guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: LDAP restrictions
Date Wed, 04 Apr 2018 22:33:39 GMT
>
>
> I must be missing some detail about your environment or what you're trying
> to accomplish, here - can you fill in the gaps in my understanding?
>

Sorry, I'm being very dense, here, and it just clicked what you're saying.
Your tree is not set up such that you could just specify:

ldap-user-base-dn: ou=users,dc=domain,dc=com
ldap-user-attribute: uid

And then have it automatically do uid={username},ou=users,dc=domain,dc=com
for the bind DN, without having to have a specific account for searching
the tree?  And, in Active Directory, in particular, you can bind to the
tree no matter where your user account is located by just binding with {
username}@domain.com or DOMAIN\{username}.

So, based on that, now that my brain has started working, I'd say the
following things:
- This is still a "feature" of Active Directory, and isn't widely-supported
across LDAP directory trees.  You're welcome to go to the Apache JIRA page
for Guacamole and file a feature request for this and we'll see if it's
something that can be easily added.
- As I mentioned before, you should be able to create a user account with
fairly limited permissions but still the ability to search the tree for
those users and only read the attributes necessary to allow Guacamole to
work.
- The other option that I've used when hitting this limitation before is to
create a specific ou and alias all of the user accounts that need access to
an application within that OU, thereby creating both the "flat" structure
required for the application to function and also allowing you to continue
to sort the tree as required.  So, something like
ou=Guacamole_Users,dc=domain,dc=com and then
uid=user1,ou=Guacamole_Users,dc=domain,dc=com points to
uid=user1,ou=Users,ou=Department,dc=domain,dc=com.

Sorry for the misunderstanding...if I had thought about it for five more
minutes before clicking send, I'd have got it.

-Nick
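To make the two bind strategies in the reply concrete, here is an added example (not Guacamole code and not Nick's): it builds the templated bind DN that `ldap-user-base-dn` plus `ldap-user-attribute` imply, and the two Active Directory logon forms, escaping the user-supplied name per RFC 4514 so that a login such as `user1,ou=admins` cannot change which entry is bound to. The function names are hypothetical, and the NetBIOS domain name is passed in rather than derived from the DNS name.

```python
# Added example, not Guacamole's or the poster's code.  Shows the bind DN the
# flat-tree configuration implies (uid={username},ou=users,dc=domain,dc=com)
# and the AD forms {username}@domain.com / DOMAIN\{username}, with the
# username escaped per RFC 4514 section 2.4 before it is spliced into a DN.
import re
from typing import Tuple

# Characters that must (or, for '=', may) be backslash-escaped in an RDN value.
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 rules)."""
    if '\x00' in value:
        raise ValueError('NUL is not permitted in an RDN value')
    escaped = _DN_SPECIAL.sub(r'\\\1', value)
    # A leading '#' or space and a trailing space are also significant.
    if escaped.startswith(('#', ' ')):
        escaped = '\\' + escaped
    if escaped.endswith(' '):
        escaped = escaped[:-1] + '\\ '
    return escaped


def bind_dn(username: str, base_dn: str, attribute: str = 'uid') -> str:
    """Templated bind DN: <attribute>=<escaped username>,<ldap-user-base-dn>."""
    if not username:
        raise ValueError('username must not be empty')
    return f'{attribute}={escape_rdn_value(username)},{base_dn}'


def ad_bind_names(username: str, dns_domain: str,
                  netbios_domain: str) -> Tuple[str, str]:
    """The two AD logon forms from the thread: UPN and down-level name."""
    if not username or any(c in username for c in '@\\\x00'):
        raise ValueError('username must not be empty or contain @ or \\')
    return f'{username}@{dns_domain}', f'{netbios_domain}\\{username}'
```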
