guacamole-commits mailing list archives

From "Steffen Moser (JIRA)" <j...@apache.org>
Subject [jira] [Created] (GUACAMOLE-300) Support posixGroup in LDAP Authentication and Group-based Session Admission
Date Sun, 14 May 2017 11:18:04 GMT
Steffen Moser created GUACAMOLE-300:
---------------------------------------

             Summary: Support posixGroup in LDAP Authentication and Group-based Session Admission
                 Key: GUACAMOLE-300
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-300
             Project: Guacamole
          Issue Type: Improvement
          Components: guacamole-auth-ldap
    Affects Versions: 0.9.12-incubating
         Environment: Oracle Solaris 11.3.19.5.0, Apache Tomcat 8.5.9, OpenLDAP 2.4.30, LDAP
users are organized using the posixGroup scheme.
            Reporter: Steffen Moser
             Fix For: 0.9.13-incubating
         Attachments: LDAP-posixGroup-support_SteffenMoser-20170514.patch

Recently, the auth-ldap module was extended with the ability to grant access to remote terminal
connections based on existing LDAP groups using the seeAlso attribute in Guacamole's LDAP-based
configuration settings. This is a great feature if you have to manage a lot of users who are
already organized in LDAP groups. It works well as long as the groups are of the scheme groupOfNames.
As we have decided on posixGroup (due to other tools' requirements), we currently cannot
use the feature and still have to list all users individually in the Guacamole remote service
configuration. While this could be scripted easily, it is still a work-around which makes
the administration work unnecessarily complex.

A better solution would be to support both schemes, posixGroup and groupOfNames. 

The attached patch will extend the user lookup code with the ability to search not only through
the groupOfNames but also through the posixGroup scheme. The piece of code seems to work successfully
with both schemes in my tests. I am not sure if there are any pitfalls when just combining
the possible results. Maybe introducing a configuration flag to choose whether to search posixGroup
or groupOfNames would be a better approach.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
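
The two group schemes contrasted in the report, as an added Python example (not code from guacamole-auth-ldap or the attached patch): groupOfNames lists members by full DN in `member`, posixGroup lists them by bare login name in `memberUid`, and the matched group DNs then drive the `seeAlso` lookup. The directory entries, the function names and the exact shape of the `guacConfigGroup` connection filter are assumptions made for this illustration.

```python
# Added illustration; not code from guacamole-auth-ldap or the attached patch.
# Assumes RFC 4519 groupOfNames (member = full DN) and RFC 2307 posixGroup
# (memberUid = bare login name). All directory entries below are constructed.

DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"]},
    "cn=ops,ou=groups,dc=example,dc=org": {
        "objectClass": ["posixGroup"], "memberUid": ["alice", "bob"]},
    "cn=dev,ou=groups,dc=example,dc=org": {
        "objectClass": ["posixGroup"], "memberUid": ["bob"]},
}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def membership_filter(user_dn, uid):
    """One filter covering both schemes, each term tied to its objectClass."""
    return ("(|(&(objectClass=groupOfNames)(member=%s))"
            "(&(objectClass=posixGroup)(memberUid=%s)))"
            % (escape_filter_value(user_dn), escape_filter_value(uid)))

def groups_for(user_dn, uid, entries):
    """In-memory equivalent of membership_filter, for checking offline."""
    found = []
    for dn, attrs in entries.items():
        classes = attrs.get("objectClass", [])
        # DN comparison is simplified to a case-insensitive string match.
        members = [m.lower() for m in attrs.get("member", [])]
        if "groupOfNames" in classes and user_dn.lower() in members:
            found.append(dn)
        # memberUid carries no DN, so the match ignores where the user lives.
        elif "posixGroup" in classes and uid in attrs.get("memberUid", []):
            found.append(dn)
    return found

def connection_filter(group_dns):
    """Filter for connection entries whose seeAlso names one of the groups."""
    if not group_dns:
        return None  # no group matched: nothing is granted through seeAlso
    terms = "".join("(seeAlso=%s)" % escape_filter_value(g) for g in group_dns)
    return "(&(objectClass=guacConfigGroup)(|%s))" % terms
```
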
