------ Original Message ------
From: "Nick Couchman" <[email protected]>
To: [email protected]; "Jason Keltz" <[email protected]>
Sent: 5/16/2020 7:41:24 AM
Subject: Re: capital letters in usernames
On Fri, May 15, 2020 at 3:32 PM Jason Keltz <[email protected]> wrote:
Hi.
I notice that if I login to Guacamole with my username in all caps
(or just any letter), then my logins to Linux/Unix systems will fail.
I don't suppose there is a way I can tell Guac to convert usernames to
lowercase? This happens when logging into Linux *or* Windows systems.
This discussion has come up in the past, but we haven't done much to
address it. Yes, Guacamole maintains the case of the username as you
enter it, which, depending upon what types of systems you're logging
into, can be more or less problematic. Obviously in the case of a
UNIX-based system, where usernames can be case-sensitive, that can be a
problem. For most other platforms, it is not. I wonder if maybe we
could provide a way with the Token system to alter the case. I'm
thinking something like:
${GUAC_USERNAME} - Pass through as entered
${GUAC_USERNAME:lower} - Convert string to lower-case
${GUAC_USERNAME:upper} - Convert string to upper-case
That's just me thinking out loud, at this point - I don't know how
feasible that is, and if it would cause any other issues, but seems
like it would at least allow the most flexibility in not maintaining
current behavior but also allowing situations like you mention where
you want to make sure something is always lower-case, no matter what
the user logs in with.
The other issue that comes up is that, if you are "stacking"
authentication modules (JDBC + LDAP, for example), the comparison of
usernames between the modules is also currently case-sensitive - so, if
I create a user in the JDBC module called "nick", but log in with an
LDAP account where the username is "Nick", the LDAP account will not
get any permissions for the JDBC user "nick", because they are not
considered the same user. This is something of a pain-point for me,
because, while I can advise users on how they should log in, I cannot
control what they use to log in, and if they user FirstName_LastName
(instead of firstname_lastname), the login will succeed but they may
not see everything they should have permissions to see. So, perhaps,
in that case, a directive in guacamole.properties for the LDAP
authentication module, specifically, that says "convert usernames to
lower case" would do the trick, and might also handle the situation
you're seeing?
I'm interested to hear what others in the community think - I'm
throwing out my thoughts and opinions, but think this is a good
discussion to hear from other folks on.
Hi Nick,
I like your idea of the token modifier. However, I could also imagine a
checkbox somewhere "convert usernames to lowercase". Let me know if I
should add as a feature request, or whether there is already something.
By the way, for whatever reason, my WIndows login doesn't work with the
capitals in the name either! I don't know why. I just retried it, and
it doesn't work.
Jason.
