MySQL User disabling enhancement

2016-09-15 Thread Paul Cantle
Hi All,

I originally raised this query here - 
https://sourceforge.net/p/guacamole/discussion/1110834/thread/2f715af2/ but 
then read that those forums aren’t really used for help these days.

I will add in my question here to save clicking the link. Hoping someone can 
offer some help.

Thanks all.

I'm currently using Guacamole 0.9.9 on CentOS with the MySQL extension. All is 
working well. I'm not however using the MySQL extension for authentication, I'm 
only using it for authorisation. I'm using SSO to handle the authentication 
side of things. This is also working fine.
The way the SSO plugin works is based on "username matching" to the user in the 
DB. If the names match, a login to the site is permitted, else it's denied and 
the user is shown the login screen. To that end, because the DB isn't handling 
authentication, disabling a user in the Guacamole GUI has no effect.

I'm wondering if I can enhance the following file: 
org/glyptodon/guacamole/auth/jdbc/user/UserMapper.xml to change what happens 
when a user is disabled:

Currently, this seems key:


UPDATE guacamole_user
SET password_hash = #{object.passwordHash,jdbcType=BINARY},
password_salt = #{object.passwordSalt,jdbcType=BINARY},
disabled = #{object.disabled,jdbcType=BOOLEAN},
expired = #{object.expired,jdbcType=BOOLEAN},
access_window_start = #{object.accessWindowStart,jdbcType=TIME},
access_window_end = #{object.accessWindowEnd,jdbcType=TIME},
valid_from = #{object.validFrom,jdbcType=DATE},
valid_until = #{object.validUntil,jdbcType=DATE},
timezone = #{object.timeZone,jdbcType=VARCHAR}
WHERE user_id = #{object.objectID,jdbcType=VARCHAR}


What I would like is to rename the user to disabled_ when the disabled 
flag is set. I know I can script this, but I'm trying to be "clever" by keeping 
it in the GUI. Something like the following SQL statement would probably do the 
job:

UPDATE guacamole_user SET user_id = concat('disabled_', user_id) WHERE 
disabled=1 AND user_id NOT LIKE 'disabled_%'

If I made that compatible with the above XML, would you suggest adding it as an 
entirely new statement within the  tags or try to make it fit with the 
existing statement? Is there a better place for it?

Either way, would it work, or would it possibly break everything? Happy to 
test, but would just like some thoughts from the experts if that's possible.
Thanks All.
Paul
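Added example, not from the thread and not Guacamole's own schema or mapper code: a constructed stand-in table that shows why the disabled flag has no effect when an external login step matches on the name alone, the rename from the post written so it can be run repeatedly, and its inverse so that re-enabling in the GUI can restore the name. It assumes the login name lives in a column called username (the post writes user_id) and that disabled is the 0/1 flag the GUI sets; the table name guacamole_user_demo and its rows are constructed for the example.

```sql
-- Added example: simplified stand-in for guacamole_user, not the real schema.
-- Assumption: the login name is in `username`, the GUI flag is `disabled`.
CREATE TABLE guacamole_user_demo (
    username VARCHAR(128) NOT NULL PRIMARY KEY,
    disabled TINYINT(1)   NOT NULL DEFAULT 0
);

-- Constructed rows: one active user, one disabled but not yet renamed,
-- one already renamed by an earlier run.
INSERT INTO guacamole_user_demo (username, disabled) VALUES
    ('alice', 0),
    ('bob',   1),
    ('disabled_carol', 1);

-- 1) The lookup an external-auth "username matching" step performs when it
--    only compares names: the flag is never consulted.
SELECT username
  FROM guacamole_user_demo
 WHERE username = 'bob';

--    The same lookup with the flag enforced, which is the direct fix.
SELECT username
  FROM guacamole_user_demo
 WHERE username = 'bob' AND disabled = 0;

-- 2) The rename from the post, made safe to re-run. The underscore is
--    escaped because `_` is a single-character wildcard in LIKE, so the
--    unescaped pattern 'disabled_%' would also match names like 'disabledX'.
UPDATE guacamole_user_demo
   SET username = CONCAT('disabled_', username)
 WHERE disabled = 1
   AND username NOT LIKE 'disabled\_%';

-- 3) The inverse: strip the prefix again once the flag has been cleared.
UPDATE guacamole_user_demo
   SET username = SUBSTRING(username, LENGTH('disabled_') + 1)
 WHERE disabled = 0
   AND username LIKE 'disabled\_%';

SELECT username, disabled FROM guacamole_user_demo ORDER BY username;
```

Against the constructed rows the first SELECT matches bob while the second does not, and the UPDATE renames bob to disabled_bob and leaves disabled_carol untouched. Two caveats if the rename is wired into the mapper's update: the PRIMARY KEY on username makes a collision with an existing disabled_ account fail loudly rather than silently merge two users, and the inverse statement will strip the prefix from any active account that legitimately starts with disabled_, so the prefix should be one no real account name uses. The flag check in the second SELECT is the more robust option, because it keeps the disabled flag as the single source of truth instead of encoding state in the name.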


Re: Client confusion

2016-09-15 Thread Chris

Hi Matthew,

(I'm just on the mailing list and not associated with the Guac' team).

Bob nailed this one further up in the thread - reverse proxy.  I have a 
Guac' server sitting in my DMZ and it's accessible via the web through a 
reverse Apache proxy server.  So, HTTPS to my web server (accessible 
from the Internet) then it reverse proxies that traffic via HTTP 
internally (on port ).  Rinse and repeat for the other sites.  
Personally (if I understand your scenario) I'd connect the sites via a 
VPN and route the traffic to a single Guac' server.


Rgds

C


On 15/09/16 15:51, Matthew Strowbridge wrote:

Good morning everyone,

Perhaps if I described my test scenario it will help to better explain 
what I am trying to accomplish and hopefully give you, the experts, 
the information necessary to tell me if this is possible and if so how 
to go about it.


I have Guacd, Guacamole Server, and Mysql-server running in Docker 
containers on a colocated physical server with direct internet access 
and public IP. Guacamole server utilizing mysql authentication. I have 
port 8080 mapped into port 8080 of my Guacamole Server container. My 
interest would be in being able to remote access machines running 
various operating systems at various locations, some behind firewalls 
some being servers directly accessible via public IP.


I have no issues setting up ssh configured devices in my Guac Home to 
connect to publicly accessible servers on the internet. The only 
benefit this gives me is a single location from which to access these 
servers via http connection to my Guac server. Now say for instance I 
want to use Guacamole to access client workstations and servers 
running various OS at their office locations behind firewalls. In 
order to use Guacamole it seems as though I would have to possibly run 
a Guacamole server at each location with a single port forward on the 
firewall into port 8080 of the Guac server or a reverse proxy at each 
location routing requests from my Guac server to the intended machines 
on the internal network. Is this correct, or am I looking at this the 
wrong way?


Thank you all for your time and information.

Regards,

Matthew Strowbridge
On Call Technology Services Inc.
(o)845.477.5208
(m)845.673.9678
(e)mjs@oct.services
http://www.oct.services




On Sep 15, 2016, at 9:48 AM, Matthew Strowbridge wrote:


Good morning Andrew and Bob,

First off Andrew thank you for your reply, however it added to my 
confusion somewhat. You mentioned "once you configured your devices 
to talk with Guac", this doesn't jive with me as in my installation 
it is Guac that talks to the devices being that there is no client on 
the devices to talk to Guac.


Bob, thank you as well for your input and again I must be looking at 
this incorrectly. Based on the reverse proxy scenario, say I have “X” 
number of sites with multiple devices behind a firewall at each site. 
Is it your recommendation to run a reverse proxy at each site in 
order to route requests from Guac to the devices without port 
forwarding through the firewall?


Regards,

Matthew Strowbridge
On Call Technology Services Inc.
(o)845.477.5208
(m)845.673.9678
(e)mjs@oct.services
http://www.oct.services





On Sep 14, 2016, at 10:42 PM, Andrew Sedlak wrote:


Hi,
I think the whole point of Guacamole is that it's a centralized 
system, allowing access through any web browser without the need for 
a client. Basically once you've configured all your devices to talk 
with Guacamole, you can access them all from a central point.
Myself I have a small setup when I have devices from two locations 
all coming together in Guacamole. This does require some ports to be 
opened and forwarded but once that's done, it's a fire and forget 
sort of deal.


Summary: This product is supposed to eliminate the need for client 
software.


On 15/09/2016 06:41, Matthew Strowbridge wrote:

Hello,

Guacamole newbie here and I have client questions I just can’t find 
answers to. This may not be how to go about asking but I am going 
to give it a shot.


I have Guacamole server up and running and have created an ssh 
connection to a colocated server with direct internet connection 
and dedicated IP address. I am able to connect to it through my 
Guacamole Home no problem.


What confuses me is if there is not a client I can run on computers 
behind a router/firewall that connects to Guacamole server and 
allows me to connect to them through the Guacamole server as well, 
what is the 

Re: Client confusion

2016-09-15 Thread Matthew Strowbridge
Good morning everyone,

Perhaps if I described my test scenario it will help to better explain what I 
am trying to accomplish and hopefully give you, the experts, the information 
necessary to tell me if this is possible and if so how to go about it. 

I have Guacd, Guacamole Server, and Mysql-server running in Docker containers 
on a colocated physical server with direct internet access and public IP. 
Guacamole server utilizing mysql authentication. I have port 8080 mapped into 
port 8080 of my Guacamole Server container. My interest would be in being able 
to remote access machines running various operating systems at various 
locations, some behind firewalls some being servers directly accessible via 
public IP. 

I have no issues setting up ssh configured devices in my Guac Home to connect 
to publicly accessible servers on the internet. The only benefit this gives me 
is a single location from which to access these servers via http connection to 
my Guac server. Now say for instance I want to use Guacamole to access client 
workstations and servers running various OS at their office locations behind 
firewalls. In order to use Guacamole it seems as though I would have to 
possibly run a Guacamole server at each location with a single port forward on 
the firewall into port 8080 of the Guac server or a reverse proxy at each 
location routing requests from my Guac server to the intended machines on the 
internal network. Is this correct, or am I looking at this the wrong way?

Thank you all for your time and information.

Regards,

Matthew Strowbridge
On Call Technology Services Inc.
(o)845.477.5208
(m)845.673.9678
(e)mjs@oct.services 
http://www.oct.services 


> On Sep 15, 2016, at 9:48 AM, Matthew Strowbridge wrote:
> 
> Good morning Andrew and Bob, 
> 
> First off Andrew thank you for your reply, however it added to my confusion 
> somewhat. You mentioned "once you configured your devices to talk with Guac", 
> this doesn’t jive with me as in my installation it is Guac that talks to the 
> devices being that there is no client on the devices to talk to Guac.
> 
> Bob, thank you as well for your input and again I must be looking at this 
> incorrectly. Based on the reverse proxy scenario, say I have “X” number of 
> sites with multiple devices behind a firewall at each site. Is it your 
> recommendation to run a reverse proxy at each site in order to route requests 
> from Guac to the devices without port forwarding through the firewall?
> 
> Regards,
> 
> Matthew Strowbridge
> On Call Technology Services Inc.
> (o)845.477.5208
> (m)845.673.9678
> (e)mjs@oct.services 
> http://www.oct.services 
> 
> 
>> On Sep 14, 2016, at 10:42 PM, Andrew Sedlak wrote:
>> 
>> Hi,
>> I think the whole point of Guacamole is that it's a centralized system, 
>> allowing access through any web browser without the need for a client. 
>> Basically once you've configured all your devices to talk with Guacamole, 
>> you can access them all from a central point.
>> Myself I have a small setup when I have devices from two locations all 
>> coming together in Guacamole. This does require some ports to be opened and 
>> forwarded but once that's done, it's a fire and forget sort of deal.
>> 
>> Summary: This product is supposed to eliminate the need for client software.
>> 
>> On 15/09/2016 06:41, Matthew Strowbridge wrote:
>>> Hello,
>>> 
>>> Guacamole newbie here and I have client questions I just can’t find answers 
>>> to. This may not be how to go about asking but I am going to give it a shot.
>>> 
>>> I have Guacamole server up and running and have created an ssh connection 
>>> to a colocated server with direct internet connection and dedicated IP 
>>> address. I am able to connect to it through my Guacamole Home no problem. 
>>> 
>>> What confuses me is if there is not a client I can run on computers behind 
>>> a router/firewall that connects to Guacamole server and allows me to 
>>> connect to them through the Guacamole server as well, what is the point? If 
>>> I have to create a connection providing an IP address and port to connect 
>>> through on my Guacamole Home and then port forward from my firewall to the 
>>> desired computer to be able to access it, I can just use RDP, SSH, or 
>>> whatever native client to connect at that point. Am I missing something? Is 
>>> there a client after all that I can run on say a Windows machine behind a 
>>> firewall and still connect to it via my Guacamole server similar to a 
>>> LogMeIn or Teamviewer service?
>>> 

Re: Client confusion

2016-09-15 Thread Matthew Strowbridge
Good morning Andrew and Bob, 

First off Andrew thank you for your reply, however it added to my confusion 
somewhat. You mentioned "once you configured your devices to talk with Guac", 
this doesn’t jive with me as in my installation it is Guac that talks to the 
devices being that there is no client on the devices to talk to Guac.

Bob, thank you as well for your input and again I must be looking at this 
incorrectly. Based on the reverse proxy scenario, say I have “X” number of 
sites with multiple devices behind a firewall at each site. Is it your 
recommendation to run a reverse proxy at each site in order to route requests 
from Guac to the devices without port forwarding through the firewall?

Regards,

Matthew Strowbridge
On Call Technology Services Inc.
(o)845.477.5208
(m)845.673.9678
(e)mjs@oct.services 
http://www.oct.services 


> On Sep 14, 2016, at 10:42 PM, Andrew Sedlak wrote:
> 
> Hi,
> I think the whole point of Guacamole is that it's a centralized system, 
> allowing access through any web browser without the need for a client. 
> Basically once you've configured all your devices to talk with Guacamole, you 
> can access them all from a central point.
> Myself I have a small setup when I have devices from two locations all coming 
> together in Guacamole. This does require some ports to be opened and 
> forwarded but once that's done, it's a fire and forget sort of deal.
> 
> Summary: This product is supposed to eliminate the need for client software.
> 
> On 15/09/2016 06:41, Matthew Strowbridge wrote:
>> Hello,
>> 
>> Guacamole newbie here and I have client questions I just can’t find answers 
>> to. This may not be how to go about asking but I am going to give it a shot.
>> 
>> I have Guacamole server up and running and have created an ssh connection to 
>> a colocated server with direct internet connection and dedicated IP address. 
>> I am able to connect to it through my Guacamole Home no problem. 
>> 
>> What confuses me is if there is not a client I can run on computers behind a 
>> router/firewall that connects to Guacamole server and allows me to connect 
>> to them through the Guacamole server as well, what is the point? If I have 
>> to create a connection providing an IP address and port to connect through 
>> on my Guacamole Home and then port forward from my firewall to the desired 
>> computer to be able to access it, I can just use RDP, SSH, or whatever 
>> native client to connect at that point. Am I missing something? Is there a 
>> client after all that I can run on say a Windows machine behind a firewall 
>> and still connect to it via my Guacamole server similar to a LogMeIn or 
>> Teamviewer service?
>> 
>> Sorry for my ignorance and if this is not how to submit a question please 
>> inform me as to proper method.
>> 
>> Regards,
>> 
>> Matthew Strowbridge
>> On Call Technology Services Inc.
>> (o)845.477.5208
>> (m)845.673.9678
>> (e)mjs@oct.services 
>> http://www.oct.services 
>> 
>> 
> 
> 
> 