Dear Guacamole users, Dear Nick,

Sorry, I decided to resurrect the 4-year-old challenge. I have rebased my changes on the latest codebase. Not so many changes are required to allow the user authenticated via the auth-header extension to be provided authentication information / connection settings from user-mapping.xml. Without the changes, the settings are not picked up from user-mapping.xml.

Please check my commit b0aa658 <https://github.com/dmak/guacamole-client/commit/b0aa658043689b8ff37d18db49a75ac443b4cc12>. If that is OK, then I would provide a few unit tests for it. Otherwise let me know what is missing, preferably in terms so that I can implement a test.

On 2019-03-22 21:42, Nick Couchman wrote:
>
>> Yes, we removed the NoAuth module without replacing it. The project
>> determined that it was not worth continuing to keep it in the code, as
>> the value was limited and the end-goal of the module - transparently
>> authenticating users into Guacamole - was possible by several other more
>> secure means (SSO and parameter tokens, in particular). It's also true
>> that the header module is very simple - it accepts that a user has been
>> authenticated up-stream and relies on other modules to provide
>> configurations. This comes with a security caveat of its own - if you use
>> the header module it *must* be behind a reasonably secure front-end proxy
>> that won't allow someone to spoof the header that is then accepted by the
>> authentication module. There are warnings about this in the manual.
> I agree. On the other hand, even if we make FileAuthenticationProvider
> work properly, JDBCAuthenticationProviderModule will still not work, as it
> requires username/password for authentication against the database. So if
> there is a need to stack JDBC/LDAP on the top of header authentication,
> one needs to agree how to enable that.
>
>
> This is not accurate - I've used the Header module with the JDBC module
> repeatedly, and it works fine, even without a password being provided. The
> JDBC module will recognize users authenticated by any other module - LDAP,
> Header, CAS, OpenID, RADIUS - regardless of whether the module sets a
> password on the Credential object. The File handler does not currently
> behave that way. The LDAP module, when used to store connections, also
> relies on both the username and password to be available because it binds
> to the LDAP tree with the provided username and password. The JDBC module
> uses a fixed username and password to access the database, and accepts
> authentication from other modules matching via username only.
>

On 2019-03-26 00:30, Nick Couchman wrote:
> The site you referenced is for the Apache Directory project, not the
> Guacamole project. Our main page is here:
>
> http://guacamole.apache.org
>
> And the contribution guidelines are here:
>
> http://guacamole.apache.org/open-source/
>
> With specific style guidelines noted here:
>
> http://guacamole.apache.org/guac-style/

--
With best regards, Dmitry
