On Tue, Apr 23, 2019 at 6:03 AM Vieri <[email protected]> wrote:

> Hi,
>
> Is it possible to use the output of external scripts in order to define
> specific variables in user-mapping.xml.
>

Yes, this is possible; however, my question would be, why do this instead of just setting up the JDBC module? It seems like a lot of effort to go to in order to get this working in the user-mapping.xml file, when the JDBC module would definitely allow you to use Parameter Tokens for much of this.

> I know I could try to use the LDAP/AD authenticator extension, but:
>
> 1) AD is not officially supported, and I'd need to modify the schema with
> something like this:
> https://glyptodon.com/jira/secure/attachment/13006/Guacamole%20LDAP%20Authentication%20with%20Active%20Directory.pdf
>
> 2) I don't know yet if it is possible/easy to manage the NLA
> guacConfigParameter values for each user, i.e. would I need to specify
> username, password and domain for each group when using NLA as security
> mode? That would mean I'd need to create a connection object for each AD
> user! Or does Guacamole try to use the same username and password as the
> ones used for the initial LDAP/AD bind even when using NLA?
>

I would suggest using LDAP/AD + JDBC for this. That way you can have users authenticate with LDAP/AD, but you don't have to change the Active Directory schema. Then you can use the Parameter tokens, as you already mentioned, to fill in username and password for NLA. The parameter tokens (${GUAC_USERNAME} and ${GUAC_PASSWORD}) won't work with the user-mapping.xml file - you cannot use these values in that file.

> Also note that I'd like the hostname to be dynamic too as I have a script
> that checks several things in order to determine which RDP server a user
> should connect to (e.g. checks resource usage on every server, checks
> whether a previously connected user session was inadvertently cut off,
> etc., and finally outputs the name or IP address of the RDP server).
>

This would be more difficult to do, and would probably be the right place for a custom authentication extension that does these checks and keeps track of things for you.
A script would work with the user-mapping.xml file, but, again, that would lack authentication integration with any of the other modules, so I think that would probably be less helpful than writing an extension.

-Nick
