Granting users permissions after LDAP authentication

[Steve Pierce <st...@flexerasoftware.com>]

Hello,
I was able to get LDAP authentication to work after a bit, but now that my
user is in there they don't have access to do much of anything except change
their interface options. How do I grant them permissions to do things like
connect to rdp sessions or create their own sessions? Any help would be
greatly appreciated.

Thanks,
Steve



--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Granting-users-permissions-after-LDAP-authentication-tp728.html
Sent from the Apache Guacamole (incubating) - Users mailing list archive at Nabble.com.

Re: Granting users permissions after LDAP authentication

[Mike Jumper <mi...@guac-dev.org>]

On Tue, Apr 4, 2017 at 11:41 AM, Steve Pierce <
stevepierce@flexerasoftware.com> wrote:

> Hello,
> I was able to get LDAP authentication to work after a bit, but now that my
> user is in there they don't have access to do much of anything except
> change
> their interface options. How do I grant them permissions to do things like
> connect to rdp sessions or create their own sessions? Any help would be
> greatly appreciated.
>
>
Are you using any other extensions to provide storage for the connection
data itself? Or are you planning on storing the connection data within the
LDAP directory?

- Mike

Re: Granting users permissions after LDAP authentication

[Nick Couchman <ni...@yahoo.com>]

Mike asked the following follow-up question:

> Are you using any other extensions to provide storage for the connection data itself? Or are you planning on storing the connection data within the LDAP directory?

Which received no response.
The reason Mike asked is because the answer is that it depends on how you're doing authentication and connections with LDAP.  If you're authenticating with LDAP, but using one of the JDBC modules for storing connections, then you need to create the LDAP users you want to assign permissions to in the JDBC module (you can use the guacadmin user to do this, or you can manipulate the database directly) and then assign those users permissions.  Then, then next time you log in under the LDAP account, that user will have the permissions.  This is called "layering" authentication modules, and works as long as the usernames of the modules line up - that is, if you're logging into LDAP with the username "avocado" then you must create a user with that same username in the JDBC module and assign the permissions.
If you're using only the LDAP module, then the answer is that you cannot manage connections from the Guacamole interface - you must use an LDAP tool to manipulate the directory tree directly and then those items will be read in by Guacamole.  You can do some basic permission management (use the member LDAP property to assign the connection to certain users), but it's fairly rudimentary.
See the following manual page for more info on both options:http://guacamole.incubator.apache.org/doc/gug/ldap-auth.html
Regards,Nick
== He has shown you, O man, what is good; And what does the LORD require of you But to do justly, To love mercy, And to walk humbly with your God? --Micah 6:8-- ==



On Thursday, August 31, 2017, 12:37:56 PM EDT, marcosrlopes <ma...@gmail.com> wrote:


Anyone??



--
Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/

Re: Granting users permissions after LDAP authentication

[marcosrlopes <ma...@gmail.com>]

Anyone??



--
Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/