On Sun, Jan 7, 2018 at 10:09 AM, Amarjeet Singh <amarjee...@gmail.com> wrote:
> Nick, Requirement is not to save username and password anywhere. It should
> be logged in by the user itself.

Yes, I understand and agree.

> That is causing issue to create shared drive with username or
> ${GUAC_USERNAME}

I don't think so. The ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens come from the username and password that the user logs into *Guacamole* with, not the username/password for the connection.

As an example, let's say you have Guacamole configured to use LDAP authentication, and you are storing your connections in JDBC. Guacamole LDAP is configured to point to Active Directory, and you have a user, test_user, and the LDAP/AD password for that user is DoNotCopyMe. The user is connecting to a Windows server, via RDP, joined to the same AD domain where LDAP is configured, server1. Here's how the flow would work:

- User logs into Guacamole at https://guacamole.example.com/guacamole, with username test_user and password DoNotCopyMe
- Guacamole, upon successful login, registers ${GUAC_USERNAME} as test_user and ${GUAC_PASSWORD} as DoNotCopyMe.
- The user starts the connection to server1, which has the username parameter set to ${GUAC_USERNAME}, the password parameter set to ${GUAC_PASSWORD}, and the Drive Path parameter set to /tmp/${GUAC_USERNAME}.
- The connection automatically logs into the server because the Guacamole username and password are passed through to the RDP connection through the tokens.
- The connection maps the /tmp/test_user directory through to the RDP connection by resolving the username token.

> ${GUAC_USERNAME} works if Single sign on is there i.e. username and
> password is provided. it fails if username and password is not there.

Well, that depends on what you mean by "Single sign on" and "is [not] there." The actual username and password do not have to be saved in the connection in order to be made available; however, the user has to log in to be logging in to Guacamole.

So, if you're using some sort of anonymous Guacamole authentication (the deprecated noauth extension, for example), then the GUAC_USERNAME and GUAC_PASSWORD tokens will not be available. If you're using a SSO login method (OpenID, SAML, CAS without ClearPass), then the GUAC_USERNAME token will be available while the GUAC_PASSWORD token may or may not, depending on your configuration. If you're using LDAP or JDBC, then both the GUAC_USERNAME and GUAC_PASSWORD token should be available.

How are your users authenticating to Guacamole?

-Nick
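
The token flow described in the message above, as an added example that is not part of the original message and is not Guacamole's own code: a simplified Python model that resolves the server1 connection parameters under three constructed login scenarios and reports which tokens stay unresolved. Assumptions: the function names are hypothetical, the SSO scenario models the case where no password is available, and an undefined token is left in place as literal text.

```python
import re

# Simplified model of ${TOKEN} substitution in connection parameters.
# Assumption of this model: a token with no value is left as literal text.
TOKEN = re.compile(r"\$\{([A-Z_]+)\}")

def session_tokens(username=None, password=None):
    """Tokens registered from the Guacamole login, not from the connection."""
    tokens = {}
    if username is not None:
        tokens["GUAC_USERNAME"] = username
    if password is not None:
        tokens["GUAC_PASSWORD"] = password
    return tokens

def resolve(params, tokens):
    """Return (resolved parameters, sorted names of unresolved tokens)."""
    missing = set()

    def sub(match):
        name = match.group(1)
        if name in tokens:
            return tokens[name]
        missing.add(name)
        return match.group(0)  # keep the literal ${...} text

    resolved = {key: TOKEN.sub(sub, value) for key, value in params.items()}
    return resolved, sorted(missing)

# Connection from the message's example; nothing secret is stored in it.
SERVER1 = {
    "hostname": "server1",
    "username": "${GUAC_USERNAME}",
    "password": "${GUAC_PASSWORD}",
    "drive-path": "/tmp/${GUAC_USERNAME}",
}

# Constructed login scenarios matching the three cases in the message.
SCENARIOS = {
    "ldap": session_tokens("test_user", "DoNotCopyMe"),
    "sso": session_tokens("test_user"),  # modelled without a password
    "anonymous": session_tokens(),       # no login, so no tokens at all
}

if __name__ == "__main__":
    for name, tokens in SCENARIOS.items():
        resolved, missing = resolve(SERVER1, tokens)
        print(name, resolved["drive-path"], "unresolved:", missing or "none")
```

In the anonymous case the drive path comes back as the literal /tmp/${GUAC_USERNAME}, which is the per-user shared drive failure discussed in the thread.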