guacamole-user mailing list archives

From Chris Duncan <cell...@gmail.com>
Subject Re: LDAP+database - Credential duplication?
Date Fri, 11 May 2018 06:17:16 GMT
Sorry to piggyback on this topic but I have a related question. Is it
possible to configure connections to use the LDAP password without entering
it in the database? I'm authenticating against Active Directory for
Guacamole user passwords but I can't work out how to pass that same
password through to connections configured in the Postgres database.

On Thu, 10 May 2018, 23:00 Nick Couchman, <vnick@apache.org> wrote:

> On Thu, May 10, 2018 at 3:21 PM, Felix Wolfheimer <f.wolfheimer@googlemail.com> wrote:
>
>> I'm trying to set up guacamole with LDAP authentication and would like to
>> use postgresql as storage for the connection parameters. Looking at the
>> provided database schema files for postgresql (001-create-schema.sql), the
>> user information entered into the database requires a password. I'm
>> wondering whether this means that the LDAP user credentials need to be
>> duplicated and entered into the database? The guacamole manual however
>> suggests that once a user is successfully authenticated using the
>> credentials stored in LDAP, the guacamole database will trust this user and
>> will use the information present in the database for this user (
>> https://guacamole.apache.org/doc/gug/ldap-auth.html):
>>
>
> Yes, this is correct.
>
>> "Data can be manually associated with LDAP users by creating
>> corresponding user accounts within the database which each have the same
>> usernames as valid LDAP users. As long as the username is identical, a
>> successful login attempt against LDAP will be trusted by the database
>> authentication, and that user's associated data will be visible."
>>
>> Actually, I'd like to prevent storing password information in the
>> database and only use the LDAP passwords for authentication. Is this
>> supposed to work? May I just adjust the database schema and leave the
>> password field empty?
>>
> The password for the user from LDAP is not copied to or stored in the
> database.  The database does require a user password to be set; however, if
> you leave this blank when creating users in the admin interface one will be
> randomly generated.  Similarly, if you are importing users directly into
> the database you could generate random values for this field and the LDAP
> authentication will still work, and it will *not* update/store the LDAP
> password in the DB.
>
>
>> BTW: Thanks for providing this great product. I've used it to host
>> workshops for up to 50 people, providing each of them access to a graphical
>> desktop. It's working great. :-)
>>
>>
> Glad you like it and it is working out for you - I always love hearing
> real-life success stories!
>
> -Nick
>
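As an added example (not part of this thread or of the Guacamole project), this is one way to do the user import Nick describes: create the database-side account that mirrors an LDAP username, but give it a random, discarded password so the database row can never be logged into on its own and only the LDAP credentials work. It assumes Guacamole's SHA-256 scheme (hash of the password concatenated with the upper-case hex salt) and the 0.9.x-era guacamole_user column names (username, password_hash, password_salt, password_date); both are assumptions here, so check them against your 001-create-schema.sql.

```python
import hashlib
import secrets
from typing import Tuple


def guac_password_hash(password: str, salt: bytes) -> bytes:
    # Assumed Guacamole scheme: SHA-256 over the UTF-8 password followed by
    # the UPPER-CASE hex encoding of the salt.
    return hashlib.sha256((password + salt.hex().upper()).encode("utf-8")).digest()


def random_placeholder_credentials() -> Tuple[bytes, bytes]:
    """Return (password_hash, password_salt) for a row whose password is
    never meant to be used: the plaintext comes from the CSPRNG and is
    discarded immediately, so only LDAP can authenticate this user."""
    throwaway_password = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(32)
    return guac_password_hash(throwaway_password, salt), salt


def placeholder_user_insert(username: str) -> str:
    """Build the INSERT for a guacamole_user row (assumed 0.9.x column
    names) matching an LDAP username, so that connections granted to that
    username in the database become visible after an LDAP login."""
    pw_hash, salt = random_placeholder_credentials()
    safe_name = username.replace("'", "''")  # minimal quoting for the demo
    return (
        "INSERT INTO guacamole_user "
        "(username, password_hash, password_salt, password_date) VALUES ("
        f"'{safe_name}', decode('{pw_hash.hex()}', 'hex'), "
        f"decode('{salt.hex()}', 'hex'), CURRENT_TIMESTAMP);"
    )


if __name__ == "__main__":
    # Constructed sample username; the LDAP account must use the same name.
    print(placeholder_user_insert("f.wolfheimer"))
```

Because the generated password is thrown away, the stored hash is effectively unguessable and the database password field never carries the LDAP password, which matches Nick's description that LDAP logins neither copy nor update it.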
