Posted to user@guacamole.apache.org by dynz <dy...@huntergroup.co.nz.INVALID> on 2020/06/30 23:01:39 UTC

Database default group for auto-created accounts?

Hi,

Great release by the way!

I'm using RADIUS and MySQL for authentication, with MySQL holding
connections and groups.
If I use 
mysql-auto-create-accounts: true
can I define a Group in MySQL with a certain name so that the auto-created
users will automatically be defined as members of that Group? If so, what is
that certain Group name?

Thanks,
David



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: Database default group for auto-created accounts?

Posted by dynz <dy...@huntergroup.co.nz.INVALID>.
Hi Nick
Apologies - typos, and no ability to edit my original post....

Just a plug for the original suggestion.
If an administrator created the default group, say it was required to be
named "auto-create", then they could define default permissions,
connections, etc. This "auto-create" Group would be available to any auto
authenticated user, irrespective of whether the authenticating extension
could provide a Group name or not (inherent to the extension, or because of
the authenticating host).

And of course if the "auto-create" Group wasn't defined then nothing would
happen for the auto-created user. Nor does this suggestion conflict
with your thinking.

Irrespective, thanks for facilitating this discussion.
-David





Re: Database default group for auto-created accounts?

Posted by dynz <dy...@huntergroup.co.nz.INVALID>.
Hi Nick
Just a plug for the original suggestion.
If an administrator created the default group, say it was required to be
named "auto-create", then they could define default permissions,
connections, etc. This "auto-create" Group would be available to any auto
authenticated user, irrespective of whether the authenticating extension
could provide a Group name or not (inherent to the extension of because of
the authenticating host). 

And of course of the "auto-create" Group wasn't defined then nothing would
happen for the auto-created user. Nor does this suggestion doesn't conflict
with your thinking.

Irrespective, thanks for facilitating this discussion.
-David





Re: Database default group for auto-created accounts?

Posted by Nick Couchman <vn...@apache.org>.
On Mon, Jul 13, 2020 at 12:36 PM Mike Jumper <mj...@apache.org> wrote:

> On Tue, Jun 30, 2020, 16:46 Nick Couchman <vn...@apache.org> wrote:
>
>> On Tue, Jun 30, 2020 at 18:01 dynz <dy...@huntergroup.co.nz.invalid>
>> wrote:
>>
>>> Hi,
>>>
>>> Great release by the way!
>>>
>>> I'm using RADIUS and MySQL for authentication, with MySQL holding
>>> connections and groups.
>>> If I use
>>> mysql-auto-create-accounts: true
>>> can I define a Group in MySQL with a certain name so that the
>>> auto-created
>>> users will automatically be defined as members of that Group? If so,
>>> what is
>>> that certain Group name?
>>>
>>
>> No, there is no way to accomplish that with the auto creation process.
>> I’ve thought in the past about some way to assign either default
>> permissions or membership to new users, or some way to grant permissions to
>> all authenticated users.  However, another part of me says that those
>> methods are just work-arounds for proper group and permissions management -
>> a big part of which is making sure that all of the extensions support
>> some method of providing group membership.
>>
>> I’m interested to hear what others think.
>>
>
> Is there a standard way within RADIUS to define the group memberships of a
> user?
>
>
I believe the most common way to do this with RADIUS is using the
Vendor-Specific attribute and defining the group membership, there.
However, it has something of a limitation, at least from the research I've
done, in that you usually can only define a single group the user is a
member of and not a list of groups.


> If so, then perhaps the solution here is to pull that information when
> configured to do so, similar to the group support within SAML.
>
>
Yes, I think providing at least a single group membership entry out of
RADIUS is the way to go.  I've looked into this off-and-on for several
months, but not settled on the best way to do this, yet.

-Nick

Re: Database default group for auto-created accounts?

Posted by Mike Jumper <mj...@apache.org>.
On Tue, Jun 30, 2020, 16:46 Nick Couchman <vn...@apache.org> wrote:

> On Tue, Jun 30, 2020 at 18:01 dynz <dy...@huntergroup.co.nz.invalid>
> wrote:
>
>> Hi,
>>
>> Great release by the way!
>>
>> I'm using RADIUS and MySQL for authentication, with MySQL holding
>> connections and groups.
>> If I use
>> mysql-auto-create-accounts: true
>> can I define a Group in MySQL with a certain name so that the auto-created
>> users will automatically be defined as members of that Group? If so, what
>> is
>> that certain Group name?
>>
>
> No, there is no way to accomplish that with the auto creation process.
> I’ve thought in the past about some way to assign either default
> permissions or membership to new users, or some way to grant permissions to
> all authenticated users.  However, another part of me says that those
> methods are just work-arounds for proper group and permissions management -
> a big part of which is making sure that all of the extensions support
> some method of providing group membership.
>
> I’m interested to hear what others think.
>

Is there a standard way within RADIUS to define the group memberships of a
user?

If so, then perhaps the solution here is to pull that information when
configured to do so, similar to the group support within SAML.

- Mike

Re: Database default group for auto-created accounts?

Posted by Mike Jumper <mj...@apache.org>.
On Mon, Jul 13, 2020, 09:17 BolleoOg <m....@gmail.com> wrote:

> This requested feature is what's holding me off from deploying Guacamole.
> I'm
> using OpenID for auth and RDP with NLA.


I think allowing the groups associated with users authenticated by OpenID
to be defined would be a better approach.

> New users should be able to set
> up their own connection and credentials as OpenID cannot pass them.


Allowing users to create their own connections is not recommended, as it is
an admin-level permission. The ability to create connections is the ability
to connect to any server on the network and to access the local resources
of the Guacamole server, perhaps including the filesystem. It really should
only be system administrators that are granted this permission.

Looking into mechanisms that would allow credential passthrough alongside
OpenID would be better. Perhaps support for using a key vault?

- Mike
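
An audit for the risk described in the message above, as an added example that is not part of the thread or of the Guacamole project: it lists every user who effectively holds `CREATE_CONNECTION`, whether granted directly or inherited through nested group membership. Table and column names are assumed from the Guacamole 1.x JDBC schema and reproduced in miniature in SQLite with constructed rows; check them against your installed schema.

```python
import sqlite3

# Constructed miniature of the Guacamole JDBC tables this audit touches
# (names assumed from the 1.x MySQL schema; verify against your version).
SCHEMA = """
CREATE TABLE guacamole_entity (entity_id INTEGER PRIMARY KEY, name TEXT, type TEXT);
CREATE TABLE guacamole_user_group (user_group_id INTEGER PRIMARY KEY, entity_id INTEGER);
CREATE TABLE guacamole_user_group_member (user_group_id INTEGER, member_entity_id INTEGER);
CREATE TABLE guacamole_system_permission (entity_id INTEGER, permission TEXT);
"""

# Constructed sample rows: 'alice' holds the permission directly, 'bob'
# inherits it via 'self-service' -> 'builders', 'carol' holds nothing.
SAMPLE = """
INSERT INTO guacamole_entity VALUES (1,'alice','USER'),(2,'bob','USER'),
  (3,'carol','USER'),(10,'builders','USER_GROUP'),(11,'self-service','USER_GROUP');
INSERT INTO guacamole_user_group VALUES (100,10),(101,11);
INSERT INTO guacamole_user_group_member VALUES (101,2),(100,11);
INSERT INTO guacamole_system_permission VALUES (1,'CREATE_CONNECTION'),(10,'CREATE_CONNECTION');
"""

# Start from every entity granted the permission, then follow group
# membership downwards (nested groups included) to the users reached.
AUDIT = """
WITH RECURSIVE holder(entity_id, via) AS (
  SELECT p.entity_id, e.name
    FROM guacamole_system_permission p
    JOIN guacamole_entity e ON e.entity_id = p.entity_id
   WHERE p.permission = :perm
  UNION
  SELECT m.member_entity_id, h.via
    FROM holder h
    JOIN guacamole_user_group g ON g.entity_id = h.entity_id
    JOIN guacamole_user_group_member m ON m.user_group_id = g.user_group_id
)
SELECT e.name, h.via
  FROM holder h JOIN guacamole_entity e ON e.entity_id = h.entity_id
 WHERE e.type = 'USER' ORDER BY e.name
"""

def users_with_permission(conn, perm="CREATE_CONNECTION"):
    """Return (username, granting entity) pairs for users holding `perm`."""
    return conn.execute(AUDIT, {"perm": perm}).fetchall()

def demo_db():
    """Build the in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn
```

On the sample rows, `users_with_permission(demo_db())` reports alice (direct grant) and bob (through the `builders` group). The same recursive CTE can be run on MySQL 8.0 or later with the parameter replaced by a literal.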

Re: Database default group for auto-created accounts?

Posted by BolleoOg <m....@gmail.com>.
This requested feature is what's holding me off from deploying Guacamole. I'm
using OpenID for auth and RDP with NLA. New users should be able to set
up their own connection and credentials as OpenID cannot pass them. I like
users to sign in with Office 365 and Azure MFA which would allow them access
to Guacamole if set up with OpenID. They should be able to create and update
their own connection. I also would love if the connection would start
automatically at login, but that does not seem to work if the user has
'UPDATE' permission. It does work with 'READ' permission but then they
cannot update their connection.





Re: Database default group for auto-created accounts?

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Jun 30, 2020 at 18:01 dynz <dy...@huntergroup.co.nz.invalid> wrote:

> Hi,
>
> Great release by the way!
>
> I'm using RADIUS and MySQL for authentication, with MySQL holding
> connections and groups.
> If I use
> mysql-auto-create-accounts: true
> can I define a Group in MySQL with a certain name so that the auto-created
> users will automatically be defined as members of that Group? If so, what
> is
> that certain Group name?
>

No, there is no way to accomplish that with the auto creation process.
I’ve thought in the past about some way to assign either default
permissions or membership to new users, or some way to grant permissions to
all authenticated users.  However, another part of me says that those
methods are just work-arounds for proper group and permissions management -
a big part of which is making sure that all of the extensions support
some method of providing group membership.

I’m interested to hear what others think.

-Nick