CAS user attributes and logout issues

CAS user attributes and logout issues

xia
Hi,

Guacamole is an incredible project - LOVE IT - ...but recently I've strayed
into trying to make it work with CAS...I'm thinking I may have wandered into
a dark forgotten corner...

Two questions...I can't seem to resolve...

1. I've configured the CAS extension (with Clearpass).  Is there a way to
get the extension to pull user attributes (such as group membership) from
the CAS session (they are being sent and logged by Guacamole, but don't seem
to resolve as group membership) or pull them from LDAP?  

The database seems to work (mysql, and that's where my connections are) but
I'd prefer to not have to replicate group memberships in the database...my
current LDAP-based Guacamole has groups and connections in the database, but
pulls group associations with the LDAP-authentication.

2. Logout with CAS does not seem to be acting sane (inconsistent,
occasionally bounces back and forth between CAS and Guacamole, sometimes
lands on CAS login...never quite logging the user out, often resulting in
Guacamole errors), yet I see no settings that pertain to logout...what am I
missing?  Please help...

Best Regards,

Stew




--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: CAS user attributes and logout issues

xia
Ok, I may have answered my own questions on this by finding the Jira site (I
apologize for posting before looking more carefully...) and noting that
there are PRs that cover some/most of this.  It appears that the only
handling of CAS attributes is to convert them to tokens, so no handling of
groups (wondering if I can somehow make connection decisions based on
tokens...something to play with).  Still wonder if there's a way to pull
attributes from LDAP...(I'm guessing not yet) ¯\_(ツ)_/¯

And...no logout (yet)...Is anyone actually using any of the SSO modules in a
production environment? If so, I'd like to hear what they do... That does
seem to be a fairly significant security defect...





Re: CAS user attributes and logout issues

vnick
On Wed, Nov 27, 2019 at 1:27 PM xia <[hidden email]> wrote:
Ok, I may have answered my own questions on this by finding the Jira site (I
apologize for posting before looking more carefully...) and noting that
there are PRs that cover some/most of this.  It appears that the only
handling of CAS attributes is to convert them to tokens, so no handling of
groups (wondering if I can somehow make connection decisions based on
tokens...something to play with).  Still wonder if there's a way to pull
attributes from LDAP...(I'm guessing not yet) ¯\_(ツ)_/¯


Yep, you are correct - the CAS extension needs to implement attributes, and there is a PR out there that handles this.  It should also be possible to implement group handling in the CAS module - basically just need to allow the config file to specify what CAS attribute will contain group names and parse them out, and then implement the bits that would provide that information to other components.  Very doable, just needs to be done.
 
And...no logout (yet)...Is anyone actually using any of the SSO modules in a
production environment? If so, I'd like to hear what they do... That does
seem to be a fairly significant security defect...


I did use CAS for a while in production; however, I was doing it without ClearPass and I found it more useful to just authenticate straight to AD and have the user password available as a token to use when logging into RDP servers.  I do intend to go back and re-work things with CAS + ClearPass + Guacamole so that I have the best of all three worlds, just have not gotten around to it, yet.

-Nick

Re: CAS user attributes and logout issues

xia
Hi Nick-

Thanks for the reply.

Since it needed doing, and I wanted it...I figured I'd take a crack at doing
it.  I've created a pull request for a proposed and functioning solution to
PR GUACAMOLE-793.  It works (at least for my use-case)!  Needs doc, and
probably a few other things (which I suppose will come with review).  

For now it adds two more configuration options to guacamole.properties:

1. To set the attribute used for group membership:
cas-group-attribute: memberOf

2. To "clean up" DNs when the backing store for CAS is LDAP:
cas-group-dn-format: CN=%s,OU=People,DC=example,DC=com
This option allows the extension to receive a full DN specification from CAS
such as "CN=foo,OU=People,DC=example,DC=com" and reduce it to "foo."  This
parameter should be omitted for CAS that isn't LDAP-backed.

Now if I could figure out how to make Logout work, I can get on with
deploying this to production...would you have any guidance on an
architecturally acceptable way to implement that?  How did you do it when
you ran CAS in production?

--Stew



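As an added illustration of the two options Stew describes (this is not the PR's code and not from anyone in this thread), the block below applies `cas-group-attribute` and `cas-group-dn-format` to a constructed CAS attribute map: the format template is escaped literally around its single `%s`, DNs are compared case-insensitively, and DNs that do not fit the template are dropped rather than passed through. The case-insensitive comparison and the drop-on-mismatch rule are assumptions, not something the post specifies.

```python
import re
from typing import Optional, Set

# Constructed values mirroring the two options from the post; not the PR's code.
CAS_GROUP_ATTRIBUTE = "memberOf"
CAS_GROUP_DN_FORMAT = "CN=%s,OU=People,DC=example,DC=com"

# Constructed stand-in for the attribute map a CAS ticket validation returns.
SAMPLE_CAS_ATTRIBUTES = {
    "memberOf": [
        "CN=foo,OU=People,DC=example,DC=com",
        "cn=Admins,ou=people,dc=example,dc=com",         # LDAP DNs compare case-insensitively
        "CN=Smith\\, John,OU=People,DC=example,DC=com",  # escaped comma inside the RDN value
        "CN=svc,OU=Service,DC=example,DC=com",           # other subtree: must not match
    ],
    "mail": "stew@example.com",
}


def compile_dn_format(dn_format: Optional[str]) -> Optional[re.Pattern]:
    # Turn "CN=%s,OU=..." into an anchored regex. Everything but the single %s is
    # escaped literally, so "." or "(" in an OU name cannot widen the match, and the
    # captured value may not contain an unescaped comma, so a DN from a deeper
    # subtree cannot pose as a shorter one.
    if not dn_format:
        return None
    if dn_format.count("%s") != 1:
        raise ValueError("cas-group-dn-format must contain exactly one %s")
    head, tail = dn_format.split("%s")
    value = r"((?:[^,\\]|\\.)+)"  # plain chars or backslash-escaped pairs
    return re.compile("^" + re.escape(head) + value + re.escape(tail) + "$", re.IGNORECASE)


def groups_from_cas_attributes(attributes: dict, group_attribute: str = CAS_GROUP_ATTRIBUTE,
                               dn_format: Optional[str] = CAS_GROUP_DN_FORMAT) -> Set[str]:
    # Without a DN format every value is taken verbatim (the non-LDAP case the post
    # describes). With one, non-matching values are dropped rather than passed
    # through, so an unexpected DN never becomes a group name (assumption).
    pattern = compile_dn_format(dn_format)
    raw = attributes.get(group_attribute, [])
    if isinstance(raw, str):  # a single-valued attribute may arrive as a bare string
        raw = [raw]
    groups: Set[str] = set()
    for value in raw:
        value = str(value).strip()
        if pattern is None:
            groups.add(value)
            continue
        found = pattern.match(value)
        if found:
            groups.add(found.group(1))
    return groups
```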