On 4/24/21 1:13 AM, Mike Jumper wrote:
On Fri, Apr 23, 2021 at 1:46 PM Jelle de Jong <[email protected] <mailto:[email protected]>> wrote:

    ...
    Thank you for your answer and great work on Guacamole!

    Can you explain this use case of determining "what the user has
    access to", especially with 1.3.0? How does the new prompting for
    credentials take place? I expect this to show up within the
    Guacamole GUI and not as a dialogue in the RDP client, but if I
    make a new connection with the GUI and leave the username and
    password empty I do not get prompted.


RDP itself defines a means of requesting credentials from the connecting client before the graphical part of the remote desktop session starts. This will be the case for Windows RDP servers that are configured to require NLA (the default for recent versions of Windows), and should also be the case if you explicitly select "NLA" security for the RDP connection within Guacamole's connection parameters.

The RDP spec doesn't strictly require that servers deal with credentials before starting the graphical session. It's up to the server and the connection negotiation process. The RDP server *can* choose to accept what you've provided, start the graphical session, and leverage that session to prompt the user for the rest. This is what Windows RDP will do if NLA is not being used.

If you omit some credentials, and the RDP server does send a specific request for credentials before starting the graphical session, then Guacamole will issue its own prompt within the UI to obtain what's missing. This prompt will accept only the credentials not already provided by the administrator in the connection parameters.

    ...
    How can I disable the "data retrieval" part so it does a successful
    login?


There's no configuration option for this. The solution would be to make the changes I mentioned to the LDAP support to allow the original LDAP connection to be used for both the authentication and authorization processes.

Thank you, Mike. Would you be willing to take a look at the LDAP code and share back how much work it might be?

In the /etc/guacamole/guacamole.properties configuration I provide the ldap-search-bind-dn and ldap-search-bind-password. My experience is that these credentials are often used to bind to LDAP and do the lookups needed; this way the user password is only used once, to validate.

I have not been able to get Guacamole to provide me with a prompt when leaving the username and password empty in the connection settings, and I cannot figure out what I am doing wrong. I cannot find documentation on how to use this prompting feature. From what you tell me, leaving it empty should be enough? I would like to be able to provide the username as ${GUAC_USERNAME} and have the password prompted for in the Guacamole Web UI (so the user can fill in the password+otp in the password field and connect).

Kind regards,

Jelle de Jong
