Posted to user@guacamole.apache.org by Michael Hess <mi...@nols.edu.INVALID> on 2023/02/03 21:53:48 UTC

LDAP with SAML, SSH keys, and MacOS issues

Hey folks!

I want to enable LDAP in my Guac Docker. I added the LDAP environment variables to the docker-compose.yml, removed the image, and did "docker compose up", but it didn't add the .jar within the image/container. How do I go about that?

Then, I'm using Azure for SSO; will the guac server take that username and somehow allow it to check against LDAP to use the ${GUAC_USERNAME} and password tag to pass through?

Then, can I have each user assign their own ssh private key somewhere so they don't have to enter it into a new connection for each server themselves? I'd prefer to create all connections, so nobody else has to, and just assign by groups. And the host key box doesn't work, fails to connect, taking the key directly from known_hosts.

Lastly, cut/paste doesn't work on a Mac client from a Mac host. The Alt key maps to the Windows key, and the Windows key (whatever it is on Mac) doesn't do anything. The slide cut/paste box won't work in either direction.

Thanks for any insight!

Michael Hess

Re: LDAP with SAML, SSH keys, and MacOS issues

Posted by Michael Hess <mi...@nols.edu.INVALID>.
Thank you, Nick. That's what I suspected.

Got LDAP working, boneheaded typo on my part. I may just do LDAP with TOTP then. Would be great if SSO worked, followed by the bind user being able to at least show users and groups for config purposes, even if it can't get the password, which totally makes sense!

Mac is a pain for everything. I'll try key mappings on the host/client to see if I can make it work satisfactorily.

Thank you for confirming my suspicions!

Michael
________________________________
From: Nick Couchman <vn...@apache.org>
Sent: Friday, February 3, 2023 3:05 PM
To: user@guacamole.apache.org <us...@guacamole.apache.org>
Subject: Re: LDAP with SAML, SSH keys, and MacOS issues

On Fri, Feb 3, 2023 at 4:54 PM Michael Hess
<mi...@nols.edu.invalid> wrote:
>
> Hey folks!
>
> I want to enable LDAP in my Guac Docker. I added the LDAP environment variables to the docker-compose.yml, removed the image, and did "docker compose up", but it didn't add the .jar within the image/container. How do I go about that?
>
> Then, I'm using Azure for SSO; will the guac server take that username and somehow allow it to check against LDAP to use the ${GUAC_USERNAME} and password tag to pass through?

This configuration probably won't work quite as you expect it for a
couple of reasons:
* If your users are logging in with Azure SSO (SAML), then Guacamole
will have no access to the password for the user.
* In the LDAP extension, all of the transactions with LDAP after the
initial search for the user are done with the credentials of the user
who is logging in to Guacamole. This is regardless of whether you have
a bind DN and password specified in the configuration file - as soon
as Guacamole finds a user with the bind credentials you specify in the
configuration file, it un-binds and then attempts to re-bind using the
LDAP object plus the password of the user who is logging in. Since
Azure SSO (SAML) has authenticated your user, there won't be a
password, and the LDAP module will never get past attempting to
authenticate that user, which it probably won't even try to do in
absence of a password and with an already-successful authentication
from SAML.

>
> Then, can I have each user assign their own ssh private key somewhere so they don't have to enter it into a new connection for each server themselves? I'd prefer to create all connections, so nobody else has to, and just assign by groups. And the host key box doesn't work, fails to connect, taking the key directly from known_hosts.

This has been discussed before, but there currently is not a way to
set per-user credential configurations outside of the ${GUAC_USERNAME}
and ${GUAC_PASSWORD} tokens, which only work if your users are
actually entering both a username and password. I suspect it'll show
up in Guacamole before too long - there are just too many good use
cases for such a setup to not support something like that.

>
> Lastly, cut/paste doesn't work on a Mac client from a Mac host. The Alt key maps to the Windows key, and the Windows key (whatever it is on Mac) doesn't do anything. The slide cut/paste box won't work in either direction.

Using what protocol? VNC, I'm guessing? I've managed to get access to
a Mac with VNC a couple of times to do some debugging work on the VNC
bits, but don't have a lot of experience, nor consistent access to a
Mac platform, to try this out at the moment.

-Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: LDAP with SAML, SSH keys, and MacOS issues

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Feb 3, 2023 at 4:54 PM Michael Hess
<mi...@nols.edu.invalid> wrote:
>
> Hey folks!
>
> I want to enable LDAP in my Guac Docker. I added the LDAP environment variables to the docker-compose.yml, removed the image, and did "docker compose up", but it didn't add the .jar within the image/container. How do I go about that?
>
> Then, I'm using Azure for SSO; will the guac server take that username and somehow allow it to check against LDAP to use the ${GUAC_USERNAME} and password tag to pass through?

This configuration probably won't work quite as you expect it for a
couple of reasons:
* If your users are logging in with Azure SSO (SAML), then Guacamole
will have no access to the password for the user.
* In the LDAP extension, all of the transactions with LDAP after the
initial search for the user are done with the credentials of the user
who is logging in to Guacamole. This is regardless of whether you have
a bind DN and password specified in the configuration file - as soon
as Guacamole finds a user with the bind credentials you specify in the
configuration file, it un-binds and then attempts to re-bind using the
LDAP object plus the password of the user who is logging in. Since
Azure SSO (SAML) has authenticated your user, there won't be a
password, and the LDAP module will never get past attempting to
authenticate that user, which it probably won't even try to do in
absence of a password and with an already-successful authentication
from SAML.

>
> Then, can I have each user assign their own ssh private key somewhere so they don't have to enter it into a new connection for each server themselves? I'd prefer to create all connections, so nobody else has to, and just assign by groups. And the host key box doesn't work, fails to connect, taking the key directly from known_hosts.

This has been discussed before, but there currently is not a way to
set per-user credential configurations outside of the ${GUAC_USERNAME}
and ${GUAC_PASSWORD} tokens, which only work if your users are
actually entering both a username and password. I suspect it'll show
up in Guacamole before too long - there are just too many good use
cases for such a setup to not support something like that.

>
> Lastly, cut/paste doesn't work on a Mac client from a Mac host. The Alt key maps to the Windows key, and the Windows key (whatever it is on Mac) doesn't do anything. The slide cut/paste box won't work in either direction.

Using what protocol? VNC, I'm guessing? I've managed to get access to
a Mac with VNC a couple of times to do some debugging work on the VNC
bits, but don't have a lot of experience, nor consistent access to a
Mac platform, to try this out at the moment.

-Nick

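The two mechanisms Nick's reply describes, the LDAP extension's search-bind / un-bind / re-bind-as-the-user sequence and the ${GUAC_USERNAME} / ${GUAC_PASSWORD} token substitution, are shown below as an added Python model. This is example code written for this thread, not Guacamole's own code: the in-memory directory, the DNs, the service account and the passwords are all constructed, and the LDAP_* names mirror the style of the Docker image's configuration variables but are plain module constants here. It shows why a SAML-authenticated session, which carries no password, never reaches the user re-bind and leaves the ${GUAC_PASSWORD} token unfilled.

```python
"""Model of Guacamole's LDAP bind sequence and credential-token substitution.

Added example for illustration only; it is not Guacamole's implementation.
The directory below is a constructed stand-in for an LDAP server.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Directory:
    """Minimal stand-in for an LDAP server: DN -> {"attrs": ..., "password": ...}."""

    entries: Dict[str, dict]

    def bind(self, dn: Optional[str], password: Optional[str]) -> bool:
        """Simple bind: succeeds only for a known DN with its exact password.
        Anonymous and empty-password binds are refused, as a hardened server would."""
        if dn is None or not password:
            return False
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search(self, base: str, attr: str, value: str) -> Optional[str]:
        """Return the DN under `base` whose attribute `attr` equals `value`, if any."""
        for dn, entry in self.entries.items():
            if dn.endswith(base) and entry["attrs"].get(attr) == value:
                return dn
        return None


# Constructed sample directory (hypothetical DNs and passwords).
DIRECTORY = Directory(entries={
    "cn=guac-search,ou=service,dc=example,dc=org": {"attrs": {}, "password": "svc-secret"},
    "uid=mhess,ou=people,dc=example,dc=org": {"attrs": {"uid": "mhess"}, "password": "hunter2"},
})

# Settings in the style of the LDAP extension's configuration (values are constructed).
LDAP_SEARCH_BIND_DN = "cn=guac-search,ou=service,dc=example,dc=org"
LDAP_SEARCH_BIND_PASSWORD = "svc-secret"
LDAP_USER_BASE_DN = "ou=people,dc=example,dc=org"
LDAP_USERNAME_ATTRIBUTE = "uid"


def ldap_authenticate(directory: Directory, username: str, password: Optional[str]) -> str:
    """Return the stage at which the LDAP login stops.

    'no-password'   : nothing to re-bind with (e.g. the session came from SAML)
    'search-failed' : the service (search) bind itself was refused
    'not-found'     : no entry under the user base DN matched the username attribute
    'bad-password'  : user found, but the re-bind as that user failed
    'ok'            : user found and the re-bind with the user's own password succeeded
    """
    if not password:
        return "no-password"
    # Step 1: bind with the configured search credentials to locate the user.
    if not directory.bind(LDAP_SEARCH_BIND_DN, LDAP_SEARCH_BIND_PASSWORD):
        return "search-failed"
    user_dn = directory.search(LDAP_USER_BASE_DN, LDAP_USERNAME_ATTRIBUTE, username)
    # Step 2: un-bind the service account; from here on only the user's credentials count.
    if user_dn is None:
        return "not-found"
    # Step 3: re-bind as the user's own DN with the password the user typed in.
    return "ok" if directory.bind(user_dn, password) else "bad-password"


TOKENS = ("${GUAC_USERNAME}", "${GUAC_PASSWORD}")


def substitute_tokens(params: Dict[str, str], username: Optional[str],
                      password: Optional[str]) -> Tuple[Dict[str, str], List[str]]:
    """Fill ${GUAC_USERNAME}/${GUAC_PASSWORD} in connection parameters.

    Returns the substituted parameters and the list of tokens that could not be
    filled. A token whose value is missing is left in place (an assumption of
    this model), which is what happens when SSO supplies a username but no password.
    """
    values = dict(zip(TOKENS, (username, password)))
    filled, missing = {}, []
    for key, value in params.items():
        for token, replacement in values.items():
            if token in value:
                if replacement:
                    value = value.replace(token, replacement)
                else:
                    missing.append(token)
        filled[key] = value
    return filled, missing


if __name__ == "__main__":
    conn = {"hostname": "host.example.org", "username": "${GUAC_USERNAME}",
            "password": "${GUAC_PASSWORD}"}
    print("LDAP login, password entered:", ldap_authenticate(DIRECTORY, "mhess", "hunter2"))
    print("LDAP login, SAML session    :", ldap_authenticate(DIRECTORY, "mhess", None))
    print("Tokens, SAML session        :", substitute_tokens(conn, "mhess", None))
```

Running the script prints "ok" for the interactive login and "no-password" for the SAML case, and the token substitution for the SAML case reports ${GUAC_PASSWORD} as unfilled even though ${GUAC_USERNAME} was replaced, matching Nick's point that the tokens only help when users actually enter both a username and a password.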