Thanks a lot Michael for your complete explanation.
This implementation of the getUserContext method was missing.
It was like this:
    @Override
    public UserContext getUserContext(AuthenticatedUser authenticatedUser)
            throws GuacamoleException {
        // No associated data whatsoever
        return null;
    }
With the modification below, it works like a charm now.
    @Override
    public UserContext getUserContext(AuthenticatedUser authenticatedUser)
            throws GuacamoleException {
        // Delegate to the provider that authenticated this user
        return authenticatedUser.getAuthenticationProvider()
                .getUserContext(authenticatedUser);
    }
I am plenty grateful, Michael.
-Gabriel
From: Michael Jumper <[email protected]>
Sent: Monday, April 17, 2023 4:02 PM
To: [email protected]
Subject: Re: Change to the way of authenticating provided by Guacamole
Guacamole will poll every installed AuthenticationProvider. I can't speak to
how your extension is written, but there are three phases that Guacamole goes
through when you visit the application and attempt to authenticate:
1. Authentication: All installed extensions are asked to attempt to identify
the user. Guacamole does this by calling authenticateUser() for each extension,
one at a time, until one succeeds or all have failed:
https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#authenticateUser(org.apache.guacamole.net.auth.Credentials)
2. Authorization: The AuthenticatedUser from whichever extension authenticated
the user is passed to all installed extensions to allow those extensions to
provide data for the user. Guacamole does this by calling getUserContext() for
each extension, one at a time, providing each with the AuthenticatedUser
received from the successful authentication attempt. Each extension then can
(but does not need to) provide a UserContext describing what the user can
access within that extension:
https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#getUserContext(org.apache.guacamole.net.auth.AuthenticatedUser)
3. Decoration: The UserContext from all extensions that provided one is passed
to all installed extensions to allow those extensions to augment or decorate
the data provided for the user. This allows extensions to enforce restrictions
on top of objects that they do not otherwise maintain, to hook into function
calls at a low level, etc. Guacamole does this by calling decorate():
https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#decorate(org.apache.guacamole.net.auth.UserContext,org.apache.guacamole.net.auth.AuthenticatedUser,org.apache.guacamole.net.auth.Credentials)
If you are writing an extension intended to authenticate users and _only_
authenticate users, with something like MySQL providing connection storage and
tracking, then all you need to do is implement authenticateUser() however you
see fit. Nothing needs to match except the username as all of the various
database extensions for Guacamole will trust the authentication results of
other extensions. You don't need to synchronize passwords (nor set an explicit
password at all), you don't need to implement connection tracking, and you
don't need to try to access the internals of the webapp or other extensions.
You just need to implement authenticateUser() in your AuthenticationProvider
and make sure your AuthenticationProvider is declared correctly in your
extension's guac-manifest.json.
- Mike
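As an added example (not code from this thread or from the Guacamole project itself) of the authenticate-only pattern Mike describes: a provider that implements only phase 1 and leaves phases 2 and 3 to other extensions by returning null from getUserContext(). The class names, the identifier string and verifyAgainstBackend() are assumptions; the guacamole-ext base classes and methods are the real ones.

```java
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.AbstractAuthenticatedUser;
import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.AuthenticationProvider;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.UserContext;

// Authenticate-only provider (hypothetical class name): phase 1 identifies
// the user; phases 2 and 3 are left to other extensions (e.g. the MySQL
// module), which trust the username carried by the AuthenticatedUser.
public class ExampleOnlyAuthProvider extends AbstractAuthenticationProvider {

    @Override
    public String getIdentifier() {
        return "example-only-auth"; // hypothetical identifier
    }

    @Override
    public AuthenticatedUser authenticateUser(Credentials credentials)
            throws GuacamoleException {
        String username = credentials.getUsername();
        String password = credentials.getPassword();
        // First visit: nothing submitted yet, so let the login form be shown.
        if (username == null || password == null)
            return null;
        // Hypothetical backend check (TACACS+, LDAP, ...). Returning null on
        // failure hands the attempt to the next installed provider.
        if (!verifyAgainstBackend(username, password))
            return null;
        return new ExampleAuthenticatedUser(this, credentials, username);
    }

    @Override
    public UserContext getUserContext(AuthenticatedUser authenticatedUser)
            throws GuacamoleException {
        return null; // phase 2: this extension stores no connections or users
    }

    // Placeholder (assumption): wire the real TACACS+/LDAP client call in here.
    private boolean verifyAgainstBackend(String username, String password) {
        return false;
    }

    // Minimal AuthenticatedUser whose identifier is the verified username;
    // database extensions match their records on exactly this identifier.
    private static class ExampleAuthenticatedUser extends AbstractAuthenticatedUser {
        private final AuthenticationProvider provider;
        private final Credentials credentials;
        ExampleAuthenticatedUser(AuthenticationProvider p, Credentials c, String name) {
            provider = p; credentials = c; setIdentifier(name);
        }
        @Override public AuthenticationProvider getAuthenticationProvider() { return provider; }
        @Override public Credentials getCredentials() { return credentials; }
    }
}
```

The class still has to be listed under "authProviders" in the extension's guac-manifest.json. Providers are tried in load order, so a database provider that accepts the same password will authenticate the user first (Nick's point below); recent Guacamole versions let you fix the order with the extension-priority property in guacamole.properties.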
On Mon, Apr 17, 2023 at 1:19 PM Gabriel Huerta Araujo
<[email protected]> wrote:
In fact, the web application goes through every Authentication Provider, but it
does not enter the Tacacs Authentication Provider when it arrives there (it
comes before MySql); it only enters the MySql Authentication Provider (which is
last in the Authentication Providers list).
Any idea how to force it to enter the Tacacs Authentication Provider?
-Gabriel
-----Original Message-----
From: Gabriel Huerta Araujo
Sent: Monday, April 17, 2023 9:00 AM
To: [email protected]
Subject: RE: Change to the way of authenticating provided by Guacamole
Nick
How can I make Tacacs authentication execute? Because the Tacacs and DB
passwords are the same, the application goes for DB authentication.
-Gabriel
-----Original Message-----
From: Nick Couchman <[email protected]>
Sent: Sunday, April 16, 2023 2:03 PM
To: [email protected]
Subject: Re: Change to the way of authenticating provided by Guacamole
On Sat, Apr 15, 2023 at 9:17 PM Gabriel Huerta Araujo
<[email protected].invalid> wrote:
>
> I did a test and it does not work.
>
> I put mysql-auto-create-accounts (guacamole properties) with true value.
>
> In fact the Tacacs user is the same as the DB user, but why, when I log in with
> the DB user and its password as saved in this repository, can I see Active Sessions?
The likely explanation for why this works is that the database module gets
evaluated first and, if the password is the same, the authentication to
Guacamole is done by the database module and *not* by the TACACS module. I'd
bet that, once the passwords differ between DB and TACACS, the Guacamole
logins will start showing up in your TACACS system.
-Nick
---------------------------------------------------------------------
To unsubscribe, e-mail:
[email protected]
For additional commands, e-mail:
[email protected]