Posted to user@guacamole.apache.org by JoelB <na...@joelbest.ca> on 2019/01/18 16:58:30 UTC

Restricting access to Connections defined in MySQL using LDAP groups?

Hi all, I've managed to get Guacamole 1.0.0 working with my connections
defined in MySQL and groups defined in LDAP. However, I cannot seem to grant
access to connections based on LDAP group membership. If I assign a
connection to a group, it does not show up for users of that group when they
login unless I manually add them to the group within MySQL. 

Is it possible to limit access to MySQL-defined connections using LDAP group
membership at this time? We have 2000+ users so granting each of them access
or group membership individually is not possible.

Thanks for any advice!
-Joel



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by JoelB <na...@joelbest.ca>.
Sorry, the raw block seems to get stripped from nabble. Here's my
guacamole.properties:

# guacamole.properties - generated Thu Jan 17 14:11:39 UTC 2019
guacd-hostname: 172.17.0.3
guacd-port: 4822
mysql-hostname: 172.17.0.4
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: XXXXXXXX
ldap-hostname: example.com
ldap-user-base-dn: dc=example,dc=com
ldap-username-attribute: sAMAccountName
ldap-group-base-dn: OU=Groups,dc=example,dc=com
ldap-user-search-filter: (&(memberOf=CN=GUACAMOLE-USERS,OU=Groups,dc=example,dc=com)(sAMAccountName=*))
ldap-follow-referrals: false
ldap-search-bind-dn: CN=SOE Guacamole LDAP Bind,OU=IT Service Accounts,dc=example,dc=com
ldap-search-bind-password: XXXXXXXX




Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Jan 22, 2019 at 11:00 AM JoelB <na...@joelbest.ca> wrote:

> ek1m92 wrote
> > Correct me
> > if I'm wrong here Joel, but what I expected to work based on the
> > documentation was the following:
> >
> > 1. Create user group in MySQL with the name of a corresponding user group
> > in
> > the LDAP directory
> > 2. Create connection in MySQL
> > 3. Grant connection permission to the user group created in 1.
> > 4. LDAP users that are part of the LDAP group (in the directory) are able
> > to
> > log in with their LDAP credentials and access that connection
>
> That's correct, this is the scenario I've been working on and cannot get to
> work. I don't believe that group membership restrictions for
> LDAP-authenticated users is working correctly. From the linked JIRA issue,
> Mike says:
>
>
> > If the user is authenticated by LDAP, and you wish permissions to be
> > granted by a group defined in MySQL, what matters is that the LDAP user
> is
> > a member of an LDAP group that matches the MySQL group, not that the LDAP
> > user matches the MySQL user.
>
> From my experience so far, the only way to get group membership
> restrictions
> to work for an LDAP-authenticated user is to have them be both a member of
> the LDAP group *and* a member of a MySQL group with the same name. Not
> being
> a member of either leads to them not being able to see the connection or
> not
> being able to connect to it.
>

Thanks for the clarification.  I suspect that there are some interrelated
issues here that need to be collectively addressed, either bugs for things
not working properly, or nuances of how the implementation is done that
could be changed or at least clarified.

-Nick

Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by JoelB <na...@joelbest.ca>.
ek1m92 wrote
> Correct me
> if I'm wrong here Joel, but what I expected to work based on the
> documentation was the following:
> 
> 1. Create user group in MySQL with the name of a corresponding user group
> in
> the LDAP directory
> 2. Create connection in MySQL
> 3. Grant connection permission to the user group created in 1.
> 4. LDAP users that are part of the LDAP group (in the directory) are able
> to
> log in with their LDAP credentials and access that connection

That's correct, this is the scenario I've been working on and cannot get to
work. I don't believe that group membership restrictions for
LDAP-authenticated users is working correctly. From the linked JIRA issue,
Mike says:


> If the user is authenticated by LDAP, and you wish permissions to be
> granted by a group defined in MySQL, what matters is that the LDAP user is
> a member of an LDAP group that matches the MySQL group, not that the LDAP
> user matches the MySQL user.

From my experience so far, the only way to get group membership restrictions
to work for an LDAP-authenticated user is to have them be both a member of
the LDAP group *and* a member of a MySQL group with the same name. Not being
a member of either leads to them not being able to see the connection or not
being able to connect to it.

Thanks,
-Joel





Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by ek1m92 <ek...@posteo.de>.
vnick wrote
> I think it's probably already covered under this issue:
> 
> https://issues.apache.org/jira/browse/GUACAMOLE-696

How so? You explicitly confirmed earlier that it should be possible to limit
access to MySQL-defined connections using LDAP group membership. If that's
the case, how is it supposed to be accomplished?

If I understand correctly, the issue refers to a scenario where someone is
trying to grant connection access to an LDAP authenticated user by means of
a user group that is only present in the MySQL database with no affiliation
to an LDAP group. That's not what JoelB and I are trying to do. Correct me
if I'm wrong here Joel, but what I expected to work based on the
documentation was the following:

1. Create user group in MySQL with the name of a corresponding user group in
the LDAP directory
2. Create connection in MySQL
3. Grant connection permission to the user group created in 1.
4. LDAP users that are part of the LDAP group (in the directory) are able to
log in with their LDAP credentials and access that connection

This does not work for me. As I have pointed out, I have tried out the
scenarios described here
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/ldap-groups-in-1-0-0-RC1-tp4403p4496.html>
in my efforts to pinpoint the problem or rather just understand whether I
should expect this to work in the first place.




Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Jan 22, 2019 at 8:24 AM ek1m92 <ek...@posteo.de> wrote:

> JoelB wrote
> > I'm now working on scripting an AD-to-MySQL synchronization tool.
>
> We've been using a custom tool for this internally for the last couple of
> months to be able to manage connection permissions on a group level. We
> were
> hoping to be able to ditch that in favor of official LDAP group support but
> it looks like I'll be updating our tool to support the new database
> structure instead...
> I'll open an issue for this. At first I wasn't sure whether this was a
> problem with our specific setup so I took to the mailing list but it looks
> like we're not alone.
>
>
I think it's probably already covered under this issue:

https://issues.apache.org/jira/browse/GUACAMOLE-696

-Nick

Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Jan 24, 2019 at 10:21 AM ek1m92 <ek...@posteo.de> wrote:

> JoelB wrote
> > Thanks, let me know when you've filed an issue and I'll add my experience
> > if
> > there is any difference.
>
> As this seems to be something that has to be investigated further, I have
> created an  issue here <
> https://issues.apache.org/jira/browse/GUACAMOLE-715>
> . Feel free to add to it.
>
>
>
Thanks.  I've associated it with the other JIRA issue, because I do believe
they're related, and I agree that we need to look at how it's functioning,
make sure it is as intended, and either fix or clarify expectations (or a
combination of both).

-Nick

Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by ek1m92 <ek...@posteo.de>.
JoelB wrote
> Thanks, let me know when you've filed an issue and I'll add my experience
> if
> there is any difference. 

As this seems to be something that has to be investigated further, I have
created an  issue here <https://issues.apache.org/jira/browse/GUACAMOLE-715> 
. Feel free to add to it.





Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by JoelB <na...@joelbest.ca>.
Thanks, let me know when you've filed an issue and I'll add my experience if
there is any difference. 

Interestingly in developing my tool I've found that if LDAP group support is
configured, users have to be a member of BOTH the MySQL group and the LDAP
group in order to see the connections. It's not sufficient for them to only
be a member of a MySQL group that has permissions, even if that group has no
LDAP equivalent. Apparently Guacamole is in fact checking for LDAP group
membership, but only denies access based on non-membership and doesn't grant
access based on actually being a member.

Thanks for your help,
-Joel




Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by ek1m92 <ek...@posteo.de>.
JoelB wrote
> I'm now working on scripting an AD-to-MySQL synchronization tool.

We've been using a custom tool for this internally for the last couple of
months to be able to manage connection permissions on a group level. We were
hoping to be able to ditch that in favor of official LDAP group support but
it looks like I'll be updating our tool to support the new database
structure instead...
I'll open an issue for this. At first I wasn't sure whether this was a
problem with our specific setup so I took to the mailing list but it looks
like we're not alone.




Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by JoelB <na...@joelbest.ca>.
ek1m92 wrote
> Are you sure that establishing a connection actually works after creating
> a
> JDBC user? I'm running into LDAP group related issues as well and for me,
> creating a JDBC user makes the connections show up for that user, but
> trying
> to connect leads to an error. I have already described  the scenarios I
> have
> tried so far
> <http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/ldap-groups-in-1-0-0-RC1-tp4403p4496.html>

You're right -- the connections fail with a permission error if they aren't
a member of the MySQL group. I'm now working on scripting an AD-to-MySQL
synchronization tool. I've been trying to get Guacamole working for months
and at this point I'm just hoping to get something to my users.

-Joel




Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by ek1m92 <ek...@posteo.de>.
JoelB wrote
> vnick wrote
> I've created a matching group in the JDBC extension but it still doesn't
> work unless there is a matching JDBC user. 

Are you sure that establishing a connection actually works after creating a
JDBC user? I'm running into LDAP group related issues as well and for me,
creating a JDBC user makes the connections show up for that user, but trying
to connect leads to an error. I have already described the scenarios I have
tried so far
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/ldap-groups-in-1-0-0-RC1-tp4403p4496.html>.





Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by JoelB <na...@joelbest.ca>.
vnick wrote
> I believe the other way around this would be to create a matching group in
> the JDBC extension and assign the permissions that way.  In any case it
> sounds like the same issue mentioned in the previously-referenced JIRA
> issue, and it's probably something we'll tweak in a future version.

I've created a matching group in the JDBC extension but it still doesn't
work unless there is a matching JDBC user. We have 2000+ possible users so
creating each of them an account in the console manually isn't feasible.

Is there any way to either have Guacamole automatically create a JDBC user
account upon successful login? Alternatively, what would be the best way to
script the creation of 2000 users?

Thanks again,
-Joel
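One way to script the bulk provisioning asked about above, as an added example that is not part of this thread and not Guacamole project code. It takes a snapshot of LDAP group membership (here a constructed in-memory sample, standing in for the result of an LDAP query for the `member` attribute of each group under `ldap-group-base-dn`) and emits idempotent SQL that creates the JDBC entity, user, group and membership rows, and revokes memberships the directory no longer has. Table and column names are assumed to match the 1.0.0 MySQL schema shipped with the JDBC extension (`guacamole_entity`, `guacamole_user`, `guacamole_user_group`, `guacamole_user_group_member`); check them against your schema files before running the output. Connection permissions are not synced: they are still granted to the group in the admin UI.

```python
"""Emit idempotent SQL that mirrors LDAP group membership into the
Guacamole JDBC (MySQL) schema, so LDAP-authenticated users get the JDBC
account and group-membership rows the thread found necessary.

Added example, not Guacamole project code. Table/column names are an
assumption based on the 1.0.0 MySQL schema; verify before applying.
"""
import re
import secrets
from typing import Callable, Dict, List

# Constructed sample input (not real directory data): group DNs under
# ldap-group-base-dn mapped to the sAMAccountName of each member.
SAMPLE_LDAP_GROUPS: Dict[str, List[str]] = {
    "CN=GUACAMOLE-USERS,OU=Groups,dc=example,dc=com": ["alice", "bob"],
    "CN=GUACAMOLE-ADMINS,OU=Groups,dc=example,dc=com": ["alice"],
}

# Names come from the directory and end up inside SQL text: whitelist them.
_NAME_OK = re.compile(r"^[A-Za-z0-9._\-@ ]{1,128}$")


def is_safe_name(value: str) -> bool:
    """True only for names that contain nothing SQL-significant."""
    return bool(_NAME_OK.match(value))


def sql_str(value: str) -> str:
    """Validate, then quote. A crafted directory entry must never be able to
    inject statements into the generated script."""
    if not is_safe_name(value):
        raise ValueError(f"refusing to emit unsafe name: {value!r}")
    return "'" + value.replace("'", "''") + "'"


def group_name_from_dn(dn: str) -> str:
    """Guacamole matches an LDAP group to a JDBC group by name, i.e. the CN
    of the group DN (CN=GUACAMOLE-USERS,... -> GUACAMOLE-USERS)."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    if attr.strip().upper() != "CN" or not value:
        raise ValueError(f"unexpected group DN: {dn!r}")
    return value


def build_sync_sql(ldap_groups: Dict[str, List[str]],
                   rand: Callable[[int], bytes] = secrets.token_bytes) -> List[str]:
    """Return SQL statements that are safe to re-run on every sync."""
    stmts: List[str] = []
    groups = {group_name_from_dn(dn): sorted(set(m)) for dn, m in ldap_groups.items()}
    users = sorted({u for members in groups.values() for u in members})

    for u in users:
        name = sql_str(u)
        stmts.append(
            "INSERT INTO guacamole_entity (name, type) "
            f"SELECT {name}, 'USER' FROM DUAL WHERE NOT EXISTS "
            f"(SELECT 1 FROM guacamole_entity WHERE name = {name} AND type = 'USER');")
        # Random hash and salt with no known preimage: the JDBC extension also
        # authenticates, so a synced account must not carry a usable password
        # that would let someone log in through MySQL and bypass LDAP.
        pw_hash, pw_salt = rand(32).hex(), rand(32).hex()
        stmts.append(
            "INSERT INTO guacamole_user (entity_id, password_hash, password_salt, password_date) "
            f"SELECT e.entity_id, UNHEX('{pw_hash}'), UNHEX('{pw_salt}'), NOW() "
            f"FROM guacamole_entity e WHERE e.name = {name} AND e.type = 'USER' "
            "AND NOT EXISTS (SELECT 1 FROM guacamole_user u WHERE u.entity_id = e.entity_id);")

    for g, members in sorted(groups.items()):
        gname = sql_str(g)
        stmts.append(
            "INSERT INTO guacamole_entity (name, type) "
            f"SELECT {gname}, 'USER_GROUP' FROM DUAL WHERE NOT EXISTS "
            f"(SELECT 1 FROM guacamole_entity WHERE name = {gname} AND type = 'USER_GROUP');")
        stmts.append(
            "INSERT INTO guacamole_user_group (entity_id) "
            f"SELECT e.entity_id FROM guacamole_entity e WHERE e.name = {gname} AND e.type = 'USER_GROUP' "
            "AND NOT EXISTS (SELECT 1 FROM guacamole_user_group g WHERE g.entity_id = e.entity_id);")
        for u in members:
            stmts.append(
                "INSERT INTO guacamole_user_group_member (user_group_id, member_entity_id) "
                "SELECT g.user_group_id, m.entity_id FROM guacamole_user_group g "
                "JOIN guacamole_entity ge ON ge.entity_id = g.entity_id "
                f"JOIN guacamole_entity m ON m.name = {sql_str(u)} AND m.type = 'USER' "
                f"WHERE ge.name = {gname} AND ge.type = 'USER_GROUP' "
                "AND NOT EXISTS (SELECT 1 FROM guacamole_user_group_member x "
                "WHERE x.user_group_id = g.user_group_id AND x.member_entity_id = m.entity_id);")
        # Revocation: drop user memberships the directory no longer has, so
        # removing someone from the LDAP group actually removes their access.
        keep = ", ".join(sql_str(u) for u in members) or "''"
        stmts.append(
            "DELETE x FROM guacamole_user_group_member x "
            "JOIN guacamole_user_group g ON g.user_group_id = x.user_group_id "
            "JOIN guacamole_entity ge ON ge.entity_id = g.entity_id "
            "JOIN guacamole_entity m ON m.entity_id = x.member_entity_id "
            f"WHERE ge.name = {gname} AND ge.type = 'USER_GROUP' AND m.type = 'USER' "
            f"AND m.name NOT IN ({keep});")
    return stmts


if __name__ == "__main__":
    print("\n".join(build_sync_sql(SAMPLE_LDAP_GROUPS)))
```

Pipe the output into `mysql guacamole_db` from a scheduled job and wrap it in a transaction. The revocation step is the part most sync scripts forget: without it, a user pulled out of the LDAP group keeps the MySQL membership, and with it the connection permissions, until someone cleans up by hand.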





Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Jan 21, 2019 at 1:09 PM JoelB <na...@joelbest.ca> wrote:

>
> So, it appears that Guacamole only checks the LDAP group membership if the
> authenticated user has a JDBC account defined. Is there any way around this
> so that all LDAP users have their group membership checked?
>

I believe the other way around this would be to create a matching group in
the JDBC extension and assign the permissions that way.  In any case it
sounds like the same issue mentioned in the previously-referenced JIRA
issue, and it's probably something we'll tweak in a future version.

-Nick

Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by JoelB <na...@joelbest.ca>.
JoelB wrote
> If I then create the group in the JDBC extension and add the LDAP user
> manually to that group, the connection will appear for that user. I don't
> feel this step should be necessary -- it should query the LDAP group
> membership on login and determine that the authenticated user is a member
> of
> the LDAP group and show all connections assigned to that group.

After further testing, it appears the user just needs to have an account
created under the JDBC extension for the LDAP group checking to work. If an
LDAP user authenticates for the first time, they will not see the connection
even if they are a member of the correct group. If I open their account in
the "Users" section of the console, edit any attribute (e.g. Full Name) and
save, the next time they login they will see the connections their LDAP
group memberships entitle them to.

So, it appears that Guacamole only checks the LDAP group membership if the
authenticated user has a JDBC account defined. Is there any way around this
so that all LDAP users have their group membership checked?

Thanks again,
-Joel





Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by JoelB <na...@joelbest.ca>.
vnick wrote
> So, just to clarify, you have a LDAPUser, who is part of LDAPGroup inside
> your LDAP Directory, and you create LDAPGroup in the JDBC extension and
> assign permissions to LDAPGroup to access connections?  

I don't need to create the group in the JDBC extension. I can see all my
LDAP groups in the "Groups" section of the UI and can open up an LDAP group
and grant it permissions to use a connection. However if I only do these
steps, the connection does not appear for authenticated LDAP users who are
members of the target LDAP group.

If I then create the group in the JDBC extension and add the LDAP user
manually to that group, the connection will appear for that user. I don't
feel this step should be necessary -- it should query the LDAP group
membership on login and determine that the authenticated user is a member of
the LDAP group and show all connections assigned to that group.


vnick wrote
> In your guacamole.properties file do you have ldap-group-base-dn
> specified?  
> You'll need this property enabled in order for the LDAP extension to
> actually
> enumerate groups within your LDAP directory - otherwise it will not look
> for user groups at all.

Yes, this is configured and I can enumerate all LDAP groups in the admin
console when logged in with an admin user that is also defined in LDAP.


vnick wrote
> Yes, this should work.  There is a JIRA issue out there that deals with a
> slightly nuanced version of this scenario, so I want to make sure I
> understand what you're trying to do that isn't appearing to work.  Here's
> the JIRA issue:
> 
> https://issues.apache.org/jira/browse/GUACAMOLE-696
> 
> In that issue, the matching user account in JDBC is being assigned to a
> JDBC group, and the permissions are not being passed through because the
> user is authenticated with LDAP and not with JDBC.

I don't think it is the same issue. The user in my case is authenticated
through LDAP and is assigned to the group in LDAP. From reading that issue,
it sounds like the opposite: they want MySQL group membership to allow
access to connections for LDAP-authenticated users. This is currently the
only way I can get it to work and would prefer to have all-LDAP permissions
but have the connections defined in MySQL so I can use concurrency limits.

Thanks for your help!
-Joel

P.S. here's my guacamole.properties just in case it helps:






Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by ghelmut <he...@web.de>.
Hi,

sadly, same for me. LDAP group names that match MySQL group names don't do
anything. Here is my configuration...

MySQL

> local user: guacadmin (no other user)
> connection: testconnection
> local group: Guacamole (testconnection added)

LDAP (Samba AD)

> ldap user: CN=Alice Wonderland,CN=Users,DC=example,DC=com
> ldap group: CN=Guacamole,CN=Users,DC=example,DC=com

Alice was added to Guacamole Group:

> Command: samba-tool group listmembers Guacamole
> Output: alice

This means:

> CN=Guacamole,CN=Users,DC=example,DC=com
>  -> member: CN=Alice Wonderland,CN=Users,DC=example,DC=com

This also means:

> CN=Alice Wonderland,CN=Users,DC=example,DC=com
>  -> memberOf: CN=Guacamole,CN=Users,DC=example,DC=com

Part of relevant guacamole.properties:

> ldap-user-base-dn: CN=Users,DC=example,DC=com
> ldap-user-search-filter: (objectclass=user)
> ldap-username-attribute: sAMAccountName,mail,cn
> ldap-group-base-dn: CN=Users,DC=example,DC=com

Alice can login, doesn't matter if I use alice, alice@example.com or "Alice
Wonderland" (w/o quotes). Login is fine. But Alice doesn't see
"testconnection". Now I wonder what I have done wrong? Maybe the manual
should explain a bit more what Guacamole really expects.

Thank you,

Helmut





Re: Restricting access to Connections defined in MySQL using LDAP groups?

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Jan 18, 2019 at 11:58 AM JoelB <na...@joelbest.ca> wrote:

> Hi all, I've managed to get Guacamole 1.0.0 working with my connections
> defined in MySQL and groups defined in LDAP. However, I cannot seem to
> grant
> access to connections based on LDAP group membership. If I assign a
> connection to a group, it does not show up for users of that group when
> they
> login unless I manually add them to the group within MySQL.
>

So, just to clarify, you have a LDAPUser, who is part of LDAPGroup inside
your LDAP Directory, and you create LDAPGroup in the JDBC extension and
assign permissions to LDAPGroup to access connections?  In your
guacamole.properties file do you have ldap-group-base-dn specified?  You'll
need this property enabled in order for the LDAP extension to actually
enumerate groups within your LDAP directory - otherwise it will not look
for user groups at all.


>
> Is it possible to limit access to MySQL-defined connections using LDAP
> group
> membership at this time? We have 2000+ users so granting each of them
> access
> or group membership individually is not possible.
>

Yes, this should work.  There is a JIRA issue out there that deals with a
slightly nuanced version of this scenario, so I want to make sure I
understand what you're trying to do that isn't appearing to work.  Here's
the JIRA issue:

https://issues.apache.org/jira/browse/GUACAMOLE-696

In that issue, the matching user account in JDBC is being assigned to a
JDBC group, and the permissions are not being passed through because the
user is authenticated with LDAP and not with JDBC.

-Nick