[ https://issues.apache.org/jira/browse/GUACAMOLE-686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16731721#comment-16731721 ]

Nick Couchman commented on GUACAMOLE-686:
-----------------------------------------

You can't - this configuration won't work, for a couple of reasons.  The LDAP 
module uses LDAP's built-in security and access control to determine what 
connections a user has access to.  In order to accomplish this, the LDAP module 
first authenticates with the search user specified in the configuration (if 
applicable), and then authenticates with the information (username and 
password) of the user who is logging in.  It uses the search to attempt to 
locate the user DN in the LDAP tree, and, failing that, computes the DN of the 
user based on the username and the user base DN.

Because the LDAP module functions this way, it _requires_ the password to be 
present during authentication, and, if you're using the Header authentication 
module, the password is not available to Guacamole because the authentication 
is being done outside of Guacamole and Guacamole is trusting the authentication 
provided outside of the module.

Even with another module, like CAS, that can provide the password back to 
Guacamole (CAS uses a feature called ClearPass to do this), I don't believe 
this configuration would work, because the user is already authenticated prior 
to the LDAP module being called, so the LDAP module will not attempt to bind 
under that user account due to the prior successful authentication.

> HTTP Header Auth ignores LDAP configuration
> -------------------------------------------
>
>                 Key: GUACAMOLE-686
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-686
>             Project: Guacamole
>          Issue Type: Bug
>            Reporter: zach
>            Priority: Minor
>
> My guacamole server uses LDAP and works when logging in using the web portal. 
> I put a single-sign-on server in front of it which authenticates the users 
> for me, and then forwards the user to guacamole using HTTP-Header-Auth. When 
> this header auth successfully logs in, no connections are visible, and no 
> lookups are performed against my LDAP server.
> How do I tell guacamole to use HTTP-Header-Auth for the login, and then 
> perform LDAP queries to discover connections available to the logged-in user?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
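
The bind sequence described in the comment above, modelled in Python as an added example; this is not Guacamole's code and not part of the original message. The in-memory directory, the names, DNs and passwords are constructed, and the RFC 4514 escaping of the computed DN is an addition the comment does not mention.

```python
# Constructed stand-in for an LDAP tree: DN -> (password, connections that user may read).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=net": ("alice-pw", ["rdp-desktop", "ssh-build"]),
    "cn=Bob B,ou=staff,dc=example,dc=net": ("bob-pw", ["vnc-lab"]),
}
# What a lookup performed as the search user would return (constructed).
SEARCH_RESULTS = {"bob": "cn=Bob B,ou=staff,dc=example,dc=net"}
USER_BASE_DN = "ou=people,dc=example,dc=net"   # assumed user base DN
USERNAME_ATTRIBUTE = "uid"                      # assumed username attribute


def escape_rdn_value(value):
    """Escape RFC 4514 special characters so a username cannot reshape the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = (ch in ',+"\\<>;='
                   or (i == 0 and ch in "# ")
                   or (i == last and ch == " "))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def resolve_user_dn(username):
    """Prefer the DN found by the search; failing that, compute it."""
    found = SEARCH_RESULTS.get(username)
    if found is not None:
        return found
    return f"{USERNAME_ATTRIBUTE}={escape_rdn_value(username)},{USER_BASE_DN}"


def ldap_connections(username, password):
    """Return the connections visible after binding as the user, else None."""
    if not password:
        # Header-authenticated request: identity is known, but there is
        # no password to bind with, so the directory is never queried.
        return None
    entry = DIRECTORY.get(resolve_user_dn(username))
    if entry is None or entry[0] != password:
        return None  # bind as the user failed
    return entry[1]


if __name__ == "__main__":
    print(ldap_connections("alice", "alice-pw"))  # form login with a password
    print(ldap_connections("alice", None))        # header auth, no password
```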
