Posted to user@guacamole.apache.org by Thiago Cruz <th...@gmail.com> on 2016/08/18 00:34:58 UTC

Filter User with LDAP Group

Hello,

I've implemented Guacamole with MySQL and Active Directory (no schema
changed). Everything is working but I'd like to allow users to log in if
they are mapped into some LDAP group. I've tried using binding attributes
with no success. Does anyone know if that is possible?

Regards,

Re: Filter User with LDAP Group

Posted by Mike Jumper <mi...@guac-dev.org>.
Hi Thiago,

You can't currently limit login based purely on LDAP group membership, but
there are recent WIP changes that would allow you to limit access to only
those users that also exist in the database (MySQL in your case):

https://issues.apache.org/jira/browse/GUACAMOLE-70

The code thus far is on a separate branch called "restrict-database-login":

https://github.com/mike-jumper/incubator-guacamole-client/tree/restrict-database-login

I'm not going to open a PR for that until we have 0.9.10-incubating behind
us, but if you want to give it a try, please do. With a guacamole.war and
MySQL auth .jar built from the above, you would specify the following in
your guacamole.properties:

mysql-user-required: true

Attempts to log in via any other mechanism (including LDAP) will then be
denied unless that user has been associated with data in MySQL already.

Thanks,

- Mike


On Wed, Aug 17, 2016 at 5:34 PM, Thiago Cruz <th...@gmail.com> wrote:

> Hello,
>
> I've implemented Guacamole with MySQL and Active Directory (no schema
> changed). Everything is working but I'd like to allow users to log in if
> they are mapped into some LDAP group. I've tried using binding attributes
> with no success. Does anyone know if that is possible?
>
> Regards,
>