On Fri, Feb 23, 2024 at 7:48 AM <u...@alyn.org> wrote:

> Thanks for the quick reply, Nick.
>
> Can you point out a justified reason for the LDAP module behavior you were
> mentioning? As far as I can think of, there shouldn’t be any practical
> reason for not being able to use the search user’s binding in order to
> query the logon user’s memberships in guacConfigGroup objects.

It's actually quite practical and quite intentionally designed to behave that way. It allows for the LDAP extension to make use of the security built in to the LDAP directory, so that you can restrict access to connections by simply using LDAP ACLs to restrict what the user can see. I would imagine that, at some point, we may provide alternatives within the implementation to this - a configuration option that makes it behave differently - but I would also expect we would retain this as the default behavior.

> In any case, if this is how it is implemented I reckon that I could simply
> revert back to using the plain user-mapping.xml file, hoping that header
> authentication works fine with it. So getting back to my original question,
> is there a known way I get access to the guacamole-auth-header source code,
> or alternatively get assistance from its authors in order to add support
> for base64 encoding?

The user-mapping.xml file will not work because it does not "layer" with any of the other modules, for a couple of reasons. One is that it sort of behaves like the LDAP module does, in one respect, where the ability to get access to the connections defined in the file is based on you authenticating with a valid username *and* password as defined in the file - and if you're not entering a password, or entering a password that doesn't match the one in the file, you're not going to get the connections as defined in the file. The extension for storing connections that will allow you to use Header, SSO, etc., is really the JDBC module - it's very much designed to be a flexible back-end that works well with most of the other modules.

The source code for guacamole-client can be found here:

https://github.com/apache/guacamole-client

with the header module, specifically, here:

https://github.com/apache/guacamole-client/tree/master/extensions/guacamole-auth-header

I was the original author of the header module, so I'm fairly familiar with the code.

Also, a quick Google search for "how to detect base64 encoding in Java" turns up some options that should be pretty straightforward:

    import org.apache.commons.codec.binary.Base64;

    String stringToBeChecked = "...";
    boolean isBase64 = Base64.isArrayByteBase64(stringToBeChecked.getBytes());

(from https://stackoverflow.com/questions/8571501/how-to-check-whether-a-string-is-base64-encoded-or-not ).

Should be easy enough to add that check into the Header module where it gets the username, and then decode if it believes it is Base64 encoded.

-Nick
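
Added example (not part of the original message, and not code from guacamole-auth-header): an alphabet check alone cannot tell an encoded username from a plain one, since a name like "Jill" is itself valid Base64, so this sketch decodes only when a deployment setting says the proxy encodes the header, and rejects malformed values instead of falling back. The class, method and flag names are hypothetical, and it uses the JDK's java.util.Base64 rather than the Commons Codec call quoted above.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical helper, not part of guacamole-auth-header.
public class HeaderUsername {

    // Heuristic check: true whenever the value happens to be canonical,
    // padded Base64, whether or not anyone actually encoded it.
    static boolean looksLikeBase64(String value) {
        try {
            byte[] raw = Base64.getDecoder().decode(value);
            return Base64.getEncoder().encodeToString(raw).equals(value);
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // headerIsBase64 is an assumed deployment setting: true only when the
    // authenticating proxy is known to Base64-encode the username header.
    static String resolve(String headerValue, boolean headerIsBase64)
            throws CharacterCodingException {
        if (!headerIsBase64)
            return headerValue;
        if (headerValue == null || !looksLikeBase64(headerValue))
            throw new IllegalArgumentException("username header is not valid Base64");
        byte[] raw = Base64.getDecoder().decode(headerValue);
        // Strict UTF-8: malformed bytes raise instead of becoming U+FFFD.
        String name = StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(raw)).toString();
        if (name.isEmpty() || name.chars().anyMatch(Character::isISOControl))
            throw new IllegalArgumentException("decoded username is empty or has control characters");
        return name;
    }

    public static void main(String[] args) throws CharacterCodingException {
        // Constructed sample header values.
        String[] samples = { "YWxpY2VAZXhhbXBsZS5vcmc=", "Jill", "alice" };
        for (String s : samples)
            System.out.println(s + " looksLikeBase64=" + looksLikeBase64(s));
        System.out.println(resolve("YWxpY2VAZXhhbXBsZS5vcmc=", true));
        System.out.println(resolve("Jill", false));
    }
}
```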