On Fri, Feb 2, 2018 at 01:42 Mike Jumper <mike.jum...@guac-dev.org> wrote:

> Hello all,
>
> I'm beginning to think we should look to moving away from using the old
> "user-mapping.xml" mechanism, and migrate toward some non-XML (JSON? YAML?
> both?) format with more modern guac features.


Sounds good to me. I like the idea of JSON - it's popular right now, which
means there are plenty of tools that can read it and manipulate it.


>
> The "user-mapping.xml" mechanism has existed for almost as long as
> Guacamole itself, but suffers from some problems:
>
> 1) It's XML, and as such is a bit overly verbose.
> 2) It relies on unsalted MD5 for password storage, which is questionable at
> best.
> 3) It's not recommended for production use, aimed mainly at getting things
> running quickly for a proof-of-concept that will eventually be migrated to
> the database, etc. ... but this is only known anecdotally. Our
> documentation still demonstrates the use of "user-mapping.xml" as if it's
> the main way to configure things.
> 4) It's built off the SimpleAuthenticationProvider version of the extension
> API, which lacks support for the newer objects and cannot delegate
> authentication to something else. There have been a few cases where users
> have tried to combine "user-mapping.xml" with LDAP or similar, and have run
> into problems as a result.


Yeah, this would be nice.


>
> I'd like for things to move in a direction where the default, built-in
> authentication mechanism is one which *can* be used in a production
> environment, with the use of that authentication mechanism actually being
> recommendable for cases not needing the complexity of a database or LDAP,
> and which is built upon a format which is more practical than XML.



I've also been trying to get a JDBC module working for a file-backed
database that would be relatively easy to set up for people trying to get
going quickly.  Unfortunately that hit a snag with a bug in the SQLite JDBC
driver, but sounds like this might be a better direction!

-Nick
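
As an added illustration of problem 2 in the quoted list (not code from the Guacamole project or from either poster): a short Python audit of a "user-mapping.xml" file that reports entries stored in plaintext or as unsalted MD5, and groups users whose digests are identical, which is what the missing salt exposes. The sample file, usernames and passwords are constructed; the `authorize` element with `username`, `password` and `encoding` attributes follows the documented user-mapping.xml layout.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict


def _md5(password):
    """Unsalted MD5 hex digest, as stored when encoding="md5" is used."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed sample: two users happen to share a password, one is plaintext.
SAMPLE = f"""<user-mapping>
  <authorize username="alice" password="{_md5('Winter2018')}" encoding="md5"/>
  <authorize username="bob" password="{_md5('Winter2018')}" encoding="md5"/>
  <authorize username="carol" password="hunter2"/>
</user-mapping>"""


def audit(xml_text):
    """Return (plaintext_users, md5_users, groups_sharing_a_digest)."""
    plaintext, md5_users = [], []
    by_digest = defaultdict(list)
    for entry in ET.fromstring(xml_text).iter("authorize"):
        user = entry.get("username", "")
        encoding = entry.get("encoding")
        if encoding is None:
            # No encoding attribute: the password attribute is the password itself.
            plaintext.append(user)
        elif encoding.lower() == "md5":
            md5_users.append(user)
            by_digest[entry.get("password", "").lower()].append(user)
    # Without a salt, equal passwords always produce equal digests, so
    # anyone who can read the file learns which accounts share a password.
    shared = sorted(sorted(users) for users in by_digest.values() if len(users) > 1)
    return plaintext, md5_users, shared


if __name__ == "__main__":
    plaintext, md5_users, shared = audit(SAMPLE)
    print("plaintext passwords:", plaintext)
    print("unsalted MD5 entries:", md5_users)
    print("users sharing a digest:", shared)
```
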
