Hi all,                                                                 

I made a proof of concept and implemented my own authentication extension. I am 
however struggling with 

(1)    Changes to guacamole.properties (where I put some settings using a 
prefix hyperv.*) are not picked up until I restart Tomcat. I'd appreciate it if 
changes were monitored or picked up at login, as is done for user-mapping.xml. 
Or am I misled?

(2)    I need a JSON parser. It looks like there is none exposed by Tomcat 8 or 
Guacamole. I had to copy a JSON implementation into my jar, which does not look 
like a good solution to me. Is there a way to refer to a standard JSON 
implementation?

(3)    It is still unclear to me what configuration changes I can/should 
support, and how to best trigger restore of VMs. One approach I am 
experimenting with is to subclass GuacamoleConfiguration and "monitor" whether 
parameters are accessed and then, as a side effect, trigger restore. However, the 
unpleasant aspect is that I'd also have to cache credentials of the user then. 
Any better approach?

Thanks,

Joachim

 

From: Joachim Lindenberg [mailto:joac...@lindenberg.one] 
Sent: Wednesday, 28 February 2018 15:34
To: user@guacamole.apache.org
Subject: Authentication mechanism.. Was: New user questions...

 

Hi Mike, all,

let me first understand exactly what you wrote, in particular as I did not 
install the LDAP and database part so far. You write “It is the only 
authentication extension which implements both reading and writing,..”

What exactly is it writing? Configuration data? Then I'd prefer to generate 
it. Personalization? Then that sounds more interesting. What types of 
personalization? Maybe including settings like enable-font-smoothing that Christian 
mentioned, which might really be a user preference or depend on bandwidth.

Second, I'd like to understand my options. I think I have a pretty standard 
Hyper-V setup except for two things: some of the VMs are created by an 
application of mine which also assigns VMConnectAccess authorizations to 
specific user/VM combinations (which also prevents access using VMConnect 
unless the users are also Hyper-V Administrators; I haven't tested exactly what 
Guacamole requires, but I verified I can actually connect using a different 
user). And then I have a mechanism in place that saves/suspends VMs 
aggressively in order to conserve memory on the host.

What I'd do in an authentication mechanism is to call a service on the Hyper-V 
server doing two things: first, check user & password against the local 
authentication systems (which include support for local, domain, and Microsoft 
users). If that succeeds, enumerate the VMs the user is authorized for and 
generate the relevant connection configuration.

Does that make sense? 

Obviously the server running on Hyper-V is Hyper-V specific, whereas the client 
part could be very generic and doesn't really care about whether it is Hyper-V or 
some other backend.

Now an interesting question is how to deal with the aggressive save: ideally 
one would include suspended VMs in the connections and then trigger the resume 
operation when a user picks that. Is that possible? How?

Thanks & Best Regards,

Joachim

 

 

From: Mike Jumper [mailto:mike.jumper@guac-dev.org] 
Sent: Tuesday, 27 February 2018 08:04
To: user@guacamole.apache.org 
Subject: Re: New user questions...

 

On Mon, Feb 26, 2018 at 10:45 PM, Joachim Lindenberg <joac...@lindenberg.one> wrote:

...

* w.r.t. LDAP & database: my installation is very small w.r.t. the 
number of users (2-3) and virtual systems (5-10). A database sounds 
overengineered to me, especially considering operations (backup).

 

Small or large, the database authentication backend is really the best way to 
go. It is the only authentication extension which implements both reading and 
writing, thus providing a web-based management interface for connections and 
users, and the only extension which implements full screen sharing, logging of 
connection access, etc.

 

Generating user-mapping.xml on the Hyper-V host sounds like one approach I 
might try

 

I strongly recommend against auto-generating XML as a means of throwing 
together integration quickly:

 

http://guacamole.apache.org/faq/#integrate-auth

 

(but I dislike the passwords in that and would prefer to get them from LDAP), 
or I am considering to plug in my own authentication – but that will take some 
programming time.

 

Nevertheless, if you wish to tightly integrate Guacamole with your own 
authentication, this is exactly the way it should be done.

 

Actually I think Guacamole could standardize a rest based client

 

Guacamole's interface is already driven by a REST service.

 

using basic authentication (forwarding the credentials received)

 

Guacamole also already pulls credentials from HTTP basic auth if they are not 
otherwise provided. If you implement your own authentication extension, you can 
also explicitly do this, but the username/password from HTTP basic auth will be 
automatically pulled into the Credentials object already.

 

- Mike
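To make Mike's point concrete (the Credentials object already carries the username and password, whether they came from the login form or from HTTP basic auth), here is an added example of the extension flow Joachim describes: verify the user against a service on the Hyper-V host, then hand back one connection per authorized VM. It is not code from the thread or from the Guacamole project; the "hyperv" identifier, the "hyperv.service-url" property and the abstract `authorize` hook (the call to your own Hyper-V service, which the concrete subclass named in guac-manifest.json implements) are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.environment.Environment;
import org.apache.guacamole.environment.LocalEnvironment;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.simple.SimpleAuthenticationProvider;
import org.apache.guacamole.properties.StringGuacamoleProperty;
import org.apache.guacamole.protocol.GuacamoleConfiguration;

/** Verifies the user against a Hyper-V side service and lists the VMs that user may open. */
public abstract class HyperVAuthenticationProvider extends SimpleAuthenticationProvider {
    /** Read from guacamole.properties as "hyperv.service-url" (assumed property name). */
    private static final StringGuacamoleProperty SERVICE_URL = new StringGuacamoleProperty() {
        @Override public String getName() { return "hyperv.service-url"; }
    };
    private final Environment environment;

    public HyperVAuthenticationProvider() throws GuacamoleException {
        environment = new LocalEnvironment(); // parses guacamole.properties at construction
    }
    @Override public String getIdentifier() { return "hyperv"; }

    /** Subclass hook (assumed): have the Hyper-V service check the password and return
     *  VM name -> host for the VMs this user is authorized for, or null if rejected. */
    protected abstract Map<String, String> authorize(String serviceUrl, String user, String pass);

    @Override
    public Map<String, GuacamoleConfiguration> getAuthorizedConfigurations(Credentials credentials)
            throws GuacamoleException {
        // Username and password are already populated whether they came from the login
        // form or from an HTTP basic auth header; no header parsing is needed here.
        String user = credentials.getUsername(), pass = credentials.getPassword();
        if (user == null || pass == null)
            return null; // nothing to verify yet; Guacamole will prompt for credentials

        Map<String, String> vms = authorize(environment.getRequiredProperty(SERVICE_URL), user, pass);
        if (vms == null)
            return null; // password rejected: null denies the login for this extension

        Map<String, GuacamoleConfiguration> configs = new HashMap<>();
        for (Map.Entry<String, String> vm : vms.entrySet()) {
            GuacamoleConfiguration config = new GuacamoleConfiguration();
            config.setProtocol("rdp");
            config.setParameter("hostname", vm.getValue());
            config.setParameter("username", user);
            config.setParameter("password", pass); // handed to guacd for this session only, not cached
            configs.put(vm.getKey(), config);
        }
        return configs;
    }
}
```

Because the extension keeps no copy of the credentials beyond the request, a failed or timed-out call to the Hyper-V service simply denies the login rather than leaving cached secrets behind.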

 
