guacamole-user mailing list archives

From Mike Jumper <mjum...@apache.org>
Subject Re: LDAP search vs. bind - what does guacamole use when?
Date Wed, 01 May 2019 19:25:37 GMT
On Wed, May 1, 2019 at 12:06 PM nicoschottelius <nico.schottelius@ungleich.ch> wrote:

> ...
> The way things are configured in this particular network is that there
> is one "reading" binding user that can search the tree and find objects.
>
> Users can only bind, but cannot search anything.
>

Assuming your users don't need access to those objects, that should still
be OK. Users should still be able to log in to Guacamole using their
credentials. They will simply not be able to access anything they don't
have permission to access.


>
> Is there any way to alter the behaviour in Guacamole to switch it around?
> I.e. by adding a flag like ldap-search-with-search-bind-dn: true?
>

If your LDAP directory is explicitly configured to deny those users access
to those objects, then effectively bypassing the access controls of LDAP is
not a good path forward. If your users authenticating via LDAP *do* need
access to those objects within LDAP, then you should grant those users
access to those objects, perhaps by creating a group with the necessary
access.


>
> As this project is also a bit time-critical, I'd be happy for any feedback
> in the direction of "sounds doable" or "absolutely impossible".
>

Neither. It's not a matter of whether it's possible. My feedback in this
case would be: "sounds like it shouldn't be done".

Is there a reason why making code changes to software to add a new
configuration option to work around enforcement of intended access
restrictions is a more inviting solution than simply granting access to the
users in question?

- Mike
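For readers trying to map the setup described in this thread onto the actual configuration, the fragment below is an added example and is not part of the original exchange or of the Guacamole project's own documentation. It uses the real guacamole-auth-ldap property names, but every hostname, DN and password is a placeholder assumed for illustration:

```properties
# Added example (not from the thread): guacamole.properties for a directory
# with one read-only "search" account and ordinary users that can only bind.
# All hostnames, DNs and passwords below are placeholders.
ldap-hostname: ldap.example.com
ldap-port: 636
ldap-encryption-method: ssl

# Where user entries live and which attribute holds the login name.
ldap-user-base-dn: ou=people,dc=example,dc=com
ldap-username-attribute: uid

# The "reading" account from the question: Guacamole binds as this DN only
# to resolve the DN of the user who is logging in. Keep it read-only.
ldap-search-bind-dn: cn=guac-search,ou=service,dc=example,dc=com
ldap-search-bind-password: <search-account-password-placeholder>

# After the lookup, Guacamole re-binds as the user's own DN with the password
# they typed and reads connection definitions (guacConfigGroup entries) under
# this base as that user. If the directory denies the user read access here,
# login still succeeds but the user sees no connections; the remedy is an
# LDAP ACL or group granting read access, which is the point made above.
ldap-config-base-dn: ou=guacamole,dc=example,dc=com
ldap-group-base-dn: ou=groups,dc=example,dc=com
```

A quick way to confirm the directory side before blaming Guacamole is to bind with an ordinary user's credentials using a standard LDAP client and run a subtree search under the configured `ldap-config-base-dn`; if that search returns nothing or is refused, the user's own permissions, not the search account's, are what need adjusting.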
