On Sun, May 17, 2020 at 3:05 PM Jason Keltz <[email protected]> wrote:
>
> ------ Original Message ------
> From: "Nick Couchman" <[email protected]>
> To: [email protected]; "Jason Keltz" <[email protected]>
> Sent: 5/16/2020 7:41:24 AM
> Subject: Re: capital letters in usernames
>
> On Fri, May 15, 2020 at 3:32 PM Jason Keltz <[email protected]> wrote:
>
>> Hi.
>>
>> I notice that if I login to Guacamole with my username in all caps (or
>> just any letter), then my logins to Linux/Unix systems will fail. I don't
>> suppose there is a way I can tell Guac to convert usernames to lowercase?
>> This happens when logging into Linux *or* Windows systems.
>>
>
> This discussion has come up in the past, but we haven't done much to
> address it. Yes, Guacamole maintains the case of the username as you enter
> it, which, depending upon what types of systems you're logging into, can be
> more or less problematic. Obviously in the case of a UNIX-based system,
> where usernames can be case-sensitive, that can be a problem. For most
> other platforms, it is not. I wonder if maybe we could provide a way with
> the Token system to alter the case. I'm thinking something like:
>
> ${GUAC_USERNAME} - Pass through as entered
> ${GUAC_USERNAME:lower} - Convert string to lower-case
> ${GUAC_USERNAME:upper} - Convert string to upper-case
>
> That's just me thinking out loud, at this point - I don't know how
> feasible that is, and if it would cause any other issues, but seems like it
> would at least allow the most flexibility in not maintaining current
> behavior but also allowing situations like you mention where you want to
> make sure something is always lower-case, no matter what the user logs in
> with.
>
> The other issue that comes up is that, if you are "stacking"
> authentication modules (JDBC + LDAP, for example), the comparison of
> usernames between the modules is also currently case-sensitive - so, if I
> create a user in the JDBC module called "nick", but log in with an LDAP
> account where the username is "Nick", the LDAP account will not get any
> permissions for the JDBC user "nick", because they are not considered the
> same user. This is something of a pain-point for me, because, while I can
> advise users on how they should log in, I cannot control what they use to
> log in, and if they use FirstName_LastName (instead of
> firstname_lastname), the login will succeed but they may not see everything
> they should have permissions to see. So, perhaps, in that case, a
> directive in guacamole.properties for the LDAP authentication module,
> specifically, that says "convert usernames to lower case" would do the
> trick, and might also handle the situation you're seeing?
>
> I'm interested to hear what others in the community think - I'm throwing
> out my thoughts and opinions, but think this is a good discussion to hear
> from other folks on.
>
> Hi Nick,
>
> I like your idea of the token modifier. However, I could also imagine a
> checkbox somewhere "convert usernames to lowercase". Let me know if I
> should add as a feature request, or whether there is already something.
>
> By the way, for whatever reason, my Windows login doesn't work with the
> capitals in the name either! I don't know why. I just retried it, and it
> doesn't work.
>

That's interesting - my AD environment is quite indifferent to case in the
username, but does enforce for the password. I can log in with any variety
of upper and lower-case letters for username without any issue.

-Nick
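
The two ideas raised in this thread, sketched as an added example that is not part of the original messages and is not Guacamole's code: expansion of the proposed `${GUAC_USERNAME:lower}` / `${GUAC_USERNAME:upper}` modifiers, and a case-folded username match between stacked modules that refuses to merge two stored accounts differing only by case. The function names, permission strings and sample user table are hypothetical and constructed for illustration.

```python
import re

# Token syntax proposed in the thread: ${NAME}, ${NAME:lower}, ${NAME:upper}.
TOKEN = re.compile(r"\$\{([A-Z_]+)(?::([a-z]+))?\}")
MODIFIERS = {None: lambda s: s, "lower": str.lower, "upper": str.upper}


def expand_tokens(template, tokens):
    """Substitute tokens; unknown names or modifiers are left untouched."""
    def repl(match):
        name, modifier = match.group(1), match.group(2)
        if name not in tokens or modifier not in MODIFIERS:
            return match.group(0)
        return MODIFIERS[modifier](tokens[name])
    return TOKEN.sub(repl, template)


def lookup_permissions(login_name, db_users, fold_case=False):
    """Find the database user matching a name authenticated elsewhere (e.g. LDAP).

    With fold_case=False this mirrors the case-sensitive comparison described
    in the thread. With fold_case=True names are compared lower-cased, and a
    fold that would match more than one stored account is rejected rather
    than silently merging two identities.
    """
    if not fold_case:
        return db_users.get(login_name, set())
    matches = [u for u in db_users if u.lower() == login_name.lower()]
    if len(matches) > 1:
        raise ValueError(f"ambiguous after case folding: {sorted(matches)}")
    return db_users[matches[0]] if matches else set()


# Constructed sample data: a database-module user table (hypothetical permissions).
DB_USERS = {"nick": {"READ:linux-ssh", "READ:win-rdp"}}

if __name__ == "__main__":
    print(expand_tokens("${GUAC_USERNAME:lower}", {"GUAC_USERNAME": "Nick"}))
    print(lookup_permissions("Nick", DB_USERS))                  # case-sensitive
    print(lookup_permissions("Nick", DB_USERS, fold_case=True))  # case-folded
```

The ambiguity check matters when a user store already holds names that differ only by case: folding them would otherwise hand one account's permissions to the other.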
