guacamole-user mailing list archives

From JoelB <nab...@joelbest.ca>
Subject Re: Restricting access to Connections defined in MySQL using LDAP groups?
Date Mon, 21 Jan 2019 13:37:00 GMT
vnick wrote
> So, just to clarify, you have a LDAPUser, who is part of LDAPGroup inside
> your LDAP Directory, and you create LDAPGroup in the JDBC extension and
> assign permissions to LDAPGroup to access connections?  

I don't need to create the group in the JDBC extension. I can see all my
LDAP groups in the "Groups" section of the UI and can open up an LDAP group
and grant it permissions to use a connection. However if I only do these
steps, the connection does not appear for authenticated LDAP users who are
members of the target LDAP group.

If I then create the group in the JDBC extension and add the LDAP user
manually to that group, the connection will appear for that user. I don't
feel this step should be necessary -- it should query the LDAP group
membership on login and determine that the authenticated user is a member of
the LDAP group and show all connections assigned to that group.


vnick wrote
> In your guacamole.properties file do you have ldap-group-base-dn
> specified?  
> You'll need this property enabled in order for the LDAP extension to
> actually
> enumerate groups within your LDAP directory - otherwise it will not look
> for user groups at all.

Yes, this is configured and I can enumerate all LDAP groups in the admin
console when logged in with an admin user that is also defined in LDAP.


vnick wrote
> Yes, this should work.  There is a JIRA issue out there that deals with a
> slightly nuanced version of this scenario, so I want to make sure I
> understand what you're trying to do that isn't appearing to work.  Here's
> the JIRA issue:
> 
> https://issues.apache.org/jira/browse/GUACAMOLE-696
> 
> In that issue, the matching user account in JDBC is being assigned to a
> JDBC group, and the permissions are not being passed through because the
> user is authenticated with LDAP and not with JDBC.

I don't think it is the same issue. The user in my case is authenticated
through LDAP and is assigned to the group in LDAP. From reading that issue,
it sounds like the opposite: they want MySQL group membership to allow
access to connections for LDAP-authenticated users. This is currently the
only way I can get it to work and would prefer to have all-LDAP permissions
but have the connections defined in MySQL so I can use concurrency limits.

Thanks for your help!
-Joel

P.S. here's my guacamole.properties just in case it helps:

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
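For reference, the guacamole.properties keys that govern the behaviour discussed above (LDAP group enumeration via ldap-group-base-dn, and MySQL-defined connections with concurrency limits), as an added example configuration that is not the poster's own file; hostnames, DNs, database name and the password are constructed placeholders:

```properties
# Added example configuration, not the poster's own guacamole.properties.
# Hostnames, DNs and credentials below are constructed placeholders.

# --- LDAP authentication ---
ldap-hostname: ldap.example.internal
ldap-port: 636
ldap-encryption-method: ssl
ldap-user-base-dn: ou=people,dc=example,dc=internal
ldap-username-attribute: uid

# Without ldap-group-base-dn the LDAP extension never looks for groups at
# all, so no group-based permissions can apply to LDAP-authenticated users.
ldap-group-base-dn: ou=groups,dc=example,dc=internal
ldap-group-name-attribute: cn
# Attribute on the group object that lists its members (default is "member").
ldap-member-attribute: member

# --- MySQL: connection definitions and concurrency limits ---
mysql-hostname: db.example.internal
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: CHANGE-ME-placeholder
# Cap simultaneous use of each connection overall and per user.
mysql-default-max-connections: 2
mysql-default-max-connections-per-user: 1
```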
