Thanks Nick—definitely heading out of my depth here, but are you saying we don't need to provide an authentication provider at all? Or just not override the default getAuthorizedConfigurations() function? I'm looking at the LDAP & JSON auth extension source code and trying to piece together a minimal skeleton which can accept Credentials and return a User with associated group. Is there anything more straightforward than those?
Many thanks,
David

On Tue, 18 Jun 2024 at 16:02, Nick Couchman <vn...@apache.org> wrote:

> On Tue, Jun 18, 2024 at 5:31 AM David Lomas <d...@pale-eds.co.uk.invalid> wrote:
>
>> Hi,
>>
>> I'm having a little success building a custom service provider for
>> integrating our existing proprietary app for remote access, but I'm hoping
>> I can return the required configuration which will associate a user with an
>> existing user group stored in the JDBC database, rather than having to
>> return explicit connection details—is this possible? The reason is to
>> authenticate users externally from another source, but then give them all
>> the same access to a set of connections stored in a connection group.
>>
>> As a test, I have this:
>>
>>     @Override
>>     public Map<String, GuacamoleConfiguration>
>>             getAuthorizedConfigurations(Credentials credentials)
>>             throws GuacamoleException {
>>
>>         if (!"test1".equals(credentials.getUsername())) {
>>             return null;
>>         }
>>
>>         if (!"test1".equals(credentials.getPassword())) {
>>             return null;
>>         }
>>
>>         // Successful login. Return configurations.
>>         Map<String, GuacamoleConfiguration> configs =
>>                 new HashMap<String, GuacamoleConfiguration>();
>>
>>         // Create new configuration
>>         GuacamoleConfiguration config = new GuacamoleConfiguration();
>>
>>         config.setProtocol("rdp");
>>         config.setParameter("hostname", "10.0.0.1");
>>         config.setParameter("port", "3389");
>>         config.setParameter("security", "nla");
>>         config.setParameter("username", "test001");
>>         config.setParameter("password", "pwd001");
>>         config.setParameter("ignore-cert", "true");
>>
>>         configs.put("Test Connection", config);
>>         return configs;
>>
>>     }
>>
>> And that works fine connecting to the specific client at 10.0.0.1. I'd
>> like to remove all the config.set...() calls to just return a user group
>> name (which already exists). I tried naively something like this (and
>> variations of 'user-group'):
>>
>>     config.setParameter("user-group", "test");
>>
>> But no luck. Is there a way to do this? I feel like the API documentation
>> for the authentication provider might help, but I've been unable to find it
>> via the main docs.
>>
>
> There is a way to do this, yes, but it isn't as simple as this - the user
> groups are not part of the Connection configuration, they are a part of the
> User object. You'll need to create your own implementation of User and
> implement the getUserGroups() method to provide the group(s) to which you
> want to assign permissions.
>
> https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/User.html#getUserGroups()
>
> From there you can skip the getAuthorizedConfigurations() implementation
> and just store the connection configuration in JDBC.
>
> -Nick
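
As an added example (not code from either poster or from the Guacamole project), here is one minimal provider that accepts Credentials and reports a group membership without returning any connection details. It assumes guacamole-ext 1.x on the classpath and supplies the group through `AuthenticatedUser.getEffectiveUserGroups()`; that choice of hook, the class name, the provider identifier and the `verifyExternally()` stand-in are assumptions of this example, as is the expectation that the JDBC extension matches the returned name against its own user groups.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Set;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.auth.AbstractAuthenticatedUser;
import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.AuthenticationProvider;
import org.apache.guacamole.net.auth.Credentials;

// Hypothetical class name; requires guacamole-ext on the classpath.
public class ExternalGroupAuthenticationProvider extends AbstractAuthenticationProvider {
    // Name of a user group that already exists in the JDBC database ("test" in the thread).
    private static final Set<String> GROUPS = Collections.singleton("test");

    @Override
    public String getIdentifier() {
        return "external-group"; // hypothetical provider identifier
    }

    @Override
    public AuthenticatedUser authenticateUser(final Credentials credentials)
            throws GuacamoleException {
        String username = credentials.getUsername();
        String password = credentials.getPassword();
        // null tells Guacamole that this provider did not authenticate the user.
        if (username == null || password == null || !verifyExternally(username, password))
            return null;

        final AuthenticationProvider provider = this;
        AbstractAuthenticatedUser user = new AbstractAuthenticatedUser() {
            @Override public AuthenticationProvider getAuthenticationProvider() { return provider; }
            @Override public Credentials getCredentials() { return credentials; }
            @Override public Set<String> getEffectiveUserGroups() { return GROUPS; }
        };
        user.setIdentifier(username);
        return user;
    }

    // Hypothetical stand-in for the external credential check, using the test
    // values from the thread; MessageDigest.isEqual compares in constant time.
    private boolean verifyExternally(String username, String password) {
        boolean userOk = MessageDigest.isEqual(utf8(username), utf8("test1"));
        boolean passOk = MessageDigest.isEqual(utf8(password), utf8("test1"));
        return userOk & passOk; // non-short-circuit so both comparisons always run
    }

    private static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }
}
```

With this shape the extension holds no hostnames or RDP passwords; those stay in the JDBC-stored connections that the group is granted.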