On Fri, Feb 23, 2024 at 6:53 AM <u...@alyn.org> wrote:

> Hi there!
>
> I’m new to Guacamole, and have successfully installed it (v1.5.4) in order
> to implement clientless VPN RDP access to our network. The Guacamole server
> is placed behind a corporate firewall which strongly authenticates users
> and then serves them the Guacamole web-app through its own native
> reverse-proxy engine.
>
> I installed the LDAP authentication extension, expanded our Active
> Directory Schema (adding the guacConfigProtocol and guacConfigParameter
> attributes along with the guacConfigGroup class), and everything is working
> fine in this aspect, i.e., connections and connection parameters are all
> managed within Active Directory.
>
> The last missing piece is header authentication – our firewall is able to
> pass on the authenticated username as a custom HTTP header, but after
> installing and testing out guacamole-auth-header-1.5.4.jar I stumbled into
> the following problem: Our firewall encodes the username header in BASE64,
> but the Guacamole header extension does seem to support it and seems to be
> expecting clear-text usernames. After investigating the issue, there is no
> way we can tweak our firewall to avoid encoding the username, it strictly
> enforces this behavior.
>
> Has anyone stumbled into this problem before? Is there some known way the
> header extension can support BASE64 encoding? If not, where can I find the
> header extension source code in order to try and add support for BASE64
> myself?

I've not hit this problem before, although I don't find it terribly
surprising - given the types of usernames (UPNs, for example -
u...@domain.com - or NT-style Windows domain - DOMAIN\USER), I can see why
a firewall would do this.

There's not currently any way for the extension to handle this directly -
it would take some code modifications to do it. It probably wouldn't be
terribly difficult to do and either have a configuration property to tell
it what to do, or maybe even auto-detect when something is Base64 encoded.

That said, I think you're going to run into an issue when you put this into
place if you're trying to couple the header authentication module with the
LDAP module, particularly if you're storing connection information inside
of LDAP (which you indicated above). The LDAP module relies on the username
*AND* password of the user logging in for the process of querying the LDAP
tree for accessible connections. So, the flow of the LDAP module is:
* User enters credentials.
* Guacamole connects with the search bind credentials and locates the user.
* Guacamole re-connects with the located user DN and the password the user entered.
* Guacamole searches for available users, groups, and connections.

The key is that Guacamole *always* un-binds from the search user and
re-binds as the user who is logging in. This means, if you use Header (or
any of the SSO modules), Guacamole will not be able to query LDAP, so you
won't get any of that information.

-Nick
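The code-modification idea above (a configuration property, or auto-detection of a Base64-encoded value) can be sketched in a few lines. The following is an added example, not code from the Guacamole project or from either poster: a standalone Python model of the decision logic such a change would need, written so the firewall's Base64 case and the existing clear-text case can be tested side by side. The `REMOTE_USER` header name, the `plain`/`base64`/`auto` mode values and the username allow-list are all assumptions made for this example, not settings of the real extension.

```python
import base64
import binascii
import re
from typing import Dict, Optional

# Allow-list for a decoded username. It covers UPNs (user@domain.tld) and
# NT-style names (DOMAIN\user) as mentioned in the thread. Constructed for
# this example; a real deployment would match its own naming rules.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@\\\-]{1,256}")

# Canonical Base64: full 4-character groups, optional "=="/"=" padding,
# no whitespace, no URL-safe alphabet.
_BASE64_RE = re.compile(
    r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
)


def encode_username(username: str) -> str:
    """What the firewall in the thread does: Base64 of the UTF-8 username."""
    return base64.b64encode(username.encode("utf-8")).decode("ascii")


def decode_base64_strict(value: str) -> Optional[str]:
    """Return the decoded UTF-8 text only if value is canonical Base64.

    Canonical means: matches the strict alphabet/padding pattern, decodes
    cleanly, and re-encodes to exactly the same string (this rejects
    non-zero trailing bits and alternative paddings).
    """
    if not _BASE64_RE.fullmatch(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if base64.b64encode(raw).decode("ascii") != value:
        return None
    return text


def extract_username(
    headers: Dict[str, str],
    header_name: str = "REMOTE_USER",   # constructed default for this example
    encoding: str = "plain",            # hypothetical setting: plain | base64 | auto
) -> Optional[str]:
    """Return the validated username carried in the trusted header, or None to deny.

    plain  - the header value is the username (the extension's current behaviour).
    base64 - the header value must be canonical Base64 of the username
             (the firewall in the thread); anything else is rejected.
    auto   - decode when the value is canonical Base64 AND the result is a
             plausible username; otherwise treat the raw value as the name.
    The header is only meaningful when the reverse proxy is the sole path
    to Guacamole, so that clients cannot set it themselves.
    """
    value = headers.get(header_name)
    if value is None:
        return None
    value = value.strip()

    if encoding == "plain":
        candidate: Optional[str] = value
    elif encoding == "base64":
        candidate = decode_base64_strict(value)
    elif encoding == "auto":
        decoded = decode_base64_strict(value)
        if decoded is not None and _USERNAME_RE.fullmatch(decoded):
            candidate = decoded
        else:
            candidate = value
    else:
        raise ValueError(f"unknown encoding mode: {encoding!r}")

    if candidate is None or not _USERNAME_RE.fullmatch(candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: the firewall case, a plain NT-style name, and the
    # auto-detect ambiguity ("Nick" is itself canonical Base64 for b"6'$").
    print(extract_username({"REMOTE_USER": encode_username("jdoe@corp.example")}, encoding="base64"))
    print(extract_username({"REMOTE_USER": "CORP\\jdoe"}, encoding="plain"))
    print(extract_username({"REMOTE_USER": "Nick"}, encoding="auto"))
```

The `auto` mode shows why an explicit property is the safer of the two options Nick mentions: a short clear-text username such as `Nick` is also well-formed Base64, so auto-detection can only be made unambiguous by validating what the decoded bytes look like, and the allow-list is doing that work here. With a fixed `base64` setting, a clear-text value is simply rejected and the login fails closed.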
