I found the class SharedAuthenticationProviderService, which has the method 
below (authenticateUser). It receives credentials of type Credentials. Below is 
its definition:

    @Override
    public AuthenticatedUser authenticateUser(AuthenticationProvider authenticationProvider,
            Credentials credentials) throws GuacamoleException {

        // Check whether user is authenticating with a valid sharing key
        AuthenticatedUser user =
                sharingService.retrieveSharedConnectionUser(authenticationProvider, credentials);
        if (user != null)
            return user;

        // Otherwise, unauthorized
        throw new GuacamoleInvalidCredentialsException("Invalid login",
                CredentialsInfo.USERNAME_PASSWORD);

    }

Based on the above code, I think I have to make a call to the Perl invocation 
before retrieving the authenticated user, and then compare with it. If their 
credentials are different, update the credentials with the Tacacs value using 
the updateUserContext function.

How do you see my implementation proposal?


-----Original Message-----
From: Nick Couchman <[email protected]> 
Sent: Tuesday, March 14, 2023 02:21 PM
To: [email protected]
Subject: Re: Change to the way of authenticating provided by Guacamole

On Tue, Mar 14, 2023 at 4:04 PM Gabriel Huerta Araujo 
<[email protected]> wrote:
>
> Here I am again.
>
> One question:
>
> How can I have a fully functional authentication provider instead of parsing 
> the guacamole.properties configuration file, and taking such information from 
> a database (MySQL) and only the authentication can be done with the 
> invocation of the Tacacs script through Perl?

You can use both the database and your custom authentication module together. 
Guacamole "stacks" the authentication modules, relying on the equivalence of 
the username to map users between the modules. The most common scenario for 
this is using LDAP + JDBC (MySQL, PostgreSQL, etc.), so that you can log in 
users via LDAP but store connection information and permissions in a database. 
However, this should work between any sets of modules - so, if you write a 
custom module that calls the Perl script, you can still store connections, 
permissions, group membership, etc., in the JDBC module using one of the three 
supported databases.

If you have more specific questions, feel free to post those.

-Nick
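
As an added illustration of the custom module described in the reply above (not code from this thread or from the Guacamole project), here is a minimal authentication provider that delegates the password check to an external Perl script. The class name, script path, the script's argument/stdin/exit-status contract, the username allow-list and the timeout are all assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.TimeUnit;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.net.auth.*;
import org.apache.guacamole.net.auth.credentials.*;

public class TacacsScriptAuthenticationProvider extends AbstractAuthenticationProvider {
    // Assumed script contract (hypothetical): username in argv, password on stdin, exit 0 = accepted
    private static final String SCRIPT = "/opt/guacamole/tacacs_auth.pl";
    @Override
    public String getIdentifier() { return "tacacs-script"; }
    @Override
    public AuthenticatedUser authenticateUser(final Credentials credentials) throws GuacamoleException {
        String username = credentials.getUsername();
        String password = credentials.getPassword();
        // Assumed allow-list: rejects empty names and names the script could read as an option
        if (username == null || password == null
                || !username.matches("[A-Za-z0-9][A-Za-z0-9._@-]{0,63}") || !runScript(username, password))
            throw new GuacamoleInvalidCredentialsException("Invalid login", CredentialsInfo.USERNAME_PASSWORD);
        // The identifier is the username other stacked modules (e.g. JDBC) match on
        AbstractAuthenticatedUser user = new AbstractAuthenticatedUser() {
            @Override public AuthenticationProvider getAuthenticationProvider() {
                return TacacsScriptAuthenticationProvider.this;
            }
            @Override public Credentials getCredentials() { return credentials; }
        };
        user.setIdentifier(username);
        return user;
    }

    private boolean runScript(String username, String password) throws GuacamoleException {
        try {
            // Argument vector, no shell; password goes over stdin, not the process list
            Process p = new ProcessBuilder("/usr/bin/perl", SCRIPT, username)
                    .redirectOutput(ProcessBuilder.Redirect.INHERIT).redirectError(ProcessBuilder.Redirect.INHERIT).start();
            try (OutputStream stdin = p.getOutputStream()) {
                stdin.write((password + "\n").getBytes(StandardCharsets.UTF_8));
            }
            if (!p.waitFor(10, TimeUnit.SECONDS)) { p.destroyForcibly(); return false; }
            return p.exitValue() == 0;
        } catch (IOException | InterruptedException e) {
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            throw new GuacamoleServerException("Could not run TACACS script", e);
        }
    }
}
```

A script timeout is treated as a failed login, so the provider fails closed if the TACACS+ server is unreachable.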
