Posted to user@guacamole.apache.org by Marko Cupać <ma...@mimar.rs> on 2018/07/18 12:52:48 UTC

LDAP/AD groups by means of memberOf

Hi,

I would like to implement Guacamole and integrate it with Active
Directory, but I'm not comfortable with the idea of schema modification.

From my point of view, a better approach would be to be able to create an AD
group for every destination server, so that every member of the mentioned
group gets access to the corresponding server through Guacamole. The hostname
could be read, for example, from the group's description field, and the
protocol from an extension attribute.

Any chance Guacamole's LDAP integration will also support this kind of
setup in the future?

Thank you in advance,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

RE: LDAP/AD groups by means of memberOf

Posted by "Duarte, Alexander A" <al...@udel.edu>.
Marko,

In my opinion the schema modification was made extremely easy by the included scripts.

I had no issues with my implementation. I used 389-DS for my LDAP solution.

We have done what you mentioned below, which is having a group for each independent server, and we give people access simply by adding them to the group. It works wonders! I cannot speak for the guac developers; however, I doubt that what you would like below will be implemented, as there are a lot of other attributes that you can set for each connection.

Regards,
 
Alex

-----Original Message-----
From: Marko Cupać <ma...@mimar.rs> 
Sent: Wednesday, July 18, 2018 8:53 AM
To: user@guacamole.apache.org
Subject: LDAP/AD groups by means of memberOf

Hi,

I would like to implement Guacamole and integrate it with Active Directory, but I'm not comfortable with the idea of schema modification.

From my point of view, a better approach would be to be able to create an AD group for every destination server, so that every member of the mentioned group gets access to the corresponding server through Guacamole. The hostname could be read, for example, from the group's description field, and the protocol from an extension attribute.

Any chance Guacamole's LDAP integration will also support this kind of setup in the future?

Thank you in advance,

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

Re: LDAP/AD groups by means of memberOf

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Jul 18, 2018 at 8:52 AM Marko Cupać <ma...@mimar.rs> wrote:

> Hi,
>
> I would like to implement Guacamole and integrate it with Active
> Directory, but I'm not comfortable with the idea of schema modification.
>
> From my point of view, a better approach would be to be able to create an AD
> group for every destination server, so that every member of the mentioned
> group gets access to the corresponding server through Guacamole. The hostname
> could be read, for example, from the group's description field, and the
> protocol from an extension attribute.
>
> Any chance Guacamole's LDAP integration will also support this kind of
> setup in the future?
>
>
Guacamole definitely does not support this today.  You're welcome to look
through JIRA and see if someone has already requested this feature -
basically, what you're asking for is the ability to customize what objects
the Guacamole LDAP extension looks at to determine connections.  If a JIRA
issue doesn't exist for it, you can create one:

https://issues.apache.org/jira/projects/GUACAMOLE

The schema modifications are pretty minimal - you'll see this if you look
at the actual schema file: it's basically a single objectClass that gets
added, with no modifications to any of the existing objects, and then some
attributes for that objectClass type.

-Nick
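
The group-per-server layout discussed in this thread, as an added example that is not from any of the posters or from the Guacamole project: a small access review that reads an LDIF export and lists which users can reach which host. The names guacConfigGroup, guacConfigProtocol and guacConfigParameter are taken from Guacamole's LDAP schema rather than from this thread, and all DNs, hosts and users are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample export: one group per destination server, plus an
# ordinary group that must not be counted as a Guacamole connection.
SAMPLE_LDIF = """\
dn: cn=web01-rdp,ou=guac,dc=example,dc=net
objectClass: guacConfigGroup
guacConfigProtocol: rdp
guacConfigParameter: hostname=web01.example.net
member: cn=alice,ou=people,dc=example,dc=net
member: cn=bob,ou=people,dc=example,dc=net

dn: cn=db01-ssh,ou=guac,dc=example,dc=net
objectClass: guacConfigGroup
guacConfigProtocol: ssh
guacConfigParameter: hostname=db01.example.net
member: cn=alice,ou=people,dc=example,dc=net

dn: cn=staff,ou=groups,dc=example,dc=net
objectClass: groupOfNames
member: cn=carol,ou=people,dc=example,dc=net
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into attr -> values dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(": ")
                entry[attr.lower()].append(value)
        entries.append(entry)
    return entries

def access_map(entries):
    """Map each member DN to the sorted (protocol, hostname) pairs it can reach."""
    access = defaultdict(set)
    for e in entries:
        if "guacconfiggroup" not in [v.lower() for v in e["objectclass"]]:
            continue  # ordinary groups grant no Guacamole connection
        # Each guacConfigParameter value is "name=value"; keep name and value.
        params = dict(p.partition("=")[::2] for p in e["guacconfigparameter"])
        target = (e["guacconfigprotocol"][0], params.get("hostname", "?"))
        for dn in e["member"]:
            access[dn].add(target)
    return {dn: sorted(targets) for dn, targets in access.items()}
```

Calling `access_map(parse_ldif(SAMPLE_LDIF))` gives a per-user list of reachable servers that can be compared against the intended access list.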