Posted to user@guacamole.apache.org by Andy Pattrick <an...@horiba.com> on 2017/07/20 10:13:23 UTC

RE: LDAP and MySQL

Hi James,

I also manage my users in LDAP, mainly so that I can enforce multi-factor authentication. It seems that to assign connections to users I have to explicitly also add them to MySQL too - they don't just 'appear' in the list. I add the user of the same name with a blank password and then assign connections (I check that I can't log in as that user with a blank password, and I can't).

It's true that if I created a user in MySQL that wasn't also in LDAP then they'd be able to log in. However, as admin I simply choose not to do that, and I think you could set up other sub-admin accounts that don't have the 'create user' permission to prevent others from doing so while still allowing them to create connections, for example.

The docker image works well but does have limitations on passing configuration in. Ideally a mechanism would exist where you could pass any property through docker, or maybe store your .properties file on a mapped docker volume, but I don't think it does at the moment. Others may know more than me on here though.

Cheers, Andy



________________________________
From: James Wilson [jameswilson@groupmail.com]
Sent: 20 July 2017 10:49
To: user@guacamole.incubator.apache.org
Subject: LDAP and MySQL

Hi,

I currently use the Guacamole Docker container and have recently set up an LDAP server for authentication on my network, which is being used by multiple services, and would also like to use the MySQL integration as well, as it makes the managing of users much nicer from the administration end. However, I require authentication to only be granted when a user is in the LDAP server. If a user exists within the MySQL authentication but not in LDAP, I do not want the user to be authenticated.

Currently it appears that the user can authenticate through either method and that doesn't achieve what I am looking for with regards to the LDAP server having the final say. Some reading through the documentation indicated that by using a parameter "mysql-user-required: true" within the guacamole.properties file, it forced users to exist in both the MySQL and LDAP repositories.

However this does not appear to work for the docker version of Guacamole as there is no mechanism currently of taking that parameter in and placing it within the guacamole.properties file as there is for the LDAP and MySQL parameters.

Has anyone else run into this issue? Are there plans to add mysql-user-required as a parameter for the docker container?

Any advice would be appreciated.

James


RE: LDAP and MySQL

Posted by Mike Jumper <mi...@guac-dev.org>.
On Jul 20, 2017 03:13, "Andy Pattrick" <an...@horiba.com> wrote:

...

The docker image works well but does have limitations on passing
configuration in. Ideally a mechanism would exist where you could pass any
property through docker, or maybe store your .properties file on a mapped
docker volume, but I don't think it does at the moment. Others may know
more than me on here though.


The mechanism you're looking for is the Docker image's "GUACAMOLE_HOME"
environment variable. By creating a base configuration, specifying it as a
volume mount when creating the container, and pointing GUACAMOLE_HOME to
the location within the container, the image's startup process will
automatically use that configuration as a template, layering its
autogenerated configuration on top of whatever you already provide.

You can use this to specify properties that are not otherwise covered by
environment variables, or to include extensions which are not part of the
image.

- Mike
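The layering Mike describes, as an added example that is not part of the thread: a base guacamole.properties carrying the mysql-user-required property James asked about is placed in a host directory, mounted into the container, and that mount point is named in GUACAMOLE_HOME. The environment variable names follow the Guacamole Docker image's documentation; the hostnames, credentials, base DN and the /guacamole-home path are made-up values.

```shell
#!/bin/sh
# Added example: layer mysql-user-required onto the Docker image via GUACAMOLE_HOME.
# Hostnames, credentials, base DN and container-side path are assumptions.
set -eu

# Write the base configuration the image's startup script uses as a template.
# Only the property the thread needs goes here; the MySQL/LDAP connection
# properties are still generated from the image's environment variables.
write_base_config() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/guacamole.properties" <<'EOF'
# Base config layered under the image's autogenerated properties.
# Users present only in MySQL (and not in LDAP) are refused a login.
mysql-user-required: true
EOF
    # Extensions or libraries not shipped with the image can sit alongside it.
    mkdir -p "$dir/extensions" "$dir/lib"
}

# Sanity check before starting: the template must carry the property we rely on.
config_requires_mysql_user() {
    grep -q '^mysql-user-required: *true' "$1/guacamole.properties"
}

# Start the container; the mounted directory becomes GUACAMOLE_HOME.
start_guacamole() {
    host_dir="$1"
    docker run --name guacamole -d \
        -e GUACAMOLE_HOME=/guacamole-home \
        -v "$host_dir":/guacamole-home \
        -e GUACD_HOSTNAME=guacd \
        -e MYSQL_HOSTNAME=mysql -e MYSQL_DATABASE=guacamole_db \
        -e MYSQL_USER=guacamole_user -e MYSQL_PASSWORD="$MYSQL_PASSWORD" \
        -e LDAP_HOSTNAME=ldap.example.com \
        -e LDAP_USER_BASE_DN="ou=people,dc=example,dc=com" \
        -p 8080:8080 guacamole/guacamole
}

# Invoke as "sh this.sh run" with MYSQL_PASSWORD set to actually start it.
if [ "${1:-}" = "run" ]; then
    write_base_config /srv/guacamole
    config_requires_mysql_user /srv/guacamole
    start_guacamole /srv/guacamole
fi
```

After startup, confirm the layering worked by attempting to log in as an account that exists only in MySQL; with the property in effect that login is rejected.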