necouchman commented on code in PR #258:
URL: https://github.com/apache/guacamole-manual/pull/258#discussion_r1750933815
##########
src/auth-restrict.md:
##########
@@ -0,0 +1,302 @@
+Enforcing Advanced Login and Connection Restrictions
+====================================================
+
+A feature of Guacamole as of version 1.6.0 is an extension that allows you to
+enforce advanced restrictions on both user logins to Guacamole as well as the
+user of connections and connection groups. The extension,
+`guacamole-auth-restrict`, decorates other authentication extensions that
+contain user information and/or connections, and allows you to apply
+restrictions to those objects for the time(s) that users are allowed or not
+allowed to log in, the hosts from which users may or may not log in, the
+time(s) that certain connections and balancing connection groups may or
+may not be used, and the hosts from which certain connections and
+balancing connection groups may or not may not be used. The goal is to
+give administrators of a Guacamole system additional flexibility in
+restricting when and from where the system can be used.
+
+As this extension decorates underlying extensions, it must be used alongside
+one that is capable of storing additional information for users, user groups,
+connections, and connection groups. Currently the only extension provided
+by the Guacamole project that is capable of doing this is the
+[JDBC authentication extension](jdbc-auth). Other extensions, such as the
+[LDAP authentication extension](ldap-auth) or
+[JSON authentication extension](json-auth) could potentially be used to
+provide the required data for this extension to function correctly; however
+this document focuses on the use of this extension alongside the JDBC
+extension and does not cover the details required to make this
+function with those other extensions.
+
+:::{important}
+This chapter involves modifying the contents of `GUACAMOLE_HOME` - the
+Guacamole configuration directory. If you are unsure where `GUACAMOLE_HOME` is
+located on your system, please consult [](configuring-guacamole) before
+proceeding.
+:::
+
+Downloading the auth-restrict extension
+---------------------------------------
+
+The guacamole-auth-restrict extension is available separately from the main
+`guacamole.war`. The link for this and all other officially-supported and
+compatible extensions for a particular version of Guacamole are provided on the
+release notes for that version. You can find the release notes for current
+versions of Guacamole here: http://guacamole.apache.org/releases/.
+
+The extension is packaged as a `.tar.gz` file containing only the extension
+itself, `guacamole-auth-restrict-1.6.0.jar`, which must ultimately be placed
+in `GUACAMOLE_HOME/extensions`.
+
+(installing-auth-restrict)=
+
+Installing the auth-restrict extension
+--------------------------------------
+
+Guacamole extensions are self-contained `.jar` files which are located within
+the `GUACAMOLE_HOME/extensions` directory. To install the
+guacamole-auth-restrict extension, you must:
+
+1. Create the `GUACAMOLE_HOME/extensions` directory, if it does not already
+ exist.
+
+2. Copy `guacamole-auth-restrict-1.6.0.jar` within `GUACAMOLE_HOME/extensions`.
+
+3. [As noted below](using-auth-restrict), apply additional restrictions to
+ users, user groups, connections, and/or connection groups.
+
+:::{important}
+You will need to restart Guacamole by restarting your servlet container in
+order to complete the installation. Doing this will disconnect all active
+users, so be sure that it is safe to do so prior to attempting installation.
+:::
+
+(auth-restrict-config)=
+
+### Configuring Guacamole for advanced restrictions
+
+There are no guacamole.properties parameters that need to be configured
+in order to begin using the auth-restrict extension.
+
+:::{important}
+However, because the extension is capable of restricting access to logins
+and connections based on the client's IP address, it is important to make
+sure that Guacamole is receiving the correct IP address(es) for clients.
+This is particularly noteworthy when Guacamole is behind a reverse proxy,
+as noted in the [proxying Guacamole](reverse-proxy) manual page, but
+administrators should validate any potential network component that may
+block or adjust the IP address that Guacamole receives for client
+connections.
+:::
+
+(completing-auth-restrict-install)=
+
+### Completing the installation
+
+Guacamole will only reread `guacamole.properties` and load newly-installed
+extensions during startup, so your servlet container will need to be restarted
+before installation of the auth-restrict extension will take effect.
+
+(using-auth-restrict)=
+
+Using the auth-restrict extension
+---------------------------------
+
+Once the extension is installed and the web application restarted, an
additional
+section of options will appear in the administrative pages of Guacamole that
+will allow administrators to configure the additional restrictions for various
+objects within the Guacamole system. The new section of options looks like
this:
+
+
+
+The next sections will cover how each restriction impacts the various objects
+in the system.
+
+### User Logins
+
+Additional settings can be applied to users and user groups that will restrict
+the ability of those individual users or members of the groups to log in to
+Guacamole.
+
+#### Restricting logins based on day and time
+
+This extension introduces the ability to restrict logins to the Guacamole
+system based on the day of the week and the time of day, and to combine these
+restrictions in a way that allows for flexibility in those schedules.
+
+As an example, let's say that you have a user or group of users whose access
+you'd like to restrict to your normal working hours of 9 AM to 5 PM, any day
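Review bot: The `:::{important}` block under "Configuring Guacamole for advanced restrictions" tells administrators to make sure Guacamole receives the correct client IP address, but it does not say what happens when it does not. Suggest stating the consequence directly: if Guacamole sees the reverse proxy's address instead of the client's, every host-based login and connection restriction is evaluated against the proxy's address, so the configured allow and deny rules will not behave as intended. Separately, the release notes link in "Downloading the auth-restrict extension" is given as `http://guacamole.apache.org/releases/`; since this is where readers are sent to fetch the extension, `https://` is the better scheme to document. In step 2 of the install list, "Copy ... within `GUACAMOLE_HOME/extensions`" would read better as "into".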
Review Comment:
Ah, yes, you're absolutely right - I knew I was forgetting something.
##########
src/auth-restrict.md:
##########
@@ -0,0 +1,302 @@
+Enforcing Advanced Login and Connection Restrictions
+====================================================
+
+A feature of Guacamole as of version 1.6.0 is an extension that allows you to
+enforce advanced restrictions on both user logins to Guacamole as well as the
+user of connections and connection groups. The extension,
+`guacamole-auth-restrict`, decorates other authentication extensions that
+contain user information and/or connections, and allows you to apply
+restrictions to those objects for the time(s) that users are allowed or not
+allowed to log in, the hosts from which users may or may not log in, the
+time(s) that certain connections and balancing connection groups may or
+may not be used, and the hosts from which certain connections and
+balancing connection groups may or not may not be used. The goal is to
+give administrators of a Guacamole system additional flexibility in
+restricting when and from where the system can be used.
+
+As this extension decorates underlying extensions, it must be used alongside
+one that is capable of storing additional information for users, user groups,
+connections, and connection groups. Currently the only extension provided
+by the Guacamole project that is capable of doing this is the
+[JDBC authentication extension](jdbc-auth). Other extensions, such as the
+[LDAP authentication extension](ldap-auth) or
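Review bot: The opening paragraph has two wording slips: "the user of connections and connection groups" should read "the use of connections and connection groups", and "may or not may not be used" should read "may or may not be used". That sentence also runs across seven lines; breaking the four restriction types it names (login times, login hosts, connection times, connection hosts) into a short list would make the scope of the extension easier to scan.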
Review Comment:
Fair point. I've removed it.
--
This is an automated message from the Apache Git Service.