guacamole-user mailing list archives

From Nick Couchman <vn...@apache.org>
Subject Re: Restricting access to Connections defined in MySQL using LDAP groups?
Date Fri, 18 Jan 2019 21:02:06 GMT

On Fri, Jan 18, 2019 at 11:58 AM JoelB <nabble@joelbest.ca> wrote:

> Hi all, I've managed to get Guacamole 1.0.0 working with my connections
> defined in MySQL and groups defined in LDAP. However, I cannot seem to
> grant access to connections based on LDAP group membership. If I assign a
> connection to a group, it does not show up for users of that group when
> they login unless I manually add them to the group within MySQL.
>

So, just to clarify, you have a LDAPUser, who is part of LDAPGroup inside
your LDAP Directory, and you create LDAPGroup in the JDBC extension and
assign permissions to LDAPGroup to access connections?  In your
guacamole.properties file do you have ldap-group-base-dn specified?  You'll
need this property enabled in order for the LDAP extension to actually
enumerate groups within your LDAP directory - otherwise it will not look
for user groups at all.


>
> Is it possible to limit access to MySQL-defined connections using LDAP
> group membership at this time? We have 2000+ users so granting each of
> them access or group membership individually is not possible.
>

Yes, this should work.  There is a JIRA issue out there that deals with a
slightly nuanced version of this scenario, so I want to make sure I
understand what you're trying to do that isn't appearing to work.  Here's
the JIRA issue:

https://issues.apache.org/jira/browse/GUACAMOLE-696

In that issue, the matching user account in JDBC is being assigned to a
JDBC group, and the permissions are not being passed through because the
user is authenticated with LDAP and not with JDBC.

-Nick
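
The property check described in the reply above, as an added example that is not part of the original message or of Guacamole itself: a small audit that reads guacamole.properties text and reports when LDAP is configured but ldap-group-base-dn is absent. The function names, the simplified parser, and the sample values (including the other ldap-/mysql- properties used to build the sample) are assumptions made for illustration.

```python
# Added example, not from the original thread. Sample configs are constructed.
SAMPLE_MISSING = """\
mysql-hostname: localhost
ldap-hostname: ldap.example.com
ldap-user-base-dn: ou=people,dc=example,dc=com
# ldap-group-base-dn: ou=groups,dc=example,dc=com
"""
# Same file with the group base DN uncommented.
SAMPLE_SET = SAMPLE_MISSING.replace("# ldap-group", "ldap-group")


def parse_properties(text):
    """Parse simple 'key: value' or 'key = value' lines; skip comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split at whichever separator (':' or '=') appears first, so DN
        # values such as 'ou=groups,dc=example' stay intact.
        hits = [i for i in (line.find(":"), line.find("=")) if i != -1]
        if not hits:
            props[line] = ""
            continue
        idx = min(hits)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def ldap_group_findings(text):
    """Return findings about LDAP group lookup in a guacamole.properties text."""
    props = parse_properties(text)
    if not any(key.startswith("ldap-") for key in props):
        return []  # LDAP is not configured in this file; nothing to check
    findings = []
    if not props.get("ldap-group-base-dn"):
        findings.append(
            "ldap-group-base-dn is not set: the LDAP extension will not look "
            "for user groups, so group-based connection permissions cannot apply"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("missing", SAMPLE_MISSING), ("set", SAMPLE_SET)):
        print(name, ldap_group_findings(cfg) or "OK")
```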
