richk wrote
> In the docs with regards to the CAS extension it has this line:
>
> "This module must be layered on top of other authentication extensions that
> provide connection information, as it only provides user authentication".
>
> So would I configure the auth-provider property with
> BasicFileAuthenticationProvider as usual, but then specify
> cas-authorization-endpoint and cas-redirect-uri to override the default
> login action to use CAS instead? If so, then can I just specify the
> connection configs in user-mapping.xml as usual too?
>
> Is that how it's intended to work? It seems too easy?

Layering just means that you have/use multiple modules. Guacamole compares usernames between the modules to "connect" the user accounts between the modules. So, you can definitely use the basic file authentication provider and put usernames and connections in that file, then install the CAS module and point it at your CAS server, and, as long as the usernames match, it will pull in the connections for those users from the basic file provider.

However, using the basic file provider for this layering has a couple of catches. In particular, when you configure users in the basic file module, you have to specify a username and password, so you'll need to generate complex enough passwords that no one would be able to guess them. Also, the basic file module requires that you specify connections under the users in the XML layout. Unless there's a way to do it that's not documented in the Guacamole documentation (Mike?), that means that you cannot specify a connection and then assign it to multiple users - you'd have to copy that connection specification multiple times under each of the accounts you'd want it to apply to.

So, if you're layering it's really better to do it with the JDBC module - it will auto-generate the passwords for the users you create, and you can allow multiple users to access the same connection without having to create it multiple times. You could also do this with the LDAP module if you wanted to layer CAS with LDAP - IMHO the JDBC module just makes the most sense.

-Nick

--
Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/
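
An added example, not part of the original reply or the Guacamole project: a short Python script that generates a `user-mapping.xml` addressing both catches described above, giving each CAS username a random unguessable password and copying a shared connection under every user. The usernames, connection name, hostname and the `build_user_mapping` helper are constructed for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample data: usernames as the CAS server reports them,
# plus one connection that every listed user should be able to reach.
CAS_USERS = ["alice", "bob"]
SHARED_CONNECTION = {
    "name": "build-server",
    "protocol": "ssh",
    "params": {"hostname": "build.example.internal", "port": "22"},
}


def build_user_mapping(usernames, connections, password_bytes=32):
    """Return a <user-mapping> element with one <authorize> block per user."""
    if len(set(usernames)) != len(usernames):
        raise ValueError("duplicate usernames would produce ambiguous entries")
    root = ET.Element("user-mapping")
    for username in usernames:
        authorize = ET.SubElement(root, "authorize", {
            "username": username,
            # Nobody types this password, since login goes through CAS, so it
            # only has to be unguessable. 32 random bytes = 256 bits.
            "password": secrets.token_urlsafe(password_bytes),
        })
        # The file format nests connections under each user, so a shared
        # connection is copied into every <authorize> block.
        for conn in connections:
            node = ET.SubElement(authorize, "connection", {"name": conn["name"]})
            ET.SubElement(node, "protocol").text = conn["protocol"]
            for key, value in conn["params"].items():
                ET.SubElement(node, "param", {"name": key}).text = value
    return root


def render(root):
    """Serialize the mapping; pretty-print where the stdlib supports it."""
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(render(build_user_mapping(CAS_USERS, [SHARED_CONNECTION])))
```

The generated file contains the passwords in clear text, so it should be readable only by the account running the servlet container.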