GUACAMOLE-374: Migrate CAS documentation to combined native+Docker ap…

…proach.
apache · Nov 21, 2024 · 9bd9985 · 9bd9985
1 parent ea7eb9e
commit 9bd9985
Show file tree

Hide file tree

Showing 3 changed files with 134 additions and 73 deletions.
diff --git a/src/cas-auth.md b/src/cas-auth.md
@@ -1,3 +1,10 @@
+---
+myst:
+  substitutions:
+    extArchiveName: guacamole-auth-sso
+    extJarName:     cas/guacamole-auth-sso-cas
+---
+
 CAS Authentication
 ==================
 
@@ -10,95 +17,94 @@ connection information, as it only provides user authentication.
 
 (cas-downloading)=
 
-Downloading the CAS authentication extension
---------------------------------------------
+Downloading and installing the CAS authentication extension
+-----------------------------------------------------------
 
-```{include} include/sso-download.md
+```{include} include/ext-download.md
 ```
 
-The extension for the desired SSO method, in this case
-`guacamole-auth-sso-cas-1.6.0.jar` from within the `cas/` subdirectory, must
-ultimately be placed in `GUACAMOLE_HOME/extensions`.
+Configuring Guacamole for CAS Authentication
+--------------------------------------------
 
-(installing-cas-auth)=
+Guacamole's CAS support requires specifying two properties that describe the
+CAS authentication server and the Guacamole deployment. These properties are
+*absolutely required in all cases*, as they dictate how Guacamole should
+connect to the CAS and how CAS should redirect users back to Guacamole once
+their identity has been confirmed:
 
-Installing CAS authentication
------------------------------
 
-Guacamole extensions are self-contained `.jar` files which are located within
-the `GUACAMOLE_HOME/extensions` directory. *If you are unsure where
-`GUACAMOLE_HOME` is located on your system, please consult
-[](configuring-guacamole) before proceeding.*
+```{eval-rst}
+.. tab:: Native Webapp (Tomcat)
 
-To install the CAS authentication extension, you must:
+   If deploying Guacamole natively, you will need to add a section to your
+   ``guacamole.properties`` that looks like the following:
 
-1. Create the `GUACAMOLE_HOME/extensions` directory, if it does not already
-   exist.
+   .. literalinclude:: include/cas.example.properties
+      :language: ini
 
-2. Copy `guacamole-auth-sso-cas-1.6.0.jar` within `GUACAMOLE_HOME/extensions`.
+   The properties that must be set in all cases for any Guacamole installation
+   using CAS are:
 
-3. Configure Guacamole to use CAS authentication, as described below.
+   .. include:: include/cas.properties.md
+      :parser: myst_parser.sphinx_
 
-(guac-cas-config)=
+.. tab:: Container (Docker)
 
-### Configuring Guacamole for CAS Authentication
+   If deploying Guacamole using Docker Compose, you will need to add a set of
+   environment varibles to the ``environment`` section of your
+   ``guacamole/guacamole`` container that looks like the following 
 
-Guacamole's CAS support requires specifying two properties that describe the
-CAS authentication server and the Guacamole deployment. These properties are
-*absolutely required in all cases*, as they dictate how Guacamole should
-connect to the CAS and how CAS should redirect users back to Guacamole once
-their identity has been confirmed:
+   .. literalinclude:: include/cas.example.yml
+      :language: yaml
 
-`cas-authorization-endpoint`
-: The URL of the CAS authentication server. This should be the full path to the
-  base of the CAS installation.
+   If instead deploying Guacamole by running ``docker run`` manually, these
+   same environment variables will need to be provided using the ``-e`` option.
+   For example:
 
-`cas-redirect-uri`
-: The URI to redirect back to upon successful authentication. Normally this
-  will be the full URL of your Guacamole installation.
+   .. literalinclude:: include/cas.example.txt
+      :language: console
 
-Additional optional properties are available to control how CAS-related data is
-processed, including whether [CAS ClearPass](cas-clearpass) should be used and
-how user group memberships should be derived:
+   The environment variables that must be set in all cases for any Docker-based
+   Guacamole installation using CAS are:
 
-`cas-clearpass-key`
-: If using CAS ClearPass to pass the SSO password to Guacamole, this parameter
-  specifies the private key file to use to decrypt the password. See [the section
-  on ClearPass](cas-clearpass) below.
+   .. include:: include/cas.environment.md
+      :parser: myst_parser.sphinx_
+```
 
-`cas-group-attribute`
-: The CAS attribute that determines group membership, typically "memberOf".
-  This parameter is only required if using CAS to define user group memberships.
-  If omitted, groups aren't retrieved from CAS, and all other group-related
-  properties for CAS are ignored.
+### Additional Configuration Options
 
-`cas-group-format`
-: The format that CAS will use for its group names. Possible values are
-  `plain`, for groups that are simple text names, or `ldap`, for groups that are
-  represented as LDAP DNs. If set to `ldap`, group names are always determined
-  from the last (leftmost) attribute of the DN. If omitted, `plain` is used by
-  default.
+```{eval-rst}
+.. tab:: Native Webapp (Tomcat)
 
-  This property has no effect if cas-group-attribute is not set.
+   Additional optional properties are available to control how CAS-related data
+   is processed, including whether [CAS ClearPass](cas-clearpass) should be used
+   and how user group memberships should be derived:
 
-`cas-group-ldap-base-dn`
-: The base DN to require for LDAP-formatted CAS groups. If specified, only CAS
-  groups beneath this DN will be included, and all other CAS groups will be
-  ignored.
+   .. include:: include/cas-optional.properties.md
+      :parser: myst_parser.sphinx_
 
-  This property has no effect if cas-group-format is not `ldap`.
+.. tab:: Container (Docker)
 
-`cas-group-ldap-attribute`
-: The LDAP attribute to require for LDAP-formatted CAS groups. If specified,
-  only CAS groups that use this attribute for the name of the group will be
-  included. Note that LDAP group names are *always determined from the last
-  (leftmost) attribute of the DN*. Specifying this property will only have the
-  effect of ignoring any groups that do not use the specified attribute to
-  represent the group name.
+   Additional optional environment variables are available to control how
+   CAS-related data is processed, including whether [CAS ClearPass](cas-clearpass)
+   should be used and how user group memberships should be derived:
 
-  This property has no effect if cas-group-format is not `ldap`.
+   .. include:: include/cas-optional.environment.md
+      :parser: myst_parser.sphinx_
 
-(cas-login)=
+   You can also explicitly enable/disable use of CAS support by setting the
+   ``CAS_ENABLED`` environment variable to ``true`` or ``false``:
+
+   ``CAS_ENABLED``
+      Explicitly enables or disables use of the CAS extension. By default, the
+      CAS extension will be installed only if at least one CAS-related
+      environment variable is set.
+
+      If set to ``true``, the CAS extension will be installed regardless of any
+      other environment variables. If set to ``false``, the CAS extension will
+      NOT be installed, even if other CAS-related environment variables have
+      been set.
+```
 
 ### Controlling login behavior
 
@@ -127,18 +133,16 @@ extension-priority: *, cas
 
 (completing-cas-install)=
 
-### Completing the installation
+Completing the installation
+---------------------------
 
-Guacamole will only reread `guacamole.properties` and load newly-installed
-extensions during startup, so your servlet container will need to be restarted
-before CAS authentication can be used. *Doing this will disconnect all active
-users, so be sure that it is safe to do so prior to attempting installation.*
-When ready, restart your servlet container and give the new authentication a
-try.
+```{include} include/ext-completing.md
+```
 
 (cas-clearpass)=
 
-### Using CAS ClearPass
+Using CAS ClearPass
+-------------------
 
 CAS has a function called ClearPass that can be used to cache the password used
 for SSO authentication and make that available to services at a later time.
@@ -149,6 +153,6 @@ more information can be found on the Apereo CAS wiki at the following URL:
 Once you have CAS configured for credential caching, you need to configure the
 service with a keypair for passing the credential securely. The public key gets
 installed on the CAS server, while the private key gets configured with the
-cas-clearpass-key property. The private key file needs to be in RSA PKCS8
+`cas-clearpass-key property`. The private key file needs to be in RSA PKCS8
 format.
 
diff --git a/src/include/cas-optional.properties.in b/src/include/cas-optional.properties.in
@@ -0,0 +1,46 @@
+#
+# If using CAS ClearPass to pass the SSO password to Guacamole, this parameter
+# specifies the private key file to use to decrypt the password. See [the section
+# on ClearPass](cas-clearpass) below.
+#
+cas-clearpass-key: /path/to/private-key.pem
+
+#
+# The CAS attribute that determines group membership, typically "memberOf".
+# This parameter is only required if using CAS to define user group memberships.
+# If omitted, groups aren't retrieved from CAS, and all other group-related
+# properties for CAS are ignored.
+#
+cas-group-attribute: memberOf
+
+#
+# The format that CAS will use for its group names. Possible values are
+# `plain`, for groups that are simple text names, or `ldap`, for groups that are
+# represented as LDAP DNs. If set to `ldap`, group names are always determined
+# from the last (leftmost) attribute of the DN. If omitted, `plain` is used by
+# default.
+#
+# This property has no effect if cas-group-attribute is not set.
+#
+cas-group-format: plain
+
+#
+# The base DN to require for LDAP-formatted CAS groups. If specified, only CAS
+# groups beneath this DN will be included, and all other CAS groups will be
+# ignored.
+#
+# This property has no effect if cas-group-format is not `ldap`.
+#
+cas-group-ldap-base-dn: ou=groups,dn=example,dn=net
+
+#
+# The LDAP attribute to require for LDAP-formatted CAS groups. If specified,
+# only CAS groups that use this attribute for the name of the group will be
+# included. Note that LDAP group names are *always determined from the last
+# (leftmost) attribute of the DN*. Specifying this property will only have the
+# effect of ignoring any groups that do not use the specified attribute to
+# represent the group name.
+#
+# This property has no effect if cas-group-format is not `ldap`.
+#
+cas-group-ldap-attribute: cn
diff --git a/src/include/cas.properties.in b/src/include/cas.properties.in
@@ -0,0 +1,11 @@
+#
+# The URL of the CAS authentication server. This should be the full path to the
+# base of the CAS installation.
+#
+cas-authorization-endpoint: https://cas.example.net
+
+#
+# The URI to redirect back to upon successful authentication. Normally this
+# will be the full URL of your Guacamole installation.
+#
+cas-redirect-uri: https://guac.example.net