Posted to user@guacamole.apache.org by Felix Wolfheimer <f....@googlemail.com> on 2018/05/10 19:21:00 UTC

LDAP+database - Credential duplication?

I'm trying to set up guacamole with LDAP authentication and would like to
use postgresql as storage for the connection parameters. Looking at the
provided database schema files for postgresql (001-create-schema.sql), the
user information entered into the database requires a password. I'm
wondering whether this means that the LDAP user credentials need to be
duplicated and entered into the database? The guacamole manual however
suggests that once a user is successfully authenticated using the
credentials stored in LDAP, the guacamole database will trust this user and
will use the information present in the database for this user (
https://guacamole.apache.org/doc/gug/ldap-auth.html):

"Data can be manually associated with LDAP users by creating corresponding
user accounts within the database which each have the same usernames as
valid LDAP users. As long as the username is identical, a successful login
attempt against LDAP will be trusted by the database authentication, and
that user's associated data will be visible."

Actually, I'd like to prevent storing password information in the database
and only use the LDAP passwords for authentication. Is this supposed to
work? May I just adjust the database schema and leave the password field
empty?

BTW: Thanks for providing this great product. I've used it to host
workshops for up to 50 people, providing each of them access to a graphical
desktop. It's working great. :-)

Re: LDAP+database - Credential duplication?

Posted by Felix Wolfheimer <f....@online.de>.
Hi Jonathan,

thanks a lot for your offer! If you would like to share the script you use
to create the database entries, it would be useful for me. For the
workshop use case I indeed create all the accounts in LDAP with random
passwords using a script; the SQL part of this is still missing, though,
and I started by creating a user-mapping.xml for Guacamole instead.
But in order to be more flexible when it comes to the creation of
additional users/sessions, the database approach seems more convenient.
 

Thanks a lot and best regards

Felix


On Thursday, 10.05.2018, 22:19 +0000, Jonathan Hankins wrote:
> Felix,
> 
> There are some examples of generating the salt and hashing the
> password correctly for postgres and mysql in the online docs, for
> various programming languages. My use case is similar to yours
> (postgres+LDAP). I needed to create users via script with random
> passwords in postgres, and I did it in shell script (bash) using
> openssl(1) to generate the random data, salts and do the hashes, some
> bash as glue and psql to load the data in the database. It took me
> some trial and error to translate what was in the docs online to work
> in bash, and I'd be happy to share my script if it'd be useful to
> you.
> 
> -Jonathan Hankins
> 

Re: LDAP+database - Credential duplication?

Posted by Jonathan Hankins <jh...@homewood.k12.al.us>.
Felix,

There are some examples of generating the salt and hashing the password
correctly for postgres and mysql in the online docs, for various
programming languages. My use case is similar to yours (postgres+LDAP). I
needed to create users via script with random passwords in postgres, and I
did it in shell script (bash) using openssl(1) to generate the random
data, salts and do the hashes, some bash as glue and psql to load the data
in the database. It took me some trial and error to translate what was in
the docs online to work in bash, and I'd be happy to share my script if
it'd be useful to you.

-Jonathan Hankins

On Thu, May 10, 2018 at 5:00 PM Nick Couchman <vn...@apache.org> wrote:

> On Thu, May 10, 2018 at 3:21 PM, Felix Wolfheimer <
> f.wolfheimer@googlemail.com> wrote:
>
>> I'm trying to set up guacamole with LDAP authentication and would like to
>> use postgresql as storage for the connection parameters. Looking at the
>> provided database schema files for postgresql (001-create-schema.sql), the
>> user information entered into the database requires a password. I'm
>> wondering whether this means that the LDAP user credentials need to be
>> duplicated and entered into the database? The guacamole manual however
>> suggests that once a user is successfully authenticated using the
>> credentials stored in LDAP, the guacamole database will trust this user and
>> will use the information present in the database for this user (
>> https://guacamole.apache.org/doc/gug/ldap-auth.html):
>>
>
> Yes, this is correct.
>
>> "Data can be manually associated with LDAP users by creating
>> corresponding user accounts within the database which each have the same
>> usernames as valid LDAP users. As long as the username is identical, a
>> successful login attempt against LDAP will be trusted by the database
>> authentication, and that user's associated data will be visible."
>>
>> Actually, I'd like to prevent storing password information in the
>> database and only use the LDAP passwords for authentication. Is this
>> supposed to work? May I just adjust the database schema and leave the
>> password field empty?
>>
> The password for the user from LDAP is not copied to or stored in the
> database.  The database does require a user password to be set; however, if
> you leave this blank when creating users in the admin interface one will be
> randomly generated.  Similarly, if you are importing users directly into
> the database you could generate random values for this field and the LDAP
> authentication will still work, and it will *not* update/store the LDAP
> password in the DB.
>
>
>> BTW: Thanks for providing this great product. I've used it to host
>> workshops for up to 50 people, providing each of them access to a graphical
>> desktop. It's working great. :-)
>>
>>
> Glad you like it and it is working out for you - I always love hearing
> real-life success stories!
>
> -Nick
>


-- 
------------------------------------------------------------------------
Jonathan Hankins    Homewood City Schools

jhankins@homewood.k12.al.us
------------------------------------------------------------------------

Re: LDAP+database - Credential duplication?

Posted by Chris Duncan <ce...@gmail.com>.
Thanks for the clarification. Authentication is now working wonderfully.

On 11 May 2018 at 20:31, Nick Couchman <ni...@gmail.com> wrote:

>
> On Fri, May 11, 2018 at 3:26 PM, Chris Duncan <ce...@gmail.com> wrote:
>
>> Thanks for the pointer, however, could you clarify where I make use of
>> these parameter tokens? When I configure a connection do I put the token
>> variables in the username and password fields?
>>
>
> Yes, exactly - so, in the username field you would put ${GUAC_USERNAME}
> and in the password field ${GUAC_PASSWORD}.
>
> -Nick
>



-- 
Regards,

Chris

Re: LDAP+database - Credential duplication?

Posted by Nick Couchman <ni...@gmail.com>.
On Fri, May 11, 2018 at 3:26 PM, Chris Duncan <ce...@gmail.com> wrote:

> Thanks for the pointer, however, could you clarify where I make use of
> these parameter tokens? When I configure a connection do I put the token
> variables in the username and password fields?
>

Yes, exactly - so, in the username field you would put ${GUAC_USERNAME} and
in the password field ${GUAC_PASSWORD}.

-Nick

Re: LDAP+database - Credential duplication?

Posted by Chris Duncan <ce...@gmail.com>.
Thanks for the pointer, however, could you clarify where I make use of
these parameter tokens? When I configure a connection do I put the token
variables in the username and password fields?

On Fri, 11 May 2018, 07:56 Mike Jumper, <mi...@glyptodon.org> wrote:

> On Thu, May 10, 2018 at 11:17 PM, Chris Duncan <ce...@gmail.com> wrote:
>
>> ...
>>
>> Is it possible to configure connections to use the LDAP password without
>> entering it in the database? I'm authenticating against Active Directory
>> for Guacamole user passwords but I can't work out how to pass that same
>> password through to connections configured in the Postgres database.
>>
>
> Yes. Use parameter tokens:
>
>
> http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
>
> - Mike
>
>

Re: LDAP+database - Credential duplication?

Posted by Mike Jumper <mi...@glyptodon.org>.
On Thu, May 10, 2018 at 11:17 PM, Chris Duncan <ce...@gmail.com> wrote:

> ...
>
> Is it possible to configure connections to use the LDAP password without
> entering it in the database? I'm authenticating against Active Directory
> for Guacamole user passwords but I can't work out how to pass that same
> password through to connections configured in the Postgres database.
>

Yes. Use parameter tokens:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens

- Mike

Re: LDAP+database - Credential duplication?

Posted by Chris Duncan <ce...@gmail.com>.
Sorry to piggyback on this topic but I have a related question. Is it
possible to configure connections to use the LDAP password without entering
it in the database? I'm authenticating against Active Directory for
Guacamole user passwords but I can't work out how to pass that same
password through to connections configured in the Postgres database.

On Thu, 10 May 2018, 23:00 Nick Couchman, <vn...@apache.org> wrote:

> On Thu, May 10, 2018 at 3:21 PM, Felix Wolfheimer <
> f.wolfheimer@googlemail.com> wrote:
>
>> I'm trying to set up guacamole with LDAP authentication and would like to
>> use postgresql as storage for the connection parameters. Looking at the
>> provided database schema files for postgresql (001-create-schema.sql), the
>> user information entered into the database requires a password. I'm
>> wondering whether this means that the LDAP user credentials need to be
>> duplicated and entered into the database? The guacamole manual however
>> suggests that once a user is successfully authenticated using the
>> credentials stored in LDAP, the guacamole database will trust this user and
>> will use the information present in the database for this user (
>> https://guacamole.apache.org/doc/gug/ldap-auth.html):
>>
>
> Yes, this is correct.
>
>> "Data can be manually associated with LDAP users by creating
>> corresponding user accounts within the database which each have the same
>> usernames as valid LDAP users. As long as the username is identical, a
>> successful login attempt against LDAP will be trusted by the database
>> authentication, and that user's associated data will be visible."
>>
>> Actually, I'd like to prevent storing password information in the
>> database and only use the LDAP passwords for authentication. Is this
>> supposed to work? May I just adjust the database schema and leave the
>> password field empty?
>>
> The password for the user from LDAP is not copied to or stored in the
> database.  The database does require a user password to be set; however, if
> you leave this blank when creating users in the admin interface one will be
> randomly generated.  Similarly, if you are importing users directly into
> the database you could generate random values for this field and the LDAP
> authentication will still work, and it will *not* update/store the LDAP
> password in the DB.
>
>
>> BTW: Thanks for providing this great product. I've used it to host
>> workshops for up to 50 people, providing each of them access to a graphical
>> desktop. It's working great. :-)
>>
>>
> Glad you like it and it is working out for you - I always love hearing
> real-life success stories!
>
> -Nick
>

Re: LDAP+database - Credential duplication?

Posted by Nick Couchman <vn...@apache.org>.
On Thu, May 10, 2018 at 3:21 PM, Felix Wolfheimer <
f.wolfheimer@googlemail.com> wrote:

> I'm trying to set up guacamole with LDAP authentication and would like to
> use postgresql as storage for the connection parameters. Looking at the
> provided database schema files for postgresql (001-create-schema.sql), the
> user information entered into the database requires a password. I'm
> wondering whether this means that the LDAP user credentials need to be
> duplicated and entered into the database? The guacamole manual however
> suggests that once a user is successfully authenticated using the
> credentials stored in LDAP, the guacamole database will trust this user and
> will use the information present in the database for this user (
> https://guacamole.apache.org/doc/gug/ldap-auth.html):
>

Yes, this is correct.

> "Data can be manually associated with LDAP users by creating corresponding
> user accounts within the database which each have the same usernames as
> valid LDAP users. As long as the username is identical, a successful login
> attempt against LDAP will be trusted by the database authentication, and
> that user's associated data will be visible."
>
> Actually, I'd like to prevent storing password information in the database
> and only use the LDAP passwords for authentication. Is this supposed to
> work? May I just adjust the database schema and leave the password field
> empty?
>
The password for the user from LDAP is not copied to or stored in the
database.  The database does require a user password to be set; however, if
you leave this blank when creating users in the admin interface one will be
randomly generated.  Similarly, if you are importing users directly into
the database you could generate random values for this field and the LDAP
authentication will still work, and it will *not* update/store the LDAP
password in the DB.


> BTW: Thanks for providing this great product. I've used it to host
> workshops for up to 50 people, providing each of them access to a graphical
> desktop. It's working great. :-)
>
>
Glad you like it and it is working out for you - I always love hearing
real-life success stories!

-Nick
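Nick's point above (the database row needs a password, but for LDAP users it can be a random value that is never used) and Jonathan's description of scripting the salt and hash generation lead to the following added example. It is not Jonathan's script and not Guacamole project code; it uses the hashing scheme the JDBC extension documents (SHA-256 of the password concatenated with the salt rendered as uppercase hex), assumes coreutils on PATH, and the `guac_*` function names and the database/user names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not Jonathan's script and not Guacamole project code.
# Provisions LDAP-backed users in the Guacamole JDBC database with a random,
# discarded placeholder password, so no LDAP secret is ever stored.
# Scheme used by guacamole-auth-jdbc: password_hash = SHA-256(password || HEX(salt)),
# where HEX(salt) is the 32-byte salt as 64 uppercase hex characters.
# Assumes coreutils (head, od, tr, sha256sum) on PATH; function names are ours.
set -eu

# 32 random bytes rendered as 64 uppercase hex characters.
guac_salt_hex() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Lowercase hex SHA-256 of the password concatenated with the hex salt.
guac_hash_hex() {
  printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Sanity check for imported rows: recompute and compare (case-insensitive).
guac_verify() {
  expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
  [ "$(guac_hash_hex "$1" "$2")" = "$expected" ]
}

# Emit the SQL for one user. The placeholder password is never shown or kept;
# LDAP performs the real authentication for a user of the same name.
guac_user_sql() {
  username=$1
  # Refuse anything that could break out of the quoted SQL literal.
  case $username in
    ''|*[!A-Za-z0-9._@-]*) echo "refusing username: $username" >&2; return 1 ;;
  esac
  placeholder=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
  salt=$(guac_salt_hex)
  hash=$(guac_hash_hex "$placeholder" "$salt")
  cat <<EOF
INSERT INTO guacamole_entity (name, type) VALUES ('$username', 'USER');
INSERT INTO guacamole_user (entity_id, password_salt, password_hash, password_date)
SELECT entity_id, decode('$salt', 'hex'), decode('$hash', 'hex'), CURRENT_TIMESTAMP
FROM guacamole_entity WHERE name = '$username' AND type = 'USER';
EOF
}

# Usage: sh provision.sh alice bob | psql -U guacamole_user guacamole_db
for u in "$@"; do guac_user_sql "$u"; done
```

The emitted SQL targets PostgreSQL; for MySQL replace `decode(x, 'hex')` with `UNHEX(x)`, the salt-then-hash computation is the same.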