guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hankins, Jonathan" <>
Subject Re: AD/LDAP Old/Disabled Users Still Listed?
Date Fri, 14 Jun 2019 19:23:05 GMT
Since I see that the OP is authenticating against AD via LDAP, I just want
to throw this out there: AD stores the cn or sAMAccountName attribute
case-sensitively. Guacamole doesn't do a case-insensitive match (whereas
Windows login does), so I had to make sure that my sAMAccountName / cn
attributes were all lower case (which is what my users are expecting to
type in the Guacamole login box) for authentication to work. Mass-changing
sAMAccountName to lowercase is non-trivial, since many tools to do so work
case-insensitively. I can look up how I managed to script it if anyone gets
stuck like I did.

-Jonathan Hankins

On Fri, Jun 14, 2019 at 10:31 AM Mike Jumper <> wrote:

> On Fri, Jun 14, 2019, 07:06 Zer0Cool <> wrote:
>> Pardon my ignorance, but let me make sure I follow.
>> So you are saying that the ldap filter (and thus results) are likely
>> up-to-date but that the database side of the account does not get
>> deleted/removed from the database when there is no longer a matching LDAP
>> account to go with it?
> Nor would a database account be automatically created for LDAP. The two
> are independent. Guacamole unifies things for accounts having the same
> username, and that common username is the sole association between them.
>  So I would assume that while the account still exists in the database,
>> authentication of the account would fail as the underlying AD/LDAP account
>> is no longer active/pulled in by the filter?
> If you set a password for the database account, authentication using the
> database-specific password will succeed.
>> I presume that means it would be a manual task to go in and delete
>> disbaled
>> AD accounts from the database within Guacamole?
> Yes.
>> For what its worth, this makes sense to me as you wouldn't want the
>> database
>> to delete users/settings in the event it cannot connect to AD temporarily
>> for example.
> Indeed.
> Also, the two systems really are not interconnected in that way. Except
> for having the same username, there is no direct association between
> accounts in the database and within LDAP.
> Both the database and LDAP expose separate and independent sets of data,
> while the web interface unifies that data for presentation to user. With
> the exception of one (the database) trusting the authentication result of
> the other (LDAP), the two function completely independently.
> - Mike

Jonathan Hankins    Homewood City Schools

This e-mail is intended only for the recipient and may contain confidential 
or proprietary information. If you are not the intended recipient, the 
review, distribution, duplication or retention of this message and its 
attachments is prohibited. Please notify the sender of this error 
immediately by reply e-mail, and permanently delete this message and its 
attachments in any form in which they may have been preserved.

View raw message