necouchman opened a new pull request #507:
URL: https://github.com/apache/guacamole-client/pull/507


   The issue mentioned here deals with relaxing the username requirements for 
logging into Guacamole via LDAP, the core part of which seems to be allowing 
direct binds by AD-style usernames (UPNs) without having to search the tree 
using a specific username and password specified in guacamole.properties.  This 
PR implements a couple of components that make it possible for the username 
entered in the Guacamole logon page to be used directly by the LDAP directory 
to search for itself and bind without the requirement for a separate search 
account.  It also allows for anonymous binds (does anyone allow those 
anymore?!) and tries to be as backward-compatible as possible.
   
   I'm going to put the PR in draft mode at the moment - it relies on another 
issue to be closed (944), and, while the code here works, I want to review it 
a couple more times and make sure it is sane.  It seems like it might be 
good to check the username coming into the logon box against some criteria - 
maybe similar to the changes proposed for 944, it could be passed through a 
RegEx to make sure it's either a standard username or a UPN, or checked as a 
valid DN?  Whatever the options, we need to make sure that we're not opening up 
directory services to attacks that could be propagated by abusing the username 
box (LDAP Injection, etc.).


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
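
The login-box check raised in the PR description, as an added Java example that is not code from this PR or from Guacamole: it accepts only a plain username, a UPN, or a syntactically valid DN, and escapes values per RFC 4515 before they are placed in a search filter. The class name, the two patterns and the length limits are assumptions to be tuned to the directory's naming policy; DN syntax is checked with the JDK's `javax.naming.ldap.LdapName`.

```java
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
// Hypothetical helper, not part of Guacamole: validates the login-box value before any LDAP use.
public class LoginNameCheck {
    enum Kind { USERNAME, UPN, DN, REJECTED }

    // Constructed allow-lists (assumptions): adjust to the directory's naming policy.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");
    private static final Pattern UPN = Pattern.compile("[A-Za-z0-9._-]{1,64}@[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)+");

    /** Classifies the login-box value; anything not recognised is rejected. */
    static Kind classify(String input) {
        if (input == null || input.isEmpty() || input.length() > 256)
            return Kind.REJECTED;
        if (USERNAME.matcher(input).matches()) return Kind.USERNAME;
        if (UPN.matcher(input).matches()) return Kind.UPN;
        try {
            // LdapName parses RFC 2253 syntax and throws on a malformed DN.
            if (input.contains("=") && new LdapName(input).size() > 0) return Kind.DN;
        } catch (InvalidNameException e) {
            // Not a DN: fall through to rejection.
        }
        return Kind.REJECTED;
    }

    /** RFC 4515 escaping for a value placed inside a search-filter assertion. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String[] samples = { "jdoe", "jdoe@example.com",           // constructed inputs
            "uid=jdoe,ou=people,dc=example,dc=com", "*)(uid=*", "jdoe)(|(uid=*" };
        for (String s : samples)
            System.out.println(classify(s) + "  " + s + "  filter-safe: " + escapeFilterValue(s));
    }
}
```

A value classified as `DN` is suitable for a direct bind only; if it is ever interpolated into a search filter it still needs `escapeFilterValue`, because DN attribute values may legally contain `*`, `(` and `)`.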

