Thanks, that makes sense.
 
Is there a solution that would allow me to use LDAP authentication via SSO?
As a reminder, my users must already authenticate via MFA (Okta) on our SSL VPN web platform (Fortigate) before accessing the Guacamole web interface.
 
I want to keep LDAP to use AD groups mapped to connections in Guacamole.
 
Thanks for your help.
 
Stephan
 
Sent: Wednesday, August 2, 2023 at 22:55
From: "Nick Couchman" <vn...@apache.org>
To: user@guacamole.apache.org
Subject: Re: Guacamole Auth Header
On Wed, Aug 2, 2023 at 11:11 AM Stephan <sha...@gmx.com> wrote:
>
>
> I manually populated the $remote_user variable with an existing account in my LDAP, I can automatically connect to Guacamole but I can't find any connection already configured. If I try a classic LDAP connection, I see my connections.
> Isn't it possible to use Auth-Header and LDAP at the same time?

No, it isn't - this is because the LDAP extension works in the following way:
* User gets Guacamole login page and enters credentials.
* If a Search DN/password has been configured, the extension connects
with the credentials to locate the user, then disconnects.
* If a Search DN/password has not been configured, the extension
computes the expected DN of the user.
* The DN - either searched for and found or computed - and password
entered by the user are used to establish a new LDAP connection.
* The connection with the user's credentials is then used to search
the LDAP tree to locate connections, connection groups, etc., which
are displayed for the user.

Since the Header auth module will have no knowledge of the user's
password, it isn't possible for it to connect to LDAP using the user's
credentials, so the LDAP module won't be used to retrieve connections.
This is an intentional design - it allows for access control to
Guacamole connections by leveraging the security already present in
LDAP.

-Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
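
The flow described in the reply above, as an added Python model that is not part of the original thread and is not Guacamole's own code. It uses a constructed in-memory directory: the DNs, passwords, connection names, the `uid=` DN pattern and the per-entry read ACLs are all assumptions made for illustration.

```python
# Constructed in-memory model of the LDAP flow described above; not Guacamole code.
# All DNs, passwords and connection names are made up for illustration.
SEARCH_DN, SEARCH_PW = "cn=svc-guac,dc=example,dc=net", "svc-secret"
USER_BASE = "ou=people,dc=example,dc=net"

# DN -> password the directory accepts for a simple bind
PASSWORDS = {
    SEARCH_DN: SEARCH_PW,
    f"uid=alice,{USER_BASE}": "alice-pw",
    f"uid=bob,{USER_BASE}": "bob-pw",
}
# Connection entry -> DNs the directory's ACLs allow to read it (assumed ACL model)
CONNECTIONS = {
    "cn=rdp-finance,ou=guac,dc=example,dc=net": {f"uid=alice,{USER_BASE}"},
    "cn=ssh-build,ou=guac,dc=example,dc=net": {f"uid=alice,{USER_BASE}", f"uid=bob,{USER_BASE}"},
}

def bind(dn, password):
    """Simple bind: returns the bound DN, or None (missing/empty passwords are rejected)."""
    if password and PASSWORDS.get(dn) == password:
        return dn
    return None

def find_user_dn(username, use_search_bind=True):
    """Locate the user with the search account, or compute the expected DN."""
    candidate = f"uid={username},{USER_BASE}"
    if not use_search_bind:
        return candidate                       # computed DN, no lookup
    if bind(SEARCH_DN, SEARCH_PW) is None:
        return None
    return candidate if candidate in PASSWORDS else None  # search connection ends here

def search_connections(bound_dn):
    """The directory returns only entries the bound identity may read."""
    return sorted(dn for dn, readers in CONNECTIONS.items() if bound_dn in readers)

def ldap_login(username, password, use_search_bind=True):
    """LDAP flow: find the DN, bind as the user, search as the user. None = login failed."""
    user_dn = find_user_dn(username, use_search_bind)
    session = bind(user_dn, password) if user_dn else None
    return search_connections(session) if session else None

def header_login(username):
    """Header auth: the proxy asserts the identity; no password ever reaches Guacamole."""
    ldap_view = ldap_login(username, password=None)  # the user bind cannot succeed
    return {"user": username, "connections": ldap_view or []}
```
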
 