On Sat, 20 Apr 2024 15:52:58 -0400 Nick Couchman <vn...@apache.org> wrote:
> > > I believe the issue that Stephan is describing is that, when the
> > > user logs in to Guacamole, and the remote LDAP server that is
> > > authenticating the user logs a client IP address, it should log the
> > > IP address of the browser (far end client) and not the IP address of
> > > the Guacamole Client (tomcat) system. I'm just trying to get clarity
> > > from Stephan on whether this is what he's actually trying to do and
> > > why.
> > >
> > > -Nick
> >
> > Yes, Nick, you are exactly on the right track here. And I am really
> > not in a logging question, but truly in the authentication process
> > where I want to know the far end client.
>
> After looking at this a bit more, I cannot find a way, at least in the
> Apache LDAP API that we use, to configure a client IP or send any sort
> of a message that will pass that information through to the client, so
> I'm not sure how feasible this actually is. RADIUS has the NAS IP
> designed specifically for this type of scenario, but I'm not finding
> any sort of feature similar to NAS IP that allows for this kind of
> messaging.
>
> -Nick

Hello Nick,

first of all, thank you for looking into the issue.

So please let me ask this as a real question and no offence. Why does the project _at all_ use a rather complicated API for authentication instead of "outsourcing" the function into a simple called hook (call it a script), and let this implement the wanted api to ldap, mysql, radius or just about anything that might be needed?

Still in the end an authentication is no more than giving parameters (like username, password, or client ip or whatever the caller (i.e. guacamole) has) and getting the simple answer: yes (authenticated) or no (login failed). If you cut off the whole process at this point the whole story gets a lot more flexible, as anyone can then implement his needed hook (script) for his needs. You may then distribute such hooks inside the project for standard APIs like ldap or the like - or leave it to the users to make/find their own.

To me, designing (and coding) software since the 1980s, this is a pretty clear design decision to be taken.

Regards,
Stephan