On Thu, Apr 15, 2021 at 9:30 AM tomlawesome <[email protected]> wrote:
> Thanks for the reply Nick. I did check the manual but am very new (first > time > trying to use them) to using HTTP headers for auth and wasn't entirely sure > on syntax for guacamole properties if I wanted to use a custom one. Is the > following correct? I know I don't need to specify anything in > guacamole.properties for REMOTE_USER but am just using it as syntax example > for my understanding. > > http-auth-header: <my string> > http-auth-header: REMOTE_USER > Yes, so, if you wanted the header SMASHED_AVOCADOS to be used for the user, you would specify: http-auth-header: SMASHED_AVOCADOS and, then, in your identity provider configuration, and, possibly also in your reverse proxy configuration (if you're using one), you'd need to specify that header as the one to send and to be passed through. > > Also, is there a way I can verify that Guacamole is even seeing the header? > I appreciate that this is not an traefik mailing list, but I'm not sure if > Guacamole is receiving the header and not doing anything with it, or if > traefik's not sending it. > > This should be logged in the Tomcat logs (catalina.out, syslog, journald, wherever Tomcat gets logged) - it'll log either a successful authentication for a particular user, or failed anonymous authentication. > I'm using mariaDB + LDAP for authentication backends > > Note that if you're using LDAP authentication extension in Guacamole, a successful authentication by the header module will mean that the LDAP module is not called at all, particularly because the LDAP module requires that the password of the user logging in is passed through. You'll be able to see/use connection information from the JDBC module, but not the LDAP module. -Nick
