Posted to user@guacamole.apache.org by Pablo Uribe Bastero <pa...@arin-innovation.com> on 2020/01/17 11:04:57 UTC

LDAP groups

Hi,

I have noticed a problem while syncing our LDAP and I don't know if it is a misconfiguration or a bug. I have been able to synchronize the user and groups from the Microsoft Active Directory, but the users that belong to a group it is not shown on Guacamole. Do you know what it could be?

Thanks,
Pablo
Pablo Uribe
Systems Engineer

Office +34 946 404 714
Torre BEC - Ronda de Azkue, 1, 48902 - Barakaldo


Re: LDAP groups

Posted by Mike Jumper <mj...@apache.org>.
On Tue, Jan 21, 2020 at 12:21 AM Pablo Uribe Bastero <
pablo.uribe@arin-innovation.com> wrote:

> Hi Mike,
>
>
>
> I am sad ☹
>
>
Don't be. There are plenty of reasons to be happy.


> That feature would be awesome for our installation. Would it be possible to
> do it changing the LDAP or the database extensions? Is this a feature that
> might be released in a far future?
>

I'm not sure whether exposing read-only group memberships within the
management interface makes sense, but if it's something that you believe is
generally needed and you can describe the reasoning behind that need,
please feel free to open a JIRA issue requesting the feature:

https://issues.apache.org/jira/browse/GUACAMOLE

- Mike

RE: LDAP groups

Posted by Pablo Uribe Bastero <pa...@arin-innovation.com>.
Hi Mike,

I am sad ☹

That feature would be awesome for our installation. Would it be possible to do it changing the LDAP or the database extensions? Is this a feature that might be released in a far future?

Thanks for your help,
Pablo

From: Mike Jumper <mj...@apache.org>
Sent: Saturday, January 18, 2020 5:14
To: user@guacamole.apache.org
Subject: Re: LDAP groups

On Fri, Jan 17, 2020 at 3:05 AM Pablo Uribe Bastero <pa...@arin-innovation.com> wrote:
Hi,

I have noticed a problem while syncing our LDAP and I don’t know if it is a misconfiguration or a bug. I have been able to synchronize the user and groups from the Microsoft Active Directory, but the users that belong to a group it is not shown on Guacamole. Do you know what it could be?

It is neither misconfiguration nor a bug - the LDAP support does not expose group memberships in the same way that the database support exposes group memberships. A user's effective memberships are queried upon login for the sake of determining permissions but are otherwise not exposed.

In general, the details of various objects within the Guacamole admin interface are only displayed when those objects can be modified, which is not the case for Guacamole's read-only LDAP support.

- Mike


Re: LDAP groups

Posted by Mike Jumper <mj...@apache.org>.
On Fri, Jan 17, 2020 at 3:05 AM Pablo Uribe Bastero <
pablo.uribe@arin-innovation.com> wrote:

> Hi,
>
>
>
> I have noticed a problem while syncing our LDAP and I don’t know if it is
> a misconfiguration or a bug. I have been able to synchronize the user and
> groups from the Microsoft Active Directory, but the users that belong to a
> group it is not shown on Guacamole. Do you know what it could be?
>

It is neither misconfiguration nor a bug - the LDAP support does not expose
group memberships in the same way that the database support exposes group
memberships. A user's effective memberships are queried upon login for the
sake of determining permissions but are otherwise not exposed.

In general, the details of various objects within the Guacamole admin
interface are only displayed when those objects can be modified, which is
not the case for Guacamole's read-only LDAP support.

- Mike