On Fri, Feb 2, 2018 at 01:42 Mike Jumper <mike.jum...@guac-dev.org> wrote:

> Hello all,
> I'm beginning to think we should look to moving away from using the old
> "user-mapping.xml" mechanism, and migrate toward some non-XML (JSON? YAML?
> both?) format with more modern guac features.

Sounds good to me. I like the idea of JSON - it's popular right now, which
means there are plenty of tools that can read it and manipulate it.

> The "user-mapping.xml" mechanism has existed for almost as long as
> Guacamole itself, but suffers from some problems:
> 1) It's XML, and as such is a bit overly verbose.
> 2) It relies on unsalted MD5 for password storage, which is questionable at
> best.
> 3) It's not recommended for production use, aimed mainly at getting things
> running quickly for a proof-of-concept that will eventually be migrated to
> the database, etc. ... but this is only known anecdotally. Our
> documentation still demonstrates the use of "user-mapping.xml" as if it's
> the main way to configure things.
> 4) It's built off the SimpleAuthenticationProvider version of the extension
> API, which lacks support for the newer objects and cannot delegate
> authentication to something else. There have been a few cases where users
> have tried to combine "user-mapping.xml" with LDAP or similar, and have ran
> into problems as a result.

Yeah, this would be nice.

> I'd like for things to move in a direction where the default, built-in
> authentication mechanism is one which *can* be used in a production
> environment, with the use of that authentication mechanism actually being
> recommendable for cases not needing the complexity of a database or LDAP,
> and which is built upon a format which is more practical than XML.

I've also been trying to get a JDBC module working for a file-backed
database that would be relatively easy to set up for people trying to get
going quickly.  Unfortunately that hit a snag with a bug in the SQLite JDBC
driver, but sounds like this might be a better direction!


Reply via email to