guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Couchman <nick.couch...@yahoo.com>
Subject Re: RE: Guac 0.9.13
Date Mon, 31 Jul 2017 01:13:50 GMT
Under the current version you, unfortunately, do not have any options inside Guacamole itself
to accomplish this.  The way I can think of at this point would be to use OpenLDAP with the
Meta or Proxy back-end, and have OpenLDAP present both directory trees under a single server/tree
to Guacamole.  That's not the ideal solution and we certainly want to get Guacamole to the
point where it can handle multiple trees in the same config, but it will work.
I've used the Meta backend before, and it allows you to take two directory trees - say dc=ad1,dc=com
and dc=ad2,dc=com - and combine them in such a way that ad1 appears at dc=ad1,dc=ldap,dc=com
and ad2 at dc=ad2,dc=ldap,dc=com.  You can then query the OpenLDAP instance at the dc=ldap,dc=com
level and it will traverse both trees.  IIRC, it's also smart enough to handle passing through
bind requests - so, once a user is found if dc=ad2,dc=ldap,dc=com, for example, when the bind
request is sent it will translate that to the correct user on the dc=ad2,dc=com side and proxy
the request.  It takes a little work to get set up, but it isn't too bad.
If you have both your AD trees set up in a single forest you can probably accomplish the same
thing - if one is at the root and the other is a tree somewhere in the forest, I'm fairly
certain you can have a LDAP server that has access to both trees.  I'm not an expert on Active
Directory, so I've never gone that route before and cannot speak to how it's accomplished
or even for sure that it's possible, but I believe that was one of the key features behind
AD was the ability to further sub-divide the domains while still maintaining some sort of
top-level authority and view of the entire system.
Anyway, those are a couple of ideas - like I said, unfortunately, nothing native to Guacamole
at this point that will help you out.
Regards,Nick

On Sunday, July 30, 2017, 8:37:37 PM EDT, James Fraser <James.Fraser@veritec.com.au>
wrote:

#yiv9350867801 #yiv9350867801 -- _filtered #yiv9350867801 {font-family:Helvetica;panose-1:2
11 6 4 2 2 2 2 2 4;} _filtered #yiv9350867801 {panose-1:2 4 5 3 5 4 6 3 2 4;} _filtered #yiv9350867801
{font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;}#yiv9350867801 #yiv9350867801 p.yiv9350867801MsoNormal,
#yiv9350867801 li.yiv9350867801MsoNormal, #yiv9350867801 div.yiv9350867801MsoNormal {margin:0cm;margin-bottom:.0001pt;font-size:11.0pt;}#yiv9350867801
a:link, #yiv9350867801 span.yiv9350867801MsoHyperlink {color:blue;text-decoration:underline;}#yiv9350867801
a:visited, #yiv9350867801 span.yiv9350867801MsoHyperlinkFollowed {color:purple;text-decoration:underline;}#yiv9350867801
p.yiv9350867801msonormal0, #yiv9350867801 li.yiv9350867801msonormal0, #yiv9350867801 div.yiv9350867801msonormal0
{margin-right:0cm;margin-left:0cm;font-size:11.0pt;}#yiv9350867801 p.yiv9350867801msonormal,
#yiv9350867801 li.yiv9350867801msonormal, #yiv9350867801 div.yiv9350867801msonormal {margin-right:0cm;margin-left:0cm;font-size:11.0pt;}#yiv9350867801
p.yiv9350867801msochpdefault, #yiv9350867801 li.yiv9350867801msochpdefault, #yiv9350867801
div.yiv9350867801msochpdefault {margin-right:0cm;margin-left:0cm;font-size:11.0pt;}#yiv9350867801
span.yiv9350867801msohyperlink {}#yiv9350867801 span.yiv9350867801msohyperlinkfollowed {}#yiv9350867801
span.yiv9350867801emailstyle17 {}#yiv9350867801 p.yiv9350867801msonormal1, #yiv9350867801
li.yiv9350867801msonormal1, #yiv9350867801 div.yiv9350867801msonormal1 {margin:0cm;margin-bottom:.0001pt;font-size:11.0pt;}#yiv9350867801
span.yiv9350867801msohyperlink1 {color:#0563C1;text-decoration:underline;}#yiv9350867801 span.yiv9350867801msohyperlinkfollowed1
{color:#954F72;text-decoration:underline;}#yiv9350867801 span.yiv9350867801emailstyle171 {color:windowtext;}#yiv9350867801
p.yiv9350867801msochpdefault1, #yiv9350867801 li.yiv9350867801msochpdefault1, #yiv9350867801
div.yiv9350867801msochpdefault1 {margin-right:0cm;margin-left:0cm;font-size:11.0pt;}#yiv9350867801
span.yiv9350867801EmailStyle29 {color:windowtext;}#yiv9350867801 .yiv9350867801MsoChpDefault
{font-size:10.0pt;} _filtered #yiv9350867801 {margin:72.0pt 72.0pt 72.0pt 72.0pt;}#yiv9350867801
div.yiv9350867801WordSection1 {}#yiv9350867801 
Hi Nick
 
  
 
Thanks for your response, I have just built 0.9.13 and setting up a couple of AD domains,
just chasing a bit of guidance of how to target the two different directories if its possible.
 

Cheers
 
  
 
James Fraser • Microsoft Systems Engineer


 
  
 
From: Nick Couchman [mailto:nick.couchman@yahoo.com]
Sent: Monday, 31 July 2017 9:59 AM
To: user@guacamole.incubator.apache.org
Subject: Re: Guac 0.9.13
 
  
 
James,
 
The LDAP filtering is possible as of the as-yet-unreleased 0.9.13-incubating version of Guacamole.
 Hopefully that'll be released, soon, maybe even sometime this week.  Don't quote me on
that, but I know the process to get the release approved is moving along right now, so it
shouldn't be too long.
 
  
 
The multiple directory lookup has *not,* yet, been incorporated.  I can't remember if there's
a separate JIRA issue for that one - I feel like there is - if not, you should definitely
open one so we can track status on that.
 
  
 
Regards,
 
Nick
 
  
 
  
 
On Sunday, July 30, 2017, 7:04:03 PM EDT, James Fraser <James.Fraser@veritec.com.au>
wrote:
 
  
 
  
 
I have been reviewing 0.9.13
 
 
 
In particular
 
https://issues.apache.org/jira/browse/GUACAMOLE-101
 
 
 
I am curious if this is now possible? Is it potentially possible to lookup between multiple
directories?
 
 
 
James Fraser • Microsoft Systems Engineer
 
 
 
Mime
View raw message