Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2022/01/21 23:45:00 UTC

[jira] [Commented] (GUACAMOLE-536) Add support for arbitrary LDAP bind patterns

    [ https://issues.apache.org/jira/browse/GUACAMOLE-536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17480297#comment-17480297 ] 

Mike Jumper commented on GUACAMOLE-536:
---------------------------------------

{quote}
... When binding with the user attempting to log on, the bind DN format pattern is not exposed through configuration which imposes unnatural restrictions forcing the user to exist in a single container. ... The use case is that we use Active Directory and do not allow bind accounts so the restriction prevents all users from accessing the application as our topology is not flat (we need to pick a single container therefore excluding everyone else). ...
{quote}

[~jcasale], I don't think this is the case. Currently, users and groups can definitely exist spread across multiple containers. It's certainly easier to map things within a single tree, but you can instead reference users further up the tree and narrow the truly applicable users/groups with filters.

With the recent addition of multi-LDAP support (GUACAMOLE-957), users need not exist on the same LDAP server. The same LDAP server can even be queried multiple times in different ways, if you prefer that over querying the same server from further up in the tree.

> Add support for arbitrary LDAP bind patterns
> --------------------------------------------
>
>                 Key: GUACAMOLE-536
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-536
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Joseph L. Casale
>            Assignee: Nick Couchman
>            Priority: Minor
>
> The current LDAP authentication scheme can recursively search the base DN only when a bind DN is used. When binding with the user attempting to log on, the bind DN format pattern is not exposed through configuration which imposes unnatural restrictions forcing the user to exist in a single container.
> If the format pattern was exposed for configuration, for DSA's which allow flexible bind patterns such as Active Directory, configuration could allow "DOMAIN\%s" or "%s@domain.com" and for those DSA's which do not, you would simply configure the restrictive full DN as the pattern.
> The use case is that we use Active Directory and do not allow bind accounts so the restriction prevents all users from accessing the application as our topology is not flat (we need to pick a single container therefore excluding everyone else).
> A working Java implementation of an LDAP auth scheme that facilitates this is [Gitblit|http://gitblit.com/properties.html], see the realm.ldap.* configuration properties. Setting the bind pattern to the UPN such as:
> {code:java}
> realm.ldap.bindpattern = ${username}@domain.com
> {code}
> allows the flexible configuration in our Active Directory environment.
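The bind-pattern mechanism the description asks for, as an added example that is not Guacamole's or Gitblit's code: a Python function that expands a `${username}` placeholder for the three pattern styles named above (UPN, down-level `DOMAIN\user`, and a full DN). The pattern strings, the `example.com` domain and the `render_bind_name`, `escape_dn_value` and `is_dn_pattern` helpers are all constructed for this example. The point that matters when exposing such a pattern is the handling of the username: in a DN-shaped pattern it is escaped per RFC 4514 so that commas, plus signs and similar characters cannot change which entry the bind names, and in a UPN or down-level pattern, which has no escaping syntax, it is restricted to a plain account name and rejected otherwise.

```python
import re
from string import Template

# Constructed example patterns, one per style named in the issue. "${username}"
# is the placeholder spelling used by Gitblit's realm.ldap.bindpattern, reused
# here for familiarity; the domain and DN components are made up.
PATTERNS = {
    "upn": "${username}@example.com",
    "downlevel": "EXAMPLE\\${username}",
    "full_dn": "cn=${username},ou=people,dc=example,dc=com",
}

# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')

# Account names accepted into UPN / down-level patterns. Those forms have no
# escaping syntax, so anything outside this character set is rejected outright.
_PLAIN_ACCOUNT = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# A DN-shaped pattern starts with "<attributeType>=" (e.g. "cn=", "uid=").
_DN_PREFIX = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*=")


def escape_dn_value(value: str) -> str:
    """Escape a string for use as a single attribute value inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing spaces
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def is_dn_pattern(pattern: str) -> bool:
    """True when the pattern is a full DN rather than a UPN or down-level name."""
    return _DN_PREFIX.match(pattern) is not None


def render_bind_name(pattern: str, username: str) -> str:
    """Expand ${username} in a configured bind pattern.

    DN patterns get an RFC 4514-escaped username; UPN and down-level patterns
    only accept a plain account name, since there is no way to escape '@' or
    '\\' inside them and an unchecked value could redirect the bind.
    """
    if "${username}" not in pattern:
        raise ValueError("bind pattern must contain ${username}")
    if is_dn_pattern(pattern):
        value = escape_dn_value(username)
    else:
        if not _PLAIN_ACCOUNT.match(username):
            raise ValueError("username not permitted in a UPN/down-level bind pattern")
        value = username
    # string.Template does not interpret backslashes in the substituted value,
    # unlike re.sub, so the escaped DN value passes through unchanged.
    return Template(pattern).safe_substitute(username=value)


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:10} {render_bind_name(pattern, 'alice')}")
    print("full_dn    " + render_bind_name(PATTERNS["full_dn"], "Smith, John"))
    try:
        render_bind_name(PATTERNS["upn"], "alice@other.example")
    except ValueError as exc:
        print("rejected:", exc)
```

With a DSA that only accepts a full DN, the `full_dn` style is the one to configure, and the escaping step is what keeps a name such as `Smith, John` a single RDN value rather than two.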
--
This message was sent by Atlassian Jira
(v8.20.1#820001)