
lands on CAS login...never quite logging the user out, often resulting in
Guacamole errors), yet I see no settings that pertain to logout...what am I
missing?  Please help...

Best Regards,

Stew




--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: CAS user attributes and logout issues

Posted by xia <si...@alpert.org>.
Hi Nick-

Thanks for the reply.

Since it needed doing, and I wanted it...I figured I'd take a crack at doing
it.  I've created a pull request for a proposed and functioning solution to
PR GUACAMOLE-793.  It works (at least for my use-case)!  Needs doc, and
probably a few other things (which I suppose will come with review).  

For now it adds two more configuration options to guacamole.properties:

1. To set the attribute used for group membership:
cas-group-attribute: memberOf

2. To "clean up" DNs when the backing store for CAS is LDAP:
cas-group-dn-format: CN=%s,OU=People,DC=example,DC=com
This option allows the extension to receive a full DN specification from CAS
such as "CN=foo,OU=People,DC=example,DC=com" and reduce it to "foo."  This
parameter should be omitted for CAS that isn't LDAP-backed.

Now if I could figure out how to make Logout work, I can get on with
deploying this to production...would you have any guidance on an
architecturally acceptable way to implement that?  How did you do it when
you ran CAS in production?

--Stew




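As an added, stand-alone illustration of the two proposed properties described above (example code written for this page, not the CAS extension's code or the PR's), the following Python shows one way the `cas-group-attribute` and `cas-group-dn-format` values could be interpreted: the `%s` in the format marks the RDN whose value becomes the group name, the other RDNs are compared case-insensitively as LDAP does, and a DN that lives in a different container is dropped rather than shortened, so a group in another OU can never collapse onto the same bare name as one under `OU=People`. Function names and the sample attribute map are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set, Union

# Constructed sample of CAS attributes (not a real CAS payload). The third DN
# deliberately sits outside OU=People to show that it is not reduced.
SAMPLE_CAS_ATTRIBUTES = {
    "uid": "stew",
    "memberOf": [
        "CN=guac-users,OU=People,DC=example,DC=com",
        "cn=Admins, ou=people, dc=example, dc=com",
        "CN=domain-admins,OU=Privileged,DC=example,DC=com",
    ],
}

def _split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas, ignoring whitespace around each RDN."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def group_from_dn(dn: str, dn_format: str) -> Optional[str]:
    """Return the value at the %s position of dn_format, or None if the DN's
    other RDNs do not match it (attribute names and fixed values compare
    case-insensitively). A DN from another container is rejected, not shortened."""
    fmt_rdns, dn_rdns = _split_rdns(dn_format), _split_rdns(dn)
    if len(fmt_rdns) != len(dn_rdns):
        return None
    name = None
    for fmt_rdn, rdn in zip(fmt_rdns, dn_rdns):
        fmt_attr, _, fmt_val = (s.strip() for s in fmt_rdn.partition("="))
        attr, _, val = (s.strip() for s in rdn.partition("="))
        if fmt_attr.lower() != attr.lower():
            return None
        if fmt_val == "%s":
            name = val  # keep the group's original case for the lookup
        elif fmt_val.lower() != val.lower():
            return None
    return name

def groups_from_cas_attributes(attributes: Dict[str, Union[str, List[str]]],
                               group_attribute: str,
                               dn_format: Optional[str] = None) -> Set[str]:
    """Collect group names from the configured attribute (single- or multi-valued).
    Without dn_format raw values are used; with it, non-matching values are dropped."""
    raw = attributes.get(group_attribute, [])
    values = [raw] if isinstance(raw, str) else raw
    groups: Set[str] = set()
    for value in values:
        name = value if dn_format is None else group_from_dn(value, dn_format)
        if name:
            groups.add(name)
    return groups
```

Note that with the format set, `domain-admins` from `OU=Privileged` is silently excluded rather than being granted the `OU=People` short name, which is the behaviour to watch for in logs when a user unexpectedly lacks a group.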


Re: CAS user attributes and logout issues

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Nov 27, 2019 at 1:27 PM xia <si...@alpert.org> wrote:

> Ok, I may have answered my own questions on this by finding the Jira site
> (I
> apologize for posting before looking more carefully...) and noting that
> there are PRs that cover some/most of this.  It appears that the only
> handling of CAS attributes is to convert them to tokens, so no handling of
> groups (wondering if I can somehow make connection decisions based on
> tokens...something to play with).  Still wonder if there's a way to pull
> attributes from LDAP...(I'm guessing not yet) ¯\_(ツ)_/¯
>
>
Yep, you are correct - the CAS extension needs to implement attributes, and
there is a PR out there that handles this.  It should also be possible to
implement group handling in the CAS module - basically just need to allow
the config file to specify what CAS attribute will contain group names and
parse them out, and then implement the bits that would provide that
information to other components.  Very doable, just needs to be done.


> And...no logout (yet)...Is anyone actually using any of the SSO modules in
> a
> production environment? If so, I'd like to hear what they do... That does
> seem to be a fairly significant security defect...
>
>
I did use CAS for a while in production; however, I was doing it without
ClearPass and I found it more useful to just authenticate straight to AD
and have the user password available as a token to use when logging into
RDP servers.  I do intend to go back and re-work things with CAS +
ClearPass + Guacamole so that I have the best of all three worlds, just
have not gotten around to it, yet.

-Nick

Re: CAS user attributes and logout issues

Posted by xia <si...@alpert.org>.
Ok, I may have answered my own questions on this by finding the Jira site (I
apologize for posting before looking more carefully...) and noting that
there are PRs that cover some/most of this.  It appears that the only
handling of CAS attributes is to convert them to tokens, so no handling of
groups (wondering if I can somehow make connection decisions based on
tokens...something to play with).  Still wonder if there's a way to pull
attributes from LDAP...(I'm guessing not yet) ¯\_(ツ)_/¯

And...no logout (yet)...Is anyone actually using any of the SSO modules in a
production environment? If so, I'd like to hear what they do... That does
seem to be a fairly significant security defect...



