Access user guacamole by groups Active Directory

[Luciano Oliveira <ol...@outlook.com>]

Hello,

How do you allow access to guacamole?

I configured the integration with Active Directory by groups, in this point everything is fine.

My issue is that every time I need to release a new user, I put him in one of these groups, and in order for him to be released in guacamole I have to restart the servlet, knocking everybody out.

Is there a sync tool?

[ ]'s

Re: Access user guacamole by groups Active Directory

[Kevin Cameron <ke...@gmail.com>]

Luciano,
  I have the same issue - Guacamole as a whole is working great but I find
the LDAP interaction with MS AD very flakey.  On a new instance everything
looks great, I can log in with AD users but the list of users available in
the AD groups does not import and the AD users that connect and
authenticate when I view them in the user menu are not flagged as LDAP
users.  After farting around and restarting things all of a sudden things
will import with no changes to the config.  Similar to yourself even once
the import happens new users and groups will not populate on their own.  I
have easily spent 2 to 3 times as much energy on this aspect of the
deployment vs all the rest.

KC

On Tue, Jul 12, 2022 at 3:41 PM David Haukeness <da...@hauken.us> wrote:

> AD group membership should be passed along to guacamole when the user logs
> in.
>
> have you configured the group base DN options?
>
> Are you using database backend or LDAP only with a modified schema?
>
> David
>
> ------ Original Message ------
> From "Luciano Oliveira" <ol...@outlook.com>
> To "user@guacamole.apache.org" <us...@guacamole.apache.org>
> Date 7/12/2022 1:36:07 PM
> Subject Access user guacamole by groups Active Directory
>
> Hello,
>
> How do you allow access to guacamole?
>
> I configured the integration with Active Directory by groups, in this
> point everything is fine.
>
> My issue is that every time I need to release a new user, I put him in one
> of these groups, and in order for him to be released in guacamole I have to
> restart the servlet, knocking everybody out.
>
> Is there a sync tool?
>
> *[ ]'s*
>
>

Re: Access user guacamole by groups Active Directory

[David Haukeness <da...@hauken.us>]

AD group membership should be passed along to guacamole when the user 
logs in.

have you configured the group base DN options?

Are you using database backend or LDAP only with a modified schema?

David

------ Original Message ------
From "Luciano Oliveira" <ol...@outlook.com>
To "user@guacamole.apache.org" <us...@guacamole.apache.org>
Date 7/12/2022 1:36:07 PM
Subject Access user guacamole by groups Active Directory

>Hello,
>
>How do you allow access to guacamole?
>
>I configured the integration with Active Directory by groups, in this 
>point everything is fine.
>
>My issue is that every time I need to release a new user, I put him in 
>one of these groups, and in order for him to be released in guacamole I 
>have to restart the servlet, knocking everybody out.
>
>Is there a sync tool?
>
>[ ]'s

Re: Access user guacamole by groups Active Directory

[Michael Jumper <mj...@apache.org>]

On Tue, Jul 12, 2022, 12:36 Luciano Oliveira <ol...@outlook.com> wrote:

> Hello,
>
> How do you allow access to guacamole?
>
> I configured the integration with Active Directory by groups, in this
> point everything is fine.
>
> My issue is that every time I need to release a new user, I put him in one
> of these groups, and in order for him to be released in guacamole I have to
> restart the servlet, knocking everybody out.
>
> Is there a sync tool?
>

Users/groups from LDAP are not imported in Guacamole; they are queried
on-demand when a user logs in. Unless you are making changes to
guacamole.properties, there is no need to restart anything, and restarting
will have no effect except to kick out established sessions.

If you make a change to a user's group memberships within LDAP, that change
will affect the user the next time they log into Guacamole. It will not
affect any of their existing Guacamole sessions - they would need to log
out and back in.

- Mike