On Mon, Mar 20, 2017 at 10:59 AM, tek0011 <[email protected]> wrote:
> Still working on this. Another person is trying to fork our own no-auth
> extension, that will be a true no-auth.

I strongly recommend against any approach centered around the idea of
disabling authentication. The idea when integrating Guacamole with an
external authentication system should be to (1) verify the authentication
result with that system and (2) pull/generate the connection data required
for each user based on that result.

If the connection data is generated dynamically, you will need to look into
both getUserContext() (which is called to generate the data available for
the user upon login) and updateUserContext() (which is called for every
request for users who are already logged in) for the AuthenticationProvider
interface:

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#getUserContext-org.apache.guacamole.net.auth.AuthenticatedUser-

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#updateUserContext-org.apache.guacamole.net.auth.UserContext-org.apache.guacamole.net.auth.AuthenticatedUser-org.apache.guacamole.net.auth.Credentials-

> In the meantime, we may have found
> another possible way, but I also don't understand why this isn't working.
>
> We moved from no-auth to user-mapping but we run into the exact same issue.
> PHP script runs, checks for the existence of <hostname> in
> user-mapping.xml.
> If it doesn't exist, it adds it, then redirects the user to it.
>

Both NoAuth and the default XML-driver authentication (user-mapping.xml)
will cache the data available to a user upon login. In the case of NoAuth,
users are logged in to a placeholder account without checking credentials
of any kind, but they are still logged in. Because the data is cached until
the user logs out, external changes to configuration will not take effect
as you expect.

It is possible to write an extension which does not cache configuration
(see updateUserContext() mentioned above), but there is still a client-side
cache of REST responses, including the response which contains all
connections available to a particular user. This will not affect the
ability to connect to a particular connection if you happen to know its
URL, but it will affect the contents the home screen renders.

Ultimately, relying on a script to update XML configuration will always be
a hack. The proper approach is to write an authentication extension which
directly integrates things the way you need. If that still doesn't fit the
way you're intending to embed Guacamole, then it sounds like you should be
looking toward using the Guacamole API itself:

http://guacamole.incubator.apache.org/doc/gug/writing-you-own-guacamole-app.html

The web application is kept separate from the APIs which drive it for
exactly this sort of scenario. The expectation is that either Guacamole
will work as needed out-of-the-box, an authentication extension can be
written to integrate Guacamole with an external auth system (and then
otherwise function normally), or a different web application can be written
based on the same core (the Guacamole API).

- Mike
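
The approach described in the reply above, as an added example that is not part of the original message and not Guacamole's own code. It assumes the guacamole-ext API documented at the linked Javadoc (SimpleAuthenticationProvider and its getAuthorizedConfigurations()); ExternalDirectory, its stand-in implementation, the "external-example" identifier and the choice of RDP are hypothetical.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.simple.SimpleAuthenticationProvider;
import org.apache.guacamole.protocol.GuacamoleConfiguration;

public class ExternalAuthProvider extends SimpleAuthenticationProvider {
    /** Hypothetical client for the external auth system; not part of Guacamole. */
    public interface ExternalDirectory {
        boolean verify(String username, String password); // step (1)
        List<String> hostsFor(String username);            // input for step (2)
    }
    // Constructed stand-in that denies everyone; replace with a real client.
    private final ExternalDirectory directory = new ExternalDirectory() {
        public boolean verify(String user, String password) { return false; }
        public List<String> hostsFor(String user) { return Collections.<String>emptyList(); }
    };
    @Override
    public String getIdentifier() { return "external-example"; }

    @Override
    public Map<String, GuacamoleConfiguration> getAuthorizedConfigurations(
            Credentials credentials) throws GuacamoleException {
        String user = credentials.getUsername();
        // (1) Fail closed: null means "not authorized", never a placeholder login.
        if (user == null || !directory.verify(user, credentials.getPassword()))
            return null;
        // (2) Generate connection data only for hosts this user is entitled to.
        Map<String, GuacamoleConfiguration> configs = new HashMap<String, GuacamoleConfiguration>();
        for (String host : directory.hostsFor(user)) {
            GuacamoleConfiguration config = new GuacamoleConfiguration();
            config.setProtocol("rdp"); // assumed protocol for this example
            config.setParameter("hostname", host);
            configs.put(host, config);
        }
        return configs;
    }

    // Called for every request from a logged-in user: rebuild the context
    // instead of returning the one created at login.
    @Override
    public UserContext updateUserContext(UserContext context, AuthenticatedUser authenticatedUser,
            Credentials credentials) throws GuacamoleException {
        return getUserContext(authenticatedUser);
    }
}
```

Rebuilding the context on every request costs one external lookup per request, and the client-side cache of REST responses mentioned in the reply still applies to the home screen.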
