On Tue, Aug 4, 2020 at 12:11 PM Jérôme Charaoui < [email protected]> wrote:
> Hello, > > Is it possible to setup the LDAP extension in some way that it will > match usernames in a case-sensitive manner? > > Currently, for example, user "FooBar" can log in as "FOOBAR", "foobar", > "FOoBar". etc. and the Guacamole client will make use internally of > whatever the user inputs instead of the actual username as stored in LDAP. > > I'm not sure this would even be possible to implement within the LDAP module, as an LDAP client, because the client is not the authority on which logins are valid and which are not. How is the Guacamole LDAP extension to know that "FooBar" is a valid login and "foobar" is not? This seems like something you'd have to enable on your LDAP server - the LDAP server would need to support case-sensitive usernames (bind DNs) to be able to make such a determination. I don't even know that this is possible to do in most LDAP implementations - OpenLDAP would probably support it, but AD and others (eDirectory) are questionable. That said, the one thing you could do is enable the option that requires that the user be present in the JDBC module for LDAP authentication to succeed. If I recall correctly, username matches between modules in Guacamole are done in a case-sensitive fashion (that is, in the JDBC module the user "FooBar" is different from "foobar") so if you require that the user be present in JDBC then authentication will fail if they are not. Of course, that means that you have to manually add users to the JDBC module, so this could represent more work for you, but it may overcome your current problem. http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-restrict > This has implications notably when using the ${GUAC_USERNAME} token for > directory paths in connection properties as most filesystems are > case-sensitive. > > I've seen token modifiers have been implementer to force either all > lower-or upper-case but unfortunately that feature wasn't released in > 1.2.0. > > Yep, this should be released in version 1.3.0, and is available in the git repo master branch if you want to build from source. -Nick
