Posted to user@guacamole.apache.org by Daniel Agostinho <da...@fresenius-kabi.com> on 2022/04/29 10:22:07 UTC

LDAP Group membership mapping, LDAP+DATABASE

Hi,

I'm trying to understand if it is possible, or I'm doing anything wrong with this.

So, we already used LDAP+MySQL for users, it's been working fine.
Now, we are trying to map the group membership in the AD groups, to the groups inside Guacamole's DB and groups.

On the Settings/Group we already see the groups from AD, however, it seems that it cannot pick up the users inside of each group.

guacamole.properties:

ldap-username-attribute: SamAccountName

ldap-group-name-attribute: cn
ldap-group-search-filter: (&(objectClass=group)(cn=CUSTOM_GROUPS*))

ldap-member-attribute: member
ldap-member-attribute-type: dn


Cumprimentos/Kind Regards,

Daniel Agostinho

Fresenius Kabi / Labesfal
Lagedo, Santiago de Besteiros
3465-157 Santiago de Besteiros
Portugal
Telefone/Phone +351-232-831-100
Telecópia/Fax +351-232-831-112
daniel.agostinho@fresenius-kabi.com<ma...@fresenius-kabi.com>
www.fresenius-kabi.com<http://www.fresenius-kabi.com>



RE: LDAP Group membership mapping, LDAP+DATABASE

Posted by Daniel Agostinho <da...@fresenius-kabi.com>.
Seems to be working yes.

With the user inside of the LDAP group and nothing else configured.
Thanks




From: Nick Couchman <vn...@apache.org>
Sent: 29 de abril de 2022 11:52
To: user@guacamole.apache.org
Subject: Re: LDAP Group membership mapping, LDAP+DATABASE


On Fri, Apr 29, 2022 at 6:22 AM Daniel Agostinho <da...@fresenius-kabi.com> wrote:
Hi,

I'm trying to understand if it is possible, or I'm doing anything wrong with this.

So, we already used LDAP+MySQL for users, it's been working fine.
Now, we are trying to map the group membership in the AD groups, to the groups inside Guacamole's DB and groups.

On the Settings/Group we already see the groups from AD, however, it seems that it cannot pick up the users inside of each group.


The settings page may not show the members of a group - the best way to evaluate this is to assign privileges to some group within the database extension and see if the users who are in that group receive the assigned privileges.

-Nick

Re: LDAP Group membership mapping, LDAP+DATABASE

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Apr 29, 2022 at 6:22 AM Daniel Agostinho <
daniel.agostinho@fresenius-kabi.com> wrote:

> Hi,
>
>
>
> I’m trying to understand if it is possible, or I’m doing anything wrong
> with this.
>
>
>
> So, we already used LDAP+MySQL for users, it’s been working fine.
>
> Now, we are trying to map the group membership in the AD groups, to the
> groups inside Guacamole’s DB and groups.
>
>
>
> On the Settings/Group we already see the groups from AD, however, it seems
> that it cannot pick up the users inside of each group.
>
>
>

The settings page may not show the members of a group - the best way to
evaluate this is to assign privileges to some group within the database
extension and see if the users who are in that group receive the assigned
privileges.

-Nick

>
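
The check Nick describes, modelled offline as an added example (not part of the thread and not Guacamole's own code): the posted settings are applied to constructed directory entries, and a grant made to a same-named group on the database side is resolved to the users who inherit it. The DNs, the connection name `rdp-server-01`, the `DB_GRANTS` mapping and the simplified filter evaluation are assumptions for illustration.

```python
import re
from fnmatch import fnmatchcase

# Settings exactly as posted in the thread.
PROPERTIES = """\
ldap-username-attribute: SamAccountName
ldap-group-name-attribute: cn
ldap-group-search-filter: (&(objectClass=group)(cn=CUSTOM_GROUPS*))
ldap-member-attribute: member
ldap-member-attribute-type: dn
"""

# Constructed sample data (placeholders, not from the thread).
ALICE = {"dn": "CN=Alice,OU=Users,DC=example,DC=test", "SamAccountName": "alice"}
BOB = {"dn": "CN=Bob,OU=Users,DC=example,DC=test", "SamAccountName": "bob"}
GROUPS = [
    {"objectClass": "group", "cn": "CUSTOM_GROUPS_RDP", "member": [ALICE["dn"]]},
    {"objectClass": "group", "cn": "Domain Users", "member": [ALICE["dn"], BOB["dn"]]},
]
# Hypothetical grant made on the database side to the same-named group.
DB_GRANTS = {"CUSTOM_GROUPS_RDP": {"rdp-server-01"}}

def parse_properties(text):
    """Parse 'key: value' lines into a dict."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def matches_filter(entry, ldap_filter):
    """Evaluate an AND of simple (attr=value*) terms; other filter forms are not handled."""
    terms = re.findall(r"\(([\w-]+)=([^()]*)\)", ldap_filter)
    return all(fnmatchcase(str(entry.get(a, "")).lower(), v.lower()) for a, v in terms)

def groups_for_user(props, user, groups):
    """Names of in-scope groups whose member attribute lists this user."""
    by_dn = props["ldap-member-attribute-type"] == "dn"
    ident = (user["dn"] if by_dn else user[props["ldap-username-attribute"]]).lower()
    return [g[props["ldap-group-name-attribute"]] for g in groups
            if matches_filter(g, props["ldap-group-search-filter"])
            and ident in (m.lower() for m in g.get(props["ldap-member-attribute"], []))]

def effective_connections(props, user, groups=GROUPS, grants=DB_GRANTS):
    """Connections a user inherits through group names shared by LDAP and the database."""
    found = set()
    for name in groups_for_user(props, user, groups):
        found |= grants.get(name, set())
    return found

if __name__ == "__main__":
    props = parse_properties(PROPERTIES)
    for user in (ALICE, BOB):
        print(user["SamAccountName"], sorted(effective_connections(props, user)))
```

Testing with one user inside the group and one outside it confirms both that the grant arrives and that it does not leak. Switching `ldap-member-attribute-type` to `uid` while `member` holds DNs makes the membership lookup return nothing.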