Posted to user@guacamole.apache.org by Bastiaan van Haastrecht <b....@gmail.com> on 2016/08/02 08:33:16 UTC

LDAP and MySQL, single connection

Hello again,

I'm trying to find a solution for the following. I have my LDAP users in the
GUAC settings portal. Currently I need to go into each user and assign a
connection to the user, this is very time consuming and not automatic if a
new user should be added to the LDAP directory.

I would like to assign a connection to all existing and all new-to-come
LDAP users. Like an auto provisioning rule based on LDAP group membership
or other parameters. Is this possible?

Kind Regards,
Bastiaan van Haastrecht

RE: LDAP and MySQL, single connection

Posted by Östh Mikael <Mi...@tillvaxtanalys.se>.
Hi

The seeAlso attribute does not seem to work. I have added an AD group to that attribute on my connection in AD. But the users belonging to that group do not get the connection when logged in to Guacamole.
Single users added to member attribute works, but not groups added to seeAlso.
I have updated guacd, guacamole.war and both ldap and mysql extensions to latest GIT-versions. I am using ADS edit to edit my connections attributes.

Best Regards
Mikael Osth

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: 3 August 2016 08:35
To: user@guacamole.incubator.apache.org
Subject: Re: LDAP and MySQL, single connection

On Tue, Aug 2, 2016 at 1:33 AM, Bastiaan van Haastrecht <b....@gmail.com> wrote:
Hello again,

I'm trying to find a solution for the following. I have my LDAP users in the GUAC settings portal. Currently I need to go into each user and assign a connection to the user, this is very time consuming and not automatic if a new user should be added to the LDAP directory.

I would like to assign a connection to all existing and all new-to-come LDAP users. Like an auto provisioning rule based on LDAP group membership or other parameters. Is this possible?


With a build of Guacamole from git, yes. Support for role-based access control was added after the 0.9.9 release and prior to its acceptance into the Apache Incubator:

https://issues.apache.org/jira/browse/GUACAMOLE-12

You can add groups as members of a guacConfigGroup using the "seeAlso" attribute. Users which are members of those groups will then have access to the connections described by any associated guacConfigGroups.

- Mike


Re: LDAP and MySQL, single connection

Posted by Bastiaan van Haastrecht <b....@gmail.com>.
I'm trying to interpret your reply in steps to configure this. If I'm
correct this requires the LDAP schema to be extended? This is what we
try to avoid in order to create a solution which requires the least
amount of adjustments to the existing infrastructure. Large companies
aren't very fond of extending the schema.

Would this solution be possible, it doesn't require schema extension:
- A user logs in, all LDAP groups within a defined scope are scanned
to see if the user is 'member' of.
- All connections stored in MySQL are processed on (a to create
property) to see if there's a match with the 'member' value.
- When there's a match, this connection will be added to the connections list.

This would require LDAP users to be member of LDAP groups, and these
groups should be added to a new property on Connections defined in
MySQL database.

If the existing solution is without schema extension, forget my
suggestion, but can you explain it a little more in detail then?

Thanks!

Re: LDAP and MySQL, single connection

Posted by Mike Jumper <mi...@guac-dev.org>.
On Tue, Aug 2, 2016 at 1:33 AM, Bastiaan van Haastrecht <
b.vanhaastrecht@gmail.com> wrote:

> Hello again,
>
> I'm trying to find a solution for the following. I have my LDAP users in
> the GUAC settings portal. Currently I need to go into each user and assign
> a connection to the user, this is very time consuming and not automatic if
> a new user should be added to the LDAP directory.
>
> I would like to assign a connection to all existing and all new-to-come
> LDAP users. Like an auto provisioning rule based on LDAP group membership
> or other parameters. Is this possible?
>
>
With a build of Guacamole from git, yes. Support for role-based access
control was added after the 0.9.9 release and prior to its acceptance into
the Apache Incubator:

https://issues.apache.org/jira/browse/GUACAMOLE-12

You can add groups as members of a guacConfigGroup using the "seeAlso"
attribute. Users which are members of those groups will then have access to
the connections described by any associated guacConfigGroups.

- Mike
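
The access rule described in the message above, as an added example that is not part of the thread and is not Guacamole's own code: an offline audit that lists which users reach each guacConfigGroup, directly through "member" or through a group named in "seeAlso". The DNs and the sample LDIF are constructed; the sketch assumes groups list their users in "member", resolves one level of group only, and reads simple LDIF without folded or base64 lines.

```python
# Added example: audit who can reach each guacConfigGroup connection.
from collections import defaultdict

# Constructed sample directory (hypothetical DNs, not from the thread).
SAMPLE_LDIF = """\
dn: cn=rdp-admins,ou=groups,dc=example,dc=net
objectClass: groupOfNames
member: cn=alice,ou=people,dc=example,dc=net
member: cn=bob,ou=people,dc=example,dc=net

dn: cn=Jump Host,ou=connections,dc=example,dc=net
objectClass: guacConfigGroup
guacConfigProtocol: rdp
guacConfigParameter: hostname=jump.example.net
member: cn=carol,ou=people,dc=example,dc=net
seeAlso: cn=rdp-admins,ou=groups,dc=example,dc=net
seeAlso: cn=missing,ou=groups,dc=example,dc=net
"""

def parse_ldif(text):
    """Parse simple LDIF into {lowercased dn: {lowercased attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            attrs[name.lower()].append(value.strip())
        if attrs.get("dn"):
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def effective_access(entries):
    """Map each guacConfigGroup DN to (sorted user DNs, unresolved seeAlso DNs)."""
    report = {}
    for dn, attrs in entries.items():
        if "guacConfigGroup" not in attrs["objectclass"]:
            continue
        users = {m.lower() for m in attrs["member"]}      # direct grants
        dangling = []
        for group_dn in attrs["seealso"]:                  # grants via groups
            group = entries.get(group_dn.lower())
            if group is None:
                dangling.append(group_dn)                  # no such entry in the export
            else:
                users |= {m.lower() for m in group["member"]}
        report[dn] = (users and sorted(users) or [], dangling)
    return report
```

Run against an export of the connection and group subtrees, the second element of each result lists "seeAlso" values that match no exported entry, which is worth checking before concluding that a group grant is in effect.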