guacamole-commits mailing list archives

From "Nick Couchman (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (GUACAMOLE-284) When using ldap with MySQL backend "Account Restrictions" doesn't work
Date Tue, 23 May 2017 12:58:04 GMT

    [ https://issues.apache.org/jira/browse/GUACAMOLE-284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16021156#comment-16021156 ]

Nick Couchman edited comment on GUACAMOLE-284 at 5/23/17 12:58 PM:
-------------------------------------------------------------------

{quote}
While it's true that account restrictions defined within the database auth shouldn't affect
whether another authentication mechanism succeeds/fails, I'd say those restrictions should
still take effect when it comes to providing access to the data actually defined within the
database.
{quote}
I agree.  I was commenting on how it currently works, not, necessarily, on how it should work
:-).  However, the flip-side of this is making sure that it's understood how to properly secure
database accounts in the above scenario, if necessary, to prevent accounts that may not have
a password set on them from being exploited.  That may already be taken care of in the Guacamole
code - I did try to create a database user without a password and log in with it and it did
not work, so this may not be a concern at all?  Anyway, I agree that disabling the account
in the DB module should result in the connection information for that user being inaccessible,
even if another module succeeds.


was (Author: nick.couchman@yahoo.com):
> While it's true that account restrictions defined within the database auth shouldn't
> affect whether another authentication mechanism succeeds/fails, I'd say those restrictions
> should still take effect when it comes to providing access to the data actually defined within
> the database.

I agree.  I was commenting on how it currently works, not, necessarily, on how it should work
:-).  However, the flip-side of this is making sure that it's understood how to properly secure
database accounts in the above scenario, if necessary, to prevent accounts that may not have
a password set on them from being exploited.  That may already be taken care of in the Guacamole
code - I did try to create a database user without a password and log in with it and it did
not work, so this may not be a concern at all?  Anyway, I agree that disabling the account
in the DB module should result in the connection information for that user being inaccessible,
even if another module succeeds.

> When using ldap with MySQL backend "Account Restrictions" doesn't work
> ----------------------------------------------------------------------
>
>                 Key: GUACAMOLE-284
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-284
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-jdbc-mysql, guacamole-auth-ldap, guacamole-client
>    Affects Versions: 0.9.12-incubating
>            Reporter: Mark van den Boogaard
>
> When using LDAP authentication and a MySQL backend the options under "Account Restrictions"
> are not working.
> When we set the option "Disabled" or "Enable/Disable account after" this has no effect.
> For us the users who are managing Guacamole (users and connections) do not have access to
> LDAP to enable/disable accounts. So it would be nice to have these options working when
> using LDAP authentication with MySQL



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
