guacamole-user mailing list archives

From Jonathan Hankins <jhank...@homewood.k12.al.us>
Subject Re: LDAP+database - Credential duplication?
Date Thu, 10 May 2018 22:19:47 GMT
Felix,

There are some examples of generating the salt and hashing the password
correctly for postgres and mysql in the online docs, for various
programming languages. My use case is similar to yours (postgres+LDAP). I
needed to create users via script with random passwords in postgres, and I
did it in shell script (bash) using openssl(1) to generate the random
data and salts and do the hashes, some bash as glue, and psql to load the data
into the database. It took me some trial and error to translate what was in
the docs online to work in bash, and I'd be happy to share my script if
it'd be useful to you.

-Jonathan Hankins

On Thu, May 10, 2018 at 5:00 PM Nick Couchman <vnick@apache.org> wrote:

> On Thu, May 10, 2018 at 3:21 PM, Felix Wolfheimer <
> f.wolfheimer@googlemail.com> wrote:
>
>> I'm trying to set up guacamole with LDAP authentication and would like to
>> use postgresql as storage for the connection parameters. Looking at the
>> provided database schema files for postgresql (001-create-schema.sql), the
>> user information entered into the database requires a password. I'm
>> wondering whether this means that the LDAP user credentials need to be
>> duplicated and entered into the database? The guacamole manual however
>> suggests that once a user is successfully authenticated using the
>> credentials stored in LDAP, the guacamole database will trust this user and
>> will use the information present in the database for this user (
>> https://guacamole.apache.org/doc/gug/ldap-auth.html):
>>
>
> Yes, this is correct.
>
>> "Data can be manually associated with LDAP users by creating
>> corresponding user accounts within the database which each have the same
>> usernames as valid LDAP users. As long as the username is identical, a
>> successful login attempt against LDAP will be trusted by the database
>> authentication, and that user's associated data will be visible."
>>
>> Actually, I'd like to prevent storing password information in the
>> database and only use the LDAP passwords for authentication. Is this
>> supposed to work? May I just adjust the database schema and leave the
>> password field empty?
>>
> The password for the user from LDAP is not copied to or stored in the
> database.  The database does require a user password to be set; however, if
> you leave this blank when creating users in the admin interface one will be
> randomly generated.  Similarly, if you are importing users directly into
> the database you could generate random values for this field and the LDAP
> authentication will still work, and it will *not* update/store the LDAP
> password in the DB.
>
>
>> BTW: Thanks for providing this great product. I've used it to host
>> workshops for up to 50 people, providing each of them access to a graphical
>> desktop. It's working great. :-)
>>
>>
> Glad you like it and it is working out for you - I always love hearing
> real-life success stories!
>
> -Nick
>


-- 
------------------------------------------------------------------------
Jonathan Hankins    Homewood City Schools

jhankins@homewood.k12.al.us
------------------------------------------------------------------------
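The script itself is not posted in this thread, so the following is an added example of the approach Jonathan describes, not his script and not code from the Guacamole project: openssl(1) supplies the salt and a throwaway random password, the hash is SHA-256 of the password followed by the uppercase hex encoding of the salt (the scheme Guacamole's JDBC module checks), and the result is printed as a psql INSERT. It assumes openssl on PATH and the 0.9.x-era guacamole_user columns (username, password_hash, password_salt, password_date) as bytea/timestamp in PostgreSQL.

```shell
#!/usr/bin/env bash
# Added example, not Jonathan's script or Guacamole project code.
# Creates a Guacamole database user for an LDAP account with a random
# password nobody needs to know: LDAP does the real authentication, the
# row only carries the user's connection data.
# Assumes: openssl(1) on PATH, PostgreSQL bytea columns password_hash and
# password_salt, and Guacamole's scheme
#   password_hash = SHA-256( password || uppercase-hex(salt) )
set -eu

# 32 random salt bytes as 64 uppercase hex chars. Case matters: Guacamole
# hex-encodes the salt in uppercase before appending it to the password.
gen_salt_hex() {
    openssl rand -hex 32 | tr 'a-f' 'A-F'
}

# Throwaway password; it is hashed once and then discarded.
gen_random_password() {
    openssl rand -base64 24
}

# SHA-256 of <password><SALT_HEX>, printed as 64 uppercase hex chars.
# $1 = password, $2 = uppercase hex salt
guac_password_hash() {
    printf '%s%s' "$1" "$2" | openssl dgst -sha256 | awk '{ print toupper($NF) }'
}

# SQL for one user row (0.9.x-era guacamole_user columns, an assumption).
# $1 = username, $2 = hex salt, $3 = hex hash. Single quotes in the
# username are doubled so the SQL string literal stays intact.
make_user_sql() {
    q_user=$(printf '%s' "$1" | sed "s/'/''/g")
    cat <<EOF
INSERT INTO guacamole_user (username, password_hash, password_salt, password_date)
VALUES ('$q_user', decode('$3', 'hex'), decode('$2', 'hex'), CURRENT_TIMESTAMP);
EOF
}

# Usage: ./mkguacuser.sh alice | psql -d guacamole_db
if [ -n "${1:-}" ]; then
    salt=$(gen_salt_hex)
    pw=$(gen_random_password)
    make_user_sql "$1" "$salt" "$(guac_password_hash "$pw" "$salt")"
fi
```

The generated password is never written anywhere, which is the point: the row exists only so the LDAP user's connection data has somewhere to live.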

