Thanks Mike. I ended up writing an authentication extension for Guacamole as described in Chapter 18. It sets the username and password in the GuacamoleConfiguration from the Authentication header in the servlet request. I see from your explanation I could have just configured LDAP in Guac and it would have handled that. My authentication extension does a lookup for the user's RDP server that already existed in a database table, so at least I didn't have to modify the LDAP schema. Thanks again. Guac rocks!

R☮ck on,
PLA
Patrick L Archibald
http://PatrickArchibald.com

On Sat, Nov 5, 2016 at 2:34 AM, Mike Jumper <[email protected]> wrote:
> On Mon, Oct 31, 2016 at 6:51 AM, Patrick L Archibald (PLA) ☮
> <[email protected]> wrote:
>>
>> Hi,
>>
>> Our Intranet is an Apache front end configured with HTTP Basic
>> authentication via LDAP to a Windows AD. Apache uses ProxyPass
>> websocket-tunnel to the Guac Tomcat application server.
>>
>> I would like to pass the HTTP Basic authentication user name and
>> password to Windows 2008 R2 RDS VMs and Windows 7 VMs.
>
> Guacamole will do this automatically, at least in part. If the
> "Authorization" header is present from HTTP Basic authentication,
> Guacamole's authentication system will automatically pull the username and
> password and pass them to installed authentication extensions.
>
>> I had noauth-config.xml configured like so:
>
> If you want usernames or passwords to have any meaning, using NoAuth (the
> extension which effectively neuters the authentication system) is definitely
> not the way to go. More on this below.
>
>> Before I roll my own authentication, is there a BASIC_USERNAME and
>> BASIC_PASSWORD token?
>
> There are no such tokens, but if there is no true separation of identity
> between the user authenticating via HTTP Basic and the user authenticating
> with the RDP server, I think it would be a mistake to try to force such a
> separation within Guacamole. It would be better to embrace Guacamole's
> concept of a user and credentials, and allow the layers to communicate
> properly.
>
> For an arbitrary user X, you currently have the following layers, connected
> in order:
>
> 1) Proxy (configured to verify and recognize user X)
> 2) Guacamole (configured to not recognize anyone thanks to NoAuth)
> 3) RDP (configured to verify and recognize user X)
>
> The system here breaks down because the middle layer (Guacamole) has been
> explicitly configured to not care about identity. What you should be doing
> instead is:
>
> 1) Proxy (configured to verify and recognize user X)
> 2) Guacamole (configured to verify and recognize user X)
> 3) RDP (configured to verify and recognize user X)
>
> If each layer is configured to verify and recognize the user in the same
> way, then each layer will function as expected, including the behavior of
> things like the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens.
>
>> Any other suggestions?
>
> I'd recommend using the LDAP authentication included with Guacamole, either
> on its own or together with a database. As long as you configure the LDAP
> authentication to use the same Windows AD server as your proxy, the
> username/password within the HTTP Basic authentication will just magically
> work, and users will not need to manually log in.
>
> You would end up with a system which re-verifies the credentials provided,
> and then pulls connection data from elsewhere. If eventually someone manages
> to access your Guacamole server without going through your authenticating
> proxy, Guacamole would itself enforce authentication, and things remain
> secure.
>
> Thanks,
>
> - Mike
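The three-layer setup Mike recommends (proxy, Guacamole and RDP all verifying the same AD identity), written out as an added example configuration. This is not from the thread or from the Guacamole project: the hostnames, base DNs, service-account names, paths and the Tomcat port are placeholders and are assumed; the directives themselves are standard Apache 2.4 mod_authnz_ldap / mod_proxy / mod_proxy_wstunnel directives and Guacamole 0.9.x LDAP and MySQL extension properties.

```apache
# /etc/httpd/conf.d/guacamole.conf  (layer 1: the proxy verifies user X against AD)
# Requires mod_ssl, mod_authnz_ldap, mod_proxy, mod_proxy_http, mod_proxy_wstunnel.
<VirtualHost *:443>
    ServerName intranet.example.com          # assumed placeholder
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/intranet.crt   # assumed path
    SSLCertificateKeyFile /etc/pki/tls/private/intranet.key # assumed path

    <Location /guacamole/>
        AuthType Basic
        AuthName "Intranet"
        AuthBasicProvider ldap
        # Same AD the Guacamole LDAP extension below points at, so the
        # credentials in the Basic "Authorization" header mean the same
        # thing at every layer. sAMAccountName is the AD login name.
        AuthLDAPURL "ldap://ad.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "CN=apache-bind,OU=Service Accounts,DC=example,DC=com"   # assumed
        AuthLDAPBindPassword "changeme"                                        # assumed
        Require valid-user
    </Location>

    # mod_proxy forwards the client's Authorization header to Tomcat unchanged,
    # which is what lets Guacamole pick the username/password up automatically.
    # The websocket tunnel rule must come before the general rule.
    ProxyPass        /guacamole/websocket-tunnel ws://127.0.0.1:8080/guacamole/websocket-tunnel
    ProxyPassReverse /guacamole/websocket-tunnel ws://127.0.0.1:8080/guacamole/websocket-tunnel
    ProxyPass        /guacamole/ http://127.0.0.1:8080/guacamole/ flushpackets=on
    ProxyPassReverse /guacamole/ http://127.0.0.1:8080/guacamole/
</VirtualHost>

# /etc/guacamole/guacamole.properties  (layer 2: Guacamole re-verifies user X
# against the same AD, then pulls connection data from the database)
guacd-hostname: localhost
guacd-port:     4822

# guacamole-auth-ldap: bind as the user to the same AD the proxy uses.
ldap-hostname:           ad.example.com
ldap-port:               389
ldap-encryption-method:  none          # use starttls, or ssl on 636, outside a lab
ldap-user-base-dn:       DC=example,DC=com
ldap-username-attribute: sAMAccountName
# AD users live in nested OUs, so let Guacamole search for the user's DN with a
# service account first, then bind with the user's own credentials.
ldap-search-bind-dn:       CN=guac-bind,OU=Service Accounts,DC=example,DC=com   # assumed
ldap-search-bind-password: changeme                                             # assumed

# guacamole-auth-jdbc-mysql: connections (and the per-user RDP host) come from
# here, so the AD schema needs no guacConfigGroup entries at all.
mysql-hostname: localhost
mysql-port:     3306
mysql-database: guacamole_db      # assumed
mysql-username: guacamole_user    # assumed
mysql-password: changeme          # assumed
```

With both extensions installed, LDAP authenticates the Basic credentials and the database supplies the connections, so each AD user who should get a connection needs a matching (same username) account in the Guacamole database. For layer 3, define the RDP connection in the admin UI with Username set to `${GUAC_USERNAME}` and Password set to `${GUAC_PASSWORD}`; because Guacamole now verified those credentials itself, the tokens carry the real AD username and password through to the Windows host. To make Mike's closing point hold in practice (someone reaching Tomcat without passing the proxy), bind the Tomcat HTTP connector to 127.0.0.1 (the `address` attribute on the `<Connector>` in server.xml) rather than all interfaces; even then, Guacamole's own LDAP check still rejects anyone who arrives without valid AD credentials.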
