On Mon, Jan 7, 2019 at 7:06 PM Mike Jumper <[email protected]> wrote:
> On Fri, Jan 4, 2019 at 12:59 PM Nick Couchman <[email protected]> wrote:
>
>> On Fri, Jan 4, 2019 at 10:34 AM JoelB <[email protected]> wrote:
>>
>>> Is there any way to implement concurrency limits for connections/users
>>> defined in LDAP? I've been unable to get LDAP and MySQL to co-operate so
>>> I've switched to an LDAP-only configuration. However, I need to be able to
>>> restrict users to logging in to only one machine at a time and clients to
>>> only allow one connection at a time.
>>>
>>
>> I do not believe the connection attributes (which includes concurrency)
>> work from connections defined within the LDAP authentication module.
>>
>
> It's not so much that they don't work as they aren't implemented. Only the
> database auth implements the type of tracking necessary for these limits.
>

Yes, quite right.

> While it is true that the database auth allows these limits to be
> maintained/overridden with connection attributes, leveraging connection
> attributes is only necessary if these limits are to be exposed within the
> user interface. If concurrency limits were implemented within LDAP, which
> will presumably remain read-only, the limits could be read internally from
> LDAP attributes, exposing nothing.
>
> I think we would first want to look into extracting the core of the
> database auth that implements connection tracking, sharing, etc. such that
> it can be used by other extensions, including downstream extensions. It's a
> very common need, and implementing reliable connection tracking in a way
> that doesn't have difficult-to-diagnose race conditions is tricky.
>

Sounds like we're collecting a list of things to extract/abstract out of the
JDBC module. We've already discussed doing that for permissions management,
and now we've got concurrency - sounds like we're moving in the direction of
some pretty serious re-architecting of the way the extension modules are
done, where those just become much more simple interfaces between
guacamole-ext (or wherever we move it to) and whatever is storing the data.
I like it.

-Nick
