On Fri, May 15, 2020 at 3:32 PM Jason Keltz <[email protected]> wrote:
> Hi.
>
> I notice that if I login to Guacamole with my username in all caps (or
> just any letter), then my logins to Linux/Unix systems will fail. I don't
> suppose there is a way I can tell Guac to convert usernames to lowercase?
> This happens when logging into Linux *or* Windows systems.
>
This discussion has come up in the past, but we haven't done much to
address it. Yes, Guacamole maintains the case of the username as you enter
it, which, depending upon what types of systems you're logging into, can be
more or less problematic. Obviously in the case of a UNIX-based system,
where usernames can be case-sensitive, that can be a problem. For most
other platforms, it is not. I wonder if maybe we could provide a way with
the Token system to alter the case. I'm thinking something like:
${GUAC_USERNAME} - Pass through as entered
${GUAC_USERNAME:lower} - Convert string to lower-case
${GUAC_USERNAME:upper} - Convert string to upper-case
That's just me thinking out loud, at this point - I don't know how feasible
that is, and if it would cause any other issues, but seems like it would at
least allow the most flexibility in not maintaining current behavior but
also allowing situations like you mention where you want to make sure
something is always lower-case, no matter what the user logs in with.
The other issue that comes up is that, if you are "stacking" authentication
modules (JDBC + LDAP, for example), the comparison of usernames between the
modules is also currently case-sensitive - so, if I create a user in the
JDBC module called "nick", but log in with an LDAP account where the
username is "Nick", the LDAP account will not get any permissions for the
JDBC user "nick", because they are not considered the same user. This is
something of a pain-point for me, because, while I can advise users on how
they should log in, I cannot control what they use to log in, and if they
user FirstName_LastName (instead of firstname_lastname), the login will
succeed but they may not see everything they should have permissions to
see. So, perhaps, in that case, a directive in guacamole.properties for
the LDAP authentication module, specifically, that says "convert usernames
to lower case" would do the trick, and might also handle the situation
you're seeing?
I'm interested to hear what others in the community think - I'm throwing
out my thoughts and opinions, but think this is a good discussion to hear
from other folks on.
-Nick
