On Fri, Sep 13, 2024 at 9:36 AM Richard Hawkins <richard.hawk...@medctrbarbour.org> wrote:

> And on further notice. You don't want to use the database internally in
> guacamole. I don't know if that's possible it might be. Sorry I couldn't
> help on that.
>
> ------------------------------
>
> You can definitely apply it to active directories. You can even set up
> groups. At one time I had this working and it worked really well, but I
> wanted MFA authentication so I removed all the active directories and went
> strictly with MFA. I think I read somewhere I couldn’t use active directory
> and MFA at the same time. There’s probably better solutions now; that was a
> couple of years ago. I’ve been using guacamole for about five years or so.
> It works really well once you’ve got it going.
> ==
> I am testing Apache Guacamole with the purpose to deploy it in k8s.
> Deploying it locally and reading the manual I was not able to answer the
> questions that arose.
> Here:
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html
> It says something like you have to look into a specific auth plugin on how
> to manage users.
> In auth plugin guides I can't find any information which would point how
> it creates (or not creates the users).
> This is the reason why I am forced to ask community/maintainers for help
> to understand the best way to go. We have two requirements:
> 1. We don't want to maintain the user list on the guacamole side. We use
> Active Directory. We have Pomerium in k8s which is able to proxy HTTP
> header with user name to Apache Guacamole. Or we can use OpenID. But the
> biggest issue is if Guacamole still needs the list of users on its side?
> Or will it login any user? Pomerium has AD Groups based access. So, if
> Pomerium allows proxy request to Guacamole, then this user should have the
> ability to sign in. In simple words, the question is: What auth we can use,
> so Apache Guacamole would be able to login the user without having the list
> of users in its own filesystem/db.
>

The answer is kind of - if you're using a database to store connections,
you'll also need to store information on permissions, which means storing
users and groups. HOWEVER, we have a couple of things that should make this
much easier to manage so that you don't have to worry as much about
maintaining the authentication information in the database:
* You can set up the database extensions to auto-create users when they are
successfully authenticated by another module:
https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users
* You can use group membership in your authentication mechanism (LDAP,
OpenID, SAML, etc.), and match up those groups on the Guacamole DB side.
This is specifically documented for LDAP + Database integration, but the
overall principles apply to Database + SAML/OpenID/RADIUS/CAS/etc.:
https://guacamole.apache.org/doc/gug/ldap-auth.html#associating-ldap-with-a-database.

Using those two items, you should be able to do things like create a group
in Guacamole and assign it permissions, and then any users who are members
of that same group in AD will get those permissions without having to
specifically create them or assign them individual permissions. Hopefully
this makes sense, but feel free to post back if you have further questions.


> 2. The connection provisioning is not supported as far as I can see. We
> could create a k8s job which will be retrieving the list of targets from
> our internal systems. Then creating connections via REST API. Is this the
> only possible solution in our case?
>
>
I'm not sure exactly what you mean when you say that "connection
provisioning is not supported" - it certainly is supported, through the
following methods:
* Manually enter connections on the Guacamole interface. Obviously if you
have a lot of connections, this could take a long time.
* Use the REST API (sorry, we don't have very good documentation for that
at the moment) and script or automate the provisioning of connections from
some system into the Guacamole REST API.
* If you're using the database for storing connection information, you can
also insert the data directly into the database, so you can automate that
from some other system of record, as well, and just manually put the
information into the underlying DB:
https://guacamole.apache.org/doc/gug/jdbc-auth.html#modifying-data-manually.
* The JSON authentication extension lets you do some cool stuff with
authenticating users from another system and providing their connections
via encrypted JSON at the time of authentication, allowing you to use
Guacamole as a remote access system without having to maintain any
connection, user, group, etc. information within Guacamole:
https://guacamole.apache.org/doc/gug/json-auth.html.
* If you're adept at Java coding, or like a good challenge, you can also
write a custom extension that queries your system of record and presents
connections to users based on that.
* Finally, version 1.6.0 of Guacamole, when it is released, will include a
bulk import function that allows importing connections from a CSV, JSON,
and/or YAML file. This will be available both via the management GUI and
the REST API: https://issues.apache.org/jira/browse/GUACAMOLE-926.

-Nick
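As an added example, not code from this thread or from the Guacamole project: the steps an external system performs to build the encrypted JSON that the JSON authentication extension linked above accepts, together with the verification the receiving side must do before trusting it (signing and encryption follow the scheme the linked json-auth page describes). The function names are assumptions, and the key and JSON document used in the test are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
)

// EncodeJSONAuth: HMAC-SHA256 the JSON with the 32-hex-digit secret, prepend the raw signature,
// AES-128-CBC encrypt (zero IV, PKCS#7 padding) and base64 the result for the "data" parameter.
func EncodeJSONAuth(keyHex string, doc []byte) (string, error) {
	key, _ := hex.DecodeString(keyHex)
	if len(key) != 16 {
		return "", errors.New("json-secret-key must be 32 hex digits")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(doc)
	plain := append(mac.Sum(nil), doc...)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key) // 16-byte key selects AES-128
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, plain)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecodeJSONAuth mirrors the receiving side: decrypt, strip padding, split off the
// 32-byte signature and verify it in constant time before the JSON is trusted at all.
func DecodeJSONAuth(keyHex, token string) ([]byte, error) {
	key, _ := hex.DecodeString(keyHex)
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(key) != 16 || len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	block, _ := aes.NewCipher(key)
	plain := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(plain, raw)
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > aes.BlockSize || len(plain)-pad < sha256.Size {
		return nil, errors.New("bad padding or truncated payload")
	}
	sig, doc := plain[:sha256.Size], plain[sha256.Size:len(plain)-pad]
	mac := hmac.New(sha256.New, key)
	mac.Write(doc)
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("HMAC mismatch: wrong key or tampered payload")
	}
	return doc, nil
}
```

Because the signature is checked on the decrypted JSON, a token built with a different key or modified in transit is rejected before any username or connection inside it is read.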
