Posted to user@guacamole.apache.org by Thomas Besser <th...@kit.edu> on 2021/02/16 16:29:32 UTC

Retrieve user groups from LDAP (was: "Default connections" for all authenticated users?)

On 16.02.21 at 14:26, Thomas Besser wrote:
> On 16.02.21 at 09:45, Mike Jumper wrote:
>> 2) Make sure Guacamole is configured to retrieve user groups from LDAP.
> 
> Yes, I forgot that I read about that a few days ago. I tried once
> without success to retrieve groups from LDAP. But that may be based on
> the complex situation regarding LDAP here.
> 
> It's a centralized LDAP server, I can access all relevant users and
> groups (according to LDAP_SEARCH_BIND_DN, like
> cn=admin,dc=example,dc=org), but this account is not within
> LDAP_USER_BASE_DN or LDAP_GROUP_BASE_DN. So it is not possible to log in
> to the guacamole web interface with this account.
> 
> If I read https://guacamole.apache.org/doc/gug/ldap-auth.html correctly,
> it should be possible to create that LDAP group manually in the database
> with the same name!?
> 
> Adding a user (without a password) and configuring connections for it
> does work. But creating a group with the same name as in LDAP does not.
> 
> The corresponding LDAP group is of type "posixGroup" with "memberUid" as
> "ldap-member-attribute" and "uid" as "ldap-member-attribute-type".
> Probably that is the reason.
> 
> https://guacamole.apache.org/doc/gug/guacamole-docker.html#guacamole-docker-ldap
> does not mention anything about configuring this with "optional environment
> variables".
> 
> I tried to set environment variables for docker:
> -e LDAP_MEMBER_ATTRIBUTE=memberUid \
> -e LDAP_MEMBER_ATTRIBUTE_TYPE=uid \
> 
> But it did not work.

A look into the docker container "guacamole" shows that the environment
variables above found their way into the file "guacamole.properties".
There now exist two lines with...

ldap-member-attribute: memberUid
ldap-member-attribute-type: uid

But still no connections are shown when I log in with an LDAP account
which is a member of the configured group.

Am I missing something else?

Regards
Thomas

-- 
Karlsruher Institut für Technologie (KIT)
archIT [IT Management of the Faculty of Architecture]
Dipl.-Ing. Thomas Besser
Building 11.40, Room 010 | Phone +49 721 608 46024
http://www.arch.kit.edu/fakultaet/it-management.php

KIT - The Research University in the Helmholtz Association
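The interaction the thread is circling around (a posixGroup lists uids in memberUid, while the default matching expects full DNs in member) can be checked offline with a small model. This is an added example, not code from the thread or from Guacamole itself: the group DNs, the user entry and the properties fragment are constructed, and the matching rules are a simplified reading of the documented "dn" versus "uid" semantics of ldap-member-attribute-type.

```python
# Added example (not Guacamole's code): model how the two guacamole.properties
# settings from the post decide which LDAP groups a user is seen to belong to.
import configparser

# Constructed properties fragment: the two lines found inside the container.
PROPERTIES_TEXT = """\
ldap-member-attribute: memberUid
ldap-member-attribute-type: uid
"""

# Constructed directory: a posixGroup (memberUid holds uids) and a
# groupOfNames (member holds full DNs). Names are hypothetical.
GROUPS = {
    "cn=guac-users,ou=groups,dc=example,dc=org": {
        "objectClass": ["posixGroup"],
        "memberUid": ["alice", "bob"],
    },
    "cn=guac-admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"],
    },
}
USER = {"dn": "uid=alice,ou=people,dc=example,dc=org", "uid": "alice"}

def parse_properties(text):
    """Read 'key: value' lines the way guacamole.properties lays them out."""
    parser = configparser.ConfigParser(delimiters=(":", "="), interpolation=None)
    parser.optionxform = str  # keep attribute names case-sensitive
    parser.read_string("[root]\n" + text)
    return dict(parser["root"])

def groups_for_user(props, user, groups):
    """Group DNs whose member attribute names the user. With type 'dn' the
    attribute must hold the user's full DN; otherwise (e.g. 'uid') it must
    hold the user's value of that attribute. Defaults: member / dn."""
    attr = props.get("ldap-member-attribute", "member")
    attr_type = props.get("ldap-member-attribute-type", "dn")
    expected = user["dn"] if attr_type == "dn" else user[attr_type]
    return sorted(dn for dn, entry in groups.items()
                  if expected.lower() in (v.lower() for v in entry.get(attr, [])))

def explain(text=PROPERTIES_TEXT, user=USER, groups=GROUPS):
    """Compare the posted settings with the defaults (no ldap-member-* keys)."""
    return {"posted": groups_for_user(parse_properties(text), user, groups),
            "defaults": groups_for_user({}, user, groups)}

if __name__ == "__main__":
    for name, found in explain().items():
        print(f"{name}: {found or 'no groups matched'}")
```

With the posted settings only the posixGroup matches, and with the defaults only the groupOfNames does; a directory that mixes both group types cannot be covered by one pair of values.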