You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@guacamole.apache.org by Aaron Cayard-Roberts <ca...@earlham.edu> on 2022/03/07 21:18:03 UTC

How does cas-group-attribute work?

Hello all, 

We've been using guacamole for a couple of years with CAS for authentication and it's been great. We recently upgraded our system to 1.4 and everything has been working great. 

Currently, we're handling our groups (and connections) through the database extension but I was interested in trying out the cas-group-attribute. Is this option compatible with the database extension? I was expecting either new groups to be created and/or the membership of the groups to be updated based on the cas-group-attribute values of the user's session....but that doesn't seem to be happening. 


-Aaron 

-- 
Aaron Cayard-Roberts 
Senior Systems and Security Administrator 
Information Technology Services 
Earlham College 
801 National Road West 
Richmond, IN 47374 
Phone: 765-983-1851

Re: How does cas-group-attribute work?

Posted by Nick Couchman <vn...@apache.org>.

On Mon, Mar 7, 2022 at 4:18 PM Aaron Cayard-Roberts <ca...@earlham.edu>
wrote:

> Hello all,
>
> We've been using guacamole for a couple of years with CAS for
> authentication and it's been great.  We recently upgraded our system to 1.4
> and everything has been working great.
>
> Currently, we're handling our groups (and connections) through the
> database extension but I was interested in trying out the cas-group-attribute.
> Is this option compatible with the database extension?   I was expecting
> either new groups to be created and/or the membership of the groups to be
> updated based on the cas-group-attribute values of the user's
> session....but that doesn't seem to be happening.
>
>
Yes, the extension is "compatible" - really, stackable is the proper term -
with the database extension. That said, it probably won't work in exactly
the way you're expecting it to work. Users who log in via CAS can be
automatically created in the database extension, and you can also create
matching groups in the database extension and apply permissions to those
groups. However, the database extension won't automatically update its
version of group membership with the members that come through in the CAS
extension - rather, this will be evaluated dynamically and transparently
when the user logs in. In this way, there's no way for an admin in
Guacamole to see all of the members of a group that is populated via CAS
membership.

-Nick