On Tue, Oct 31, 2017 at 5:43 PM, Thompson, John H. (GSFC-606.2)[PATUXENT TECHNOLOGY PARTNERS] <john.h.thomp...@nasa.gov> wrote:
> Will storing the allowed connections in LDAP work with HTTP header
> authentication?
>
> From reading about LDAP, it seems the answer is "no":
>
> "if the bind attempt is successful, the set of available Guacamole
> connections is queried from the LDAP directory by executing an LDAP
> query as the bound user. Each Guacamole connection is represented within
> the directory as a special type of group: guacConfigGroup. Attributes
> associated with the group define the protocol and parameters of the
> connection, and users are allowed access to the connection only if they
> are associated with that group."
>
> From reading about HTTP header, it seems the answer is "maybe ... ?"
>
> "This authentication method must be layered on top of some other
> authentication extension, such as those available from the main project
> website, in order to provide access to actual connections."
>
> The Guacamole documentation is somewhat unclear as to authentication
> versus authorization.
>
> Thanks in advance for any insight you can share!

I believe the answer is no. Mike can correct this if I'm wrong, but my
understanding is that one of the security mechanisms in the LDAP module is
that the bind to look for connections is done with the user who logged in.
So, if the user is logged in through another mechanism (header
authentication), and particularly one that doesn't provide the password to
Guacamole (header will not), then there's not going to be any way for the
user who logged in to bind to the LDAP directory.

Header authentication does layer nicely, though, with the JDBC module, so
the best bet is to use JDBC to store the connections. I realize that you
may be trying to use LDAP's built-in membership mechanism to assign
users/groups to connections, so that doesn't help you there, but header +
JDBC does work.

Regards,
Nick
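For reference, here is what the header + JDBC layering that Nick describes looks like in guacamole.properties. This is an added example, not a configuration posted in the thread or shipped by the project; the property names come from the guacamole-auth-header and guacamole-auth-jdbc-mysql documentation, and the hostname, database name and credentials are placeholders. The header extension supplies only the identity (authentication); the JDBC extension supplies the connections and the user/group permissions on them (authorization), which is the split the original question was asking about.

```properties
# guacamole.properties: HTTP header authentication layered on the MySQL JDBC
# extension. Added example for this thread, not a configuration posted in it.
# Hostname, database name and credentials below are placeholders.

# --- guacamole-auth-header ---
# Name of the request header the reverse proxy sets after it has authenticated
# the user. The extension trusts this header unconditionally, so the Guacamole
# web application must only be reachable through that proxy, and the proxy
# must overwrite (never pass through) any client-supplied copy of the header.
http-auth-header: REMOTE_USER

# --- guacamole-auth-jdbc-mysql ---
# Holds the connections and the user/group -> connection permissions; this is
# the authorization layer that the header extension cannot provide on its own.
mysql-hostname: db.example.internal
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: CHANGE_ME

# Only admit header-authenticated users who also exist in the database, so the
# proxy alone cannot open a Guacamole session for an identity you never created.
mysql-user-required: true
```

With this in place the login page is bypassed entirely: whatever the proxy puts in REMOTE_USER becomes the Guacamole username, and the connections that user sees are exactly those granted to that username (or its groups) in the JDBC database. The LDAP extension is not involved, because, as Nick notes, there is no user password available to bind with.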