guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: LDAP+database - Credential duplication?
Date Thu, 10 May 2018 22:00:04 GMT
On Thu, May 10, 2018 at 3:21 PM, Felix Wolfheimer <f.wolfheimer@googlemail.com> wrote:

> I'm trying to set up guacamole with LDAP authentication and would like to
> use postgresql as storage for the connection parameters. Looking at the
> provided database schema files for postgresql (001-create-schema.sql), the
> user information entered into the database requires a password. I'm
> wondering whether this means that the LDAP user credentials need to be
> duplicated and entered into the database? The guacamole manual however
> suggests that once a user is successfully authenticated using the
> credentials stored in LDAP, the guacamole database will trust this user and
> will use the information present in the database for this user (
> https://guacamole.apache.org/doc/gug/ldap-auth.html):
>

Yes, this is correct.

> "Data can be manually associated with LDAP users by creating corresponding
> user accounts within the database which each have the same usernames as
> valid LDAP users. As long as the username is identical, a successful login
> attempt against LDAP will be trusted by the database authentication, and
> that user's associated data will be visible."
>
> Actually, I'd like to prevent storing password information in the database
> and only use the LDAP passwords for authentication. Is this supposed to
> work? May I just adjust the database schema and leave the password field
> empty?
>
The password for the user from LDAP is not copied to or stored in the
database.  The database does require a user password to be set; however, if
you leave this blank when creating users in the admin interface one will be
randomly generated.  Similarly, if you are importing users directly into
the database you could generate random values for this field and the LDAP
authentication will still work, and it will *not* update/store the LDAP
password in the DB.


> BTW: Thanks for providing this great product. I've used it to host
> workshops for up to 50 people, providing each of them access to a graphical
> desktop. It's working great. :-)
>
Glad you like it and it is working out for you - I always love hearing
real-life success stories!

-Nick
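Nick's suggestion above, importing LDAP-mirrored accounts with random values in the password field, as an added example that is not from the thread or the Guacamole project: it generates unpredictable placeholder hash/salt bytes (so the database row can never be used to log in) and emits the PostgreSQL INSERT. The column names are an assumption taken from the guacamole_user table of the 0.9.x schema; confirm them against your own 001-create-schema.sql before running the output.

```python
import re
import secrets

# Assumed from the Guacamole 0.9.x PostgreSQL schema (001-create-schema.sql):
# guacamole_user(username, password_hash bytea, password_salt bytea, password_date).
HASH_BYTES = 32  # SHA-256 digest length, the size the schema expects in password_hash
SALT_BYTES = 32  # same size the web app uses for the salt it generates itself

# Only accept usernames that look like directory logins; anything else is
# rejected rather than interpolated into SQL.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,128}$")


def random_password_fields():
    """Return (password_hash_hex, password_salt_hex) filled with random bytes.

    The pair never corresponds to any real password, so the row cannot be used
    for a database login; LDAP stays the only way this user can authenticate.
    secrets (not random) is used so the placeholder is not predictable.
    """
    return secrets.token_hex(HASH_BYTES), secrets.token_hex(SALT_BYTES)


def user_insert_sql(username):
    """Build one INSERT creating the database account that mirrors an LDAP user."""
    if not USERNAME_RE.match(username):
        raise ValueError("refusing to build SQL for unexpected username: %r" % username)
    pw_hash, pw_salt = random_password_fields()
    escaped = username.replace("'", "''")  # defensive; the regex already excludes quotes
    return (
        "INSERT INTO guacamole_user (username, password_hash, password_salt, password_date) "
        "VALUES ('%s', decode('%s', 'hex'), decode('%s', 'hex'), CURRENT_TIMESTAMP);"
        % (escaped, pw_hash, pw_salt)
    )


if __name__ == "__main__":
    # Constructed sample: usernames exactly as they appear in the LDAP directory.
    for name in ["alice", "bob.smith"]:
        print(user_insert_sql(name))
```

Feed the printed statements to psql against the Guacamole database; the usernames must match the LDAP usernames byte for byte for the trust described in the manual to apply.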
