guacamole-user mailing list archives

From Andy Pattrick <andy.pattr...@horiba.com>
Subject RE: LDAP and MySQL
Date Thu, 20 Jul 2017 10:13:23 GMT
Hi James,



I also manage my users in LDAP, mainly so that I can enforce multi-factor authentication.
It seems that to assign connections to users I have to explicitly also add them to MySQL too
- they don't just 'appear' in the list. I add the user of the same name with a blank password
and then assign connections (I check that I can't log in as that user with a blank password
and I can't).



It's true that if I created a user in MySQL that wasn't also in LDAP then they'd be able to
log in. However, as admin I simply choose not to do that and I think you could set up other
sub-admin accounts that don't have the 'create user' permission to prevent others from doing
so while still allowing them to create connections for example.



The docker image works well but does have limitations on passing configuration in. Ideally
a mechanism would exist where you could pass any property through docker, or maybe store your
.properties file on a mapped docker volume, but I don't think it does at the moment. Others
may know more than me on here though.



Cheers Andy



________________________________
From: James Wilson [jameswilson@groupmail.com]
Sent: 20 July 2017 10:49
To: user@guacamole.incubator.apache.org
Subject: LDAP and MySQL

Hi,

I currently use the Guacamole Docker container and have recently set up an LDAP server for
authentication on my network which is being used by multiple services and would also like
to use the MySQL integration as well as it makes the managing of users much nicer from the
administration end. However I require authentication to only be granted when a user is in
the LDAP server. If a user exists within the MySQL authentication but not in LDAP I do not
want the user to be authenticated.

Currently it appears that the user can authenticate through either method and that doesn't
achieve what I am looking for with regards to the LDAP server having the final say. Some reading
through the documentation indicated that by using a parameter "mysql-user-required: true"
within the guacamole.properties file, it forced users to exist in both the MySQL and LDAP
repositories.

However this does not appear to work for the docker version of Guacamole as there is no mechanism
currently of taking that parameter in and placing it within the guacamole.properties file
as there is for the LDAP and MySQL parameters.

Has anyone else run into this issue? Are there plans to add mysql-user-required as a parameter
for the docker container?

Any advice would be appreciated.

James


