On Mon, Aug 19, 2019 at 7:14 PM Mike Sollanych <[email protected]>
wrote:

> Apologies if this was posted twice, didn't confirm email properly.
>
>
I only see it once :-).


> I'm trying to set up a highly dynamic Guacamole setup, using OpenID for
> authentication (against IDAptive; this part works well). The actual
> Guacamole connections need to be sourced from Consul service discovery; my
> plan had been to use Consul Template to do this and spit out a file like the
> user-mapping.xml, but it looks like there's no way to use the two of these
> in concert.
>
>
Unfortunately the built-in user-mapping.xml doesn't really "stack" with the
other modules the same way, so you likely won't have much success getting
this to work.  However, I wonder does the Consul service discovery have any
sort of API that could be leveraged to dynamically pull connection
information?


> The NoAuth extension that appears to have been deprecated looks like it
> might have handled this for me. QuickConnect works fine but most of the
> point of Guacamole was to provide my technical end-users a nice list of
> running VNC sessions inside our environment in a secure fashion with 2FA and
> so forth.
>
>
You don't want NoAuth.  Really, you don't :-).  We deprecated it for a
reason.


> Is there any option for using OpenID without having a database backend to
> list connection information?
>
>
I'm sure there is - I can think of three ways:
1) Consul has an API, and an extension could be written to pull from that
API.  I'd be happy to work through implementation of such an extension, if
you can provide insight on how the API works.
2) Sounds like Consul can spit out formatted output - XML, maybe JSON.  An
extension could be written to leverage this - I'd lean toward JSON output,
myself, but probably doesn't matter that much.
3) Mike has mentioned in the past, I think, that he has a JSON extension
that might work for this, eh Mike?


> If I have to maintain a database, that means a lot more work to get this
> working (i.e. I'd have to write something that could blow away the Guacamole
> database and repopulate it from whatever we source from Consul). A static
> configuration maintained using tools outside of the app itself lends itself
> far more to my process.
>

I wouldn't say you'd have to blow away the database each time and
repopulate it - at most you'd blow away the data in one or two of the
tables (Connection, maybe Permissions) and repopulate that, but it actually
shouldn't be too bad to write scripts in one of several languages, or even
some SQL procedures in your DB of choice that would ease this.  Not saying
this is really the best way to go for you, just that it is a possibility
and may not be quite as bad as it seems.


>
> Should I just downgrade to the pre-1.0 release and use noauth? This seems to
> give me no upgrade path, and I'm not sure if the openid extension actually
> works alongside that anyhow.
>
>
No, don't use NoAuth.  Let's figure something else out that works for you.

-Nick
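
Added example, not part of the original message and not Guacamole project code: one way to do the table-level repopulation described above, keeping OpenID for login and syncing only the connection rows from Consul's catalog output. Assumptions: the two tables are a reduced stand-in (run here on in-memory SQLite) that uses the Guacamole JDBC table and column names, the `consul/` name prefix is a hypothetical convention marking rows the script owns, and the JSON is a constructed sample.

```python
import json
import sqlite3

# Constructed sample shaped like a Consul /v1/catalog/service/<name> reply.
CONSUL_JSON = """[
 {"Node": "ws-01", "Address": "10.0.0.11", "ServiceID": "vnc-alice",
  "ServiceName": "vnc", "ServiceAddress": "", "ServicePort": 5901},
 {"Node": "ws-02", "Address": "10.0.0.12", "ServiceID": "vnc-bob",
  "ServiceName": "vnc", "ServiceAddress": "10.0.1.12", "ServicePort": 5902}
]"""
PREFIX = "consul/"  # hypothetical convention: only rows with this prefix are managed

# Reduced stand-in (assumption) for the two Guacamole JDBC tables involved.
SCHEMA = """
CREATE TABLE guacamole_connection (
  connection_id INTEGER PRIMARY KEY,
  connection_name TEXT NOT NULL UNIQUE, protocol TEXT NOT NULL);
CREATE TABLE guacamole_connection_parameter (
  connection_id INTEGER NOT NULL, parameter_name TEXT NOT NULL,
  parameter_value TEXT NOT NULL, PRIMARY KEY (connection_id, parameter_name));
"""

def sync(db, consul_json):
    """Make the consul/* connections match the catalog; return their names."""
    wanted = {}
    for svc in json.loads(consul_json):
        host = svc["ServiceAddress"] or svc["Address"]  # empty: use node address
        port = int(svc["ServicePort"])
        if 0 < port < 65536:  # skip entries with an unusable port
            wanted[PREFIX + svc["ServiceID"]] = {"hostname": host, "port": str(port)}
    with db:  # one transaction, so users never see a half-populated list
        have = dict(db.execute(
            "SELECT connection_name, connection_id FROM guacamole_connection"
            " WHERE connection_name LIKE ?", (PREFIX + "%",)))
        for name in have.keys() - wanted.keys():  # service left the catalog
            for table in ("guacamole_connection_parameter", "guacamole_connection"):
                db.execute(f"DELETE FROM {table} WHERE connection_id = ?", (have[name],))
        for name, params in wanted.items():
            cid = have.get(name)  # existing rows keep their connection_id
            if cid is None:
                cid = db.execute(
                    "INSERT INTO guacamole_connection (connection_name, protocol)"
                    " VALUES (?, 'vnc')", (name,)).lastrowid
            # Catalog values are always bound as parameters, never spliced into SQL.
            db.executemany(  # INSERT OR REPLACE is SQLite syntax
                "INSERT OR REPLACE INTO guacamole_connection_parameter VALUES (?, ?, ?)",
                [(cid, key, value) for key, value in params.items()])
    return sorted(wanted)
```

Because existing connections keep their `connection_id`, rows in other tables that reference it stay valid across runs, and connections created by hand (no `consul/` prefix) are never touched.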
