guacamole-user mailing list archives

From Mike Jumper <mjum...@apache.org>
Subject Re: AD/LDAP Old/Disabled Users Still Listed?
Date Tue, 11 Jun 2019 18:45:29 GMT
On Tue, Jun 11, 2019 at 5:34 AM Zer0Cool <melin3710@gmail.com> wrote:

> Guac: 1.0.0
> OS: CentOS 7.6
>
> Using the LDAP extension to connect with a pretty simple AD and using a
> MariaDB database for authentication/users (aka not changing the AD/LDAP
> side) with LDAPS.
>
> Using the following filter via "ldap-user-search-filter" in
> guacamole.properties:
>
> (&(objectCategory=person)(objectClass=user)(userAccountControl=512))
>
> Essentially this should (and seems to initially) filter out any account that
> is not an enabled/active standard user account with a password that expires.
> So accounts with passwords that do not expire should not be listed and
> disabled accounts should not be listed.
>
> Periodically I disable accounts for users who are no longer active. However
> these accounts appear to stay visible in the list of users in Guacamole. I
> have not tried logging into an old account to see if it works yet but am
> wondering why these do not get removed when they no longer meet the filter
> criteria?
>

My guess would be that database accounts still exist for those users.

- Mike
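
An added example, not part of the original thread and not Guacamole code: it decodes `userAccountControl` values, applies the exact-match test from the quoted filter, and lists database usernames that no longer have a matching directory entry, which is the situation guessed at in the reply. The directory entries and the database username list are constructed sample data; exporting the real lists is left to the reader.

```python
# Added illustration; all account names and values below are constructed.

# Documented Active Directory userAccountControl bit flags (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def matches_filter(entry):
    """Equality test performed by (userAccountControl=512).

    The whole integer must equal 512, so any extra flag (disabled account,
    non-expiring password) excludes the entry from the search result.
    """
    return entry["userAccountControl"] == 512


def stale_db_accounts(ldap_entries, db_usernames):
    """Database usernames with no directory entry that still passes the filter."""
    visible = {e["sAMAccountName"] for e in ldap_entries if matches_filter(e)}
    return sorted(u for u in db_usernames if u not in visible)


# Constructed directory snapshot.
LDAP_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512},         # enabled
    {"sAMAccountName": "bob", "userAccountControl": 514},           # disabled
    {"sAMAccountName": "svc-backup", "userAccountControl": 66048},  # never expires
]

# Constructed list of usernames that have an account in the database.
DB_USERNAMES = ["alice", "bob", "guacadmin"]

if __name__ == "__main__":
    for e in LDAP_ENTRIES:
        flags = ", ".join(decode_uac(e["userAccountControl"]))
        print(f'{e["sAMAccountName"]}: {flags} -> match={matches_filter(e)}')
    # Names to review: disabled in the directory, or database-only accounts.
    print("review:", stale_db_accounts(LDAP_ENTRIES, DB_USERNAMES))
```

Database-only accounts such as a local administrator also appear in the review list, so treat the output as candidates to check rather than a deletion list.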
