Posted to user@guacamole.apache.org by Carter Sema <CS...@acschools.org> on 2017/10/17 18:14:57 UTC

Guacamole ldap-group-base-dn

I read the following article https://issues.apache.org/jira/browse/GUACAMOLE-12 when I was looking for how to assign connections to LDAP users. From the article it sounds like I can use AD Security Groups? Is this possible without updating my Schema? Updating my Schema is off the table for options. So I'm looking for the 2nd best without needing to import a ton of users into the guac sql database.

Anyone have suggestions or solutions that they have implemented?

Thanks!

Carter Sema
Network Support Specialist
CSema@acschools.org


Re: Guacamole ldap-group-base-dn

Posted by Erik Berndt <er...@superiorpaving.net>.
Whoops, guess I missed that part in the op. Nevermind!

On Tuesday, October 17, 2017, Nick Couchman <vn...@apache.org> wrote:
> On Tue, Oct 17, 2017 at 2:37 PM, Erik Berndt <erikberndt@superiorpaving.net> wrote:
>>
>> Carter,
>> This should be possible without any schema change. We use an AD Security
>> Group to restrict which users are permitted to access the RD Server
>> (regardless of the protocol). Within guacamole.properties you can use the
>> ldap-user-search-filter to restrict which users are able to log in through
>> Guacamole.
>> For example, we use the Root OU as the ldap-user-base-dn (which afaik
>> has to be the root OU). Then have the following ldap-user-search-filter in
>> place:
>> ldap-user-search-filter:
>> (memberOf=CN=<ADSECURITYGROUP>,OU=<GROUP>,OU=<ORGANIZATIONALUNIT>,DC=<DOMAIN>,DC=<DOMAINSUFFIX>)
>
> This does, indeed, allow you to restrict who can log into Guacamole, but
> does not let you assign individual connections to certain users or groups
> of users.
> -Nick
>

-- 
Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net

Re: Guacamole ldap-group-base-dn

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Oct 17, 2017 at 2:37 PM, Erik Berndt <er...@superiorpaving.net>
wrote:

> Carter,
>
> This should be possible without any schema change. We use an AD Security
> Group to restrict which users are permitted to access the RD Server
> (regardless of the protocol). Within guacamole.properties you can use the
> ldap-user-search-filter to restrict which users are able to log in through
> Guacamole.
>
> For example, we use the Root OU as the ldap-user-base-dn (which afaik has
> to be the root OU). Then have the following ldap-user-search-filter in place:
>
> ldap-user-search-filter:
> (memberOf=CN=<ADSECURITYGROUP>,OU=<GROUP>,OU=<ORGANIZATIONALUNIT>,DC=<DOMAIN>,DC=<DOMAINSUFFIX>)
>

This does, indeed, allow you to restrict who can log into Guacamole, but
does not let you assign individual connections to certain users or groups
of users.

-Nick

Re: Guacamole ldap-group-base-dn

Posted by Erik Berndt <er...@superiorpaving.net>.
Carter,

This should be possible without any schema change. We use an AD Security
Group to restrict which users are permitted to access the RD Server
(regardless of the protocol). Within guacamole.properties you can use the
ldap-user-search-filter to restrict which users are able to log in through
Guacamole.

For example, we use the Root OU as the ldap-user-base-dn (which afaik has
to be the root OU). Then have the following ldap-user-search-filter in place:

ldap-user-search-filter:
(memberOf=CN=<ADSECURITYGROUP>,OU=<GROUP>,OU=<ORGANIZATIONALUNIT>,DC=<DOMAIN>,DC=<DOMAINSUFFIX>)


Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net

On Tue, Oct 17, 2017 at 2:14 PM, Carter Sema <CS...@acschools.org> wrote:

> I read the following article
> https://issues.apache.org/jira/browse/GUACAMOLE-12 when I was looking for
> how to assign connections to LDAP users. From the article it sounds like I
> can use AD Security Groups? Is this possible without updating my Schema?
> Updating my Schema is off the table for options. So I'm looking for the
> 2nd best without needing to import a ton of users into the guac sql
> database.
>
> Anyone have suggestions or solutions that they have implemented?
>
> Thanks!
>
> Carter Sema
> Network Support Specialist
> CSema@acschools.org

Re: Guacamole ldap-group-base-dn

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Oct 17, 2017 at 3:04 PM, Carter Sema <CS...@acschools.org> wrote:

> Is it possible to use already existing AD fields that LDAP reads? Or does
> it only read the Guacamole AD Fields from its schema modification? Can
> guacamole read any AD Group from the App at all? Can’t the Security group
> that controls login hold some kind of connection data?
>
> (using ad security groups to control login is amazing, love that feature)
>
>
>
> I had just tested doing it the way you suggested, and it works, just means
> I have to load users individually or script an import. Has anyone used a
> GUI SQL tool such as Oracle SQL Developer or RazorSQL to pull data from the
> guacamole SQL tables and modify?
>

The way the module is currently implemented, if you want to store the
actual connection information in LDAP, you need to modify the schema.
There is no way (currently) to configure what LDAP attributes the extension
looks at to get things like connection name, parameters, etc.

The LDAP module can read users and groups without any schema modification;
however, unless you're storing the connections themselves in LDAP, there's
no way to map those LDAP groups, in particular, to connections.  Guacamole
doesn't support groups internally at the moment, so the only way the LDAP
groups work is because it's using LDAP searches to limit the results it
gets back.  So, for this to work, everything has to be in LDAP.

There's a JIRA issue out there to add group support to Guacamole, so
hopefully this will change in the future, and maybe there will be some
mapping for groups between the LDAP module and the JDBC module, depending
on how that's implemented, but that remains to be seen.

You should definitely be able to use scripts or a graphical tool to
manipulate the Guacamole DB directly, or write an external script/tool to
automate that.

-Nick

RE: Guacamole ldap-group-base-dn

Posted by Carter Sema <CS...@acschools.org>.
Is it possible to use already existing AD fields that LDAP reads? Or does it only read the Guacamole AD Fields from its schema modification? Can guacamole read any AD Group from the App at all? Can’t the Security group that controls login hold some kind of connection data?
(using ad security groups to control login is amazing, love that feature)

I had just tested doing it the way you suggested, and it works, just means I have to load users individually or script an import. Has anyone used a GUI SQL tool such as Oracle SQL Developer or RazorSQL to pull data from the guacamole SQL tables and modify?

Thanks!
Carter Sema
Network Support Specialist
CSema@acschools.org

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Tuesday, October 17, 2017 2:27 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Guacamole ldap-group-base-dn

On Tue, Oct 17, 2017 at 2:14 PM, Carter Sema <CS...@acschools.org> wrote:
I read the following article https://issues.apache.org/jira/browse/GUACAMOLE-12 when I was looking for how to assign connections to LDAP users. From the article it sounds like I can use AD Security Groups? Is this possible without updating my Schema? Updating my Schema is off the table for options. So I'm looking for the 2nd best without needing to import a ton of users into the guac sql database.


Using that method requires that you store the connection information inside LDAP, which requires schema modifications.

If you stack authentication modules, like JDBC and LDAP, you can have users log in with LDAP, make sure those same users are created in JDBC, and then assign the permissions to the user accounts objects in the JDBC module.  As long as the LDAP and JDBC usernames match, this will map through.

-Nick


Re: Guacamole ldap-group-base-dn

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Oct 17, 2017 at 2:14 PM, Carter Sema <CS...@acschools.org> wrote:

> I read the following article
> https://issues.apache.org/jira/browse/GUACAMOLE-12 when I was looking for
> how to assign connections to LDAP users. From the article it sounds like I
> can use AD Security Groups? Is this possible without updating my Schema?
> Updating my Schema is off the table for options. So I'm looking for the
> 2nd best without needing to import a ton of users into the guac sql
> database.
>

Using that method requires that you store the connection information inside
LDAP, which requires schema modifications.

If you stack authentication modules, like JDBC and LDAP, you can have users
log in with LDAP, make sure those same users are created in JDBC, and then
assign the permissions to the user accounts objects in the JDBC module.  As
long as the LDAP and JDBC usernames match, this will map through.

-Nick
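
The two pieces of this thread that someone actually has to build, Erik's memberOf search filter and Nick's stacked LDAP+JDBC arrangement with matching usernames (plus the "script an import" idea from Nick's earlier reply), worked through as an added example. This is not code from the Guacamole project or from anyone on this thread. The group DN, connection name and member names are constructed sample data standing in for what an LDAP search with that filter returns, and the guacamole_user / guacamole_connection / guacamole_connection_permission column names are assumed to be those of the 0.9.x MySQL schema; check them against the schema file shipped with your own version before running the output. The script escapes the group DN per RFC 4515 so a CN containing parentheses or an asterisk still yields a valid filter, and it gives every JDBC user a random password that is thrown away, so the JDBC row carries permissions but cannot be logged into except through the LDAP module.

```python
"""Added example (not Guacamole project code): build an RFC 4515-safe
ldap-user-search-filter for an AD security group, and emit the MySQL
statements that create a matching JDBC-module user for each group
member and grant it a connection.

Assumed: 0.9.x MySQL schema column names (verify against your own
schema file). All names and DNs below are constructed sample data.
"""
import hashlib
import secrets

# RFC 4515 section 3: these characters must be escaped inside a filter
# assertion value. A group CN such as "Guac Users (RDP)" would otherwise
# produce a filter with unbalanced parentheses.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

_JDBC_PERMISSIONS = {"READ", "UPDATE", "DELETE", "ADMINISTER"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn: str) -> str:
    """The ldap-user-search-filter value admitting only direct members of
    group_dn (memberOf is not expanded through nested groups)."""
    return "(memberOf=" + escape_filter_value(group_dn) + ")"


def sql_string(value: str) -> str:
    """Quote a value as a MySQL string literal (backslash-escaping mode).
    AD sAMAccountName may legally contain an apostrophe, so this is not
    optional even for directory data you consider trusted."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def guac_password_hash(password: str, salt: bytes) -> bytes:
    """Reproduce the schema's UNHEX(SHA2(CONCAT(password, HEX(salt)), 256)).
    MySQL HEX() emits uppercase, so the Python side must as well."""
    return hashlib.sha256((password + salt.hex().upper()).encode("utf-8")).digest()


def provision_statements(members, connection_name, permission="READ"):
    """Return MySQL statements creating a JDBC user per LDAP member and
    granting `permission` on the connection named connection_name.

    Each user gets a random password that is discarded, so the row exists
    only to carry permissions: the only way to log in as that user is via
    the LDAP module. INSERT IGNORE keeps reruns idempotent (username is
    UNIQUE; the permission table's key is (user_id, connection_id,
    permission)). connection_name is only unique per parent group, so a
    duplicated name in two groups would grant both.
    """
    if permission not in _JDBC_PERMISSIONS:
        raise ValueError(f"unknown permission {permission!r}")
    statements = []
    for username in members:
        salt = secrets.token_bytes(32)
        digest = guac_password_hash(secrets.token_urlsafe(32), salt)
        statements.append(
            "INSERT IGNORE INTO guacamole_user "
            "(username, password_hash, password_salt, password_date) VALUES ("
            f"{sql_string(username)}, UNHEX('{digest.hex()}'), "
            f"UNHEX('{salt.hex()}'), NOW());"
        )
        statements.append(
            "INSERT IGNORE INTO guacamole_connection_permission "
            "(user_id, connection_id, permission) "
            f"SELECT u.user_id, c.connection_id, {sql_string(permission)} "
            "FROM guacamole_user u JOIN guacamole_connection c "
            f"ON c.connection_name = {sql_string(connection_name)} "
            f"WHERE u.username = {sql_string(username)};"
        )
    return statements


# Constructed sample data: a hypothetical group DN and the sAMAccountName
# values an LDAP search using member_of_filter(GROUP_DN) might return.
GROUP_DN = "CN=Guac Users (RDP),OU=Groups,OU=Corp,DC=example,DC=com"
SAMPLE_MEMBERS = ["jdoe", "asmith", "o'brien"]

if __name__ == "__main__":
    print("ldap-user-search-filter: " + member_of_filter(GROUP_DN))
    print()
    print("\n".join(provision_statements(SAMPLE_MEMBERS, "Finance RDP")))
```

Feed the printed filter into guacamole.properties and the statements into mysql against the guacamole database once you have read them. Because of INSERT IGNORE the script can be rerun whenever group membership changes, but users removed from the group keep their JDBC rows (and their permissions) until you clean them up separately; the search filter only stops them logging in, which, as Nick notes, is a different thing from what grants connections.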

Re: Guacamole ldap-group-base-dn

Posted by Erik Berndt <er...@superiorpaving.net>.
I should also mention we use MySQL to store user attributes. Not sure of
your specific setup.

Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net

On Tue, Oct 17, 2017 at 2:14 PM, Carter Sema <CS...@acschools.org> wrote:

> I read the following article
> https://issues.apache.org/jira/browse/GUACAMOLE-12 when I was looking for
> how to assign connections to LDAP users. From the article it sounds like I
> can use AD Security Groups? Is this possible without updating my Schema?
> Updating my Schema is off the table for options. So I'm looking for the
> 2nd best without needing to import a ton of users into the guac sql
> database.
>
> Anyone have suggestions or solutions that they have implemented?
>
> Thanks!
>
> Carter Sema
> Network Support Specialist
> CSema@acschools.org