guacamole-user mailing list archives

From "Alder, Steve" <>
Subject Re: groups for user .
Date Tue, 20 Jun 2017 19:29:09 GMT
For ‘strategic business reasons’, I am trying to keep connections in MariaDB and authentication
from AD.  The current product doesn’t require altering AD.  Not my call.

The plan is/was to have multiple installations of Guacamole allowing access through control-points
into differing secured zones of our network.  One installation would point at AD-group-ZONE1
for authentication, in Guac the admin would assign connections into ‘ZONE1’ to everyone
in AD-group-ZONE1.  Rinse and repeat for ZONE2,3,4, etc.  With the intention that ~600 users
would be using it for access into these zones.  My *NIX sysadmin team has been happily using
it for some time now, because neither the team (~20) nor the connections change frequently; and
when they do, it is trivial for them to manage it internal to the team.  For the mass
population, the changes are just too frequent to manage in this fashion.

I have tried numerous iterations of configuring this and wind up either with ALL users being
displayed in the “Users” tab and having to manually assign each user connections, or only
the AD-group being shown in the “Users” tab but the users (in that group) being unable
to even log in to Guac.  I am going to look into the cross-platform scripting to strip the
users from the AD-group and assign them connections in MariaDB.  It spreads the solution’s
footprint out a bit, but I will see where it goes.

From: Mike Jumper <>
Reply-To: "" <>
Date: Tuesday, June 20, 2017 at 14:31
To: "" <>
Subject: Re: groups for user .

On Jun 20, 2017 11:25 AM, "Alder, Steve" <<>>
Thank you so much for the information, and responding.  I am currently in an environment with
multiple thousands of user accounts, and am just POC’ing Guacamole as a replacement for
an existing commercial product.  I think the inability to assign connections (natively) via
group membership might be a show-stopper for us at this point.

What about leveraging LDAP or AD?

Though guac's database backend doesn't implement user groups, the LDAP backend inherently
does. Connections themselves are defined using a group-type object.

- Mike
