Posted to user@guacamole.apache.org by Östh Mikael <Mi...@tillvaxtanalys.se> on 2016/05/31 12:33:23 UTC

Map LDAP groups to connections

Hi

I have Guacamole set up with both MySQL and LDAP (MS AD) authentication. The guacadmin user is also in AD so LDAP users and groups are populated in WebGUI.
I would like to make it so that everyone who is a member of an AD group gets a specific connection profile.

But when I map a connection to this populated AD group, its members are still not getting the connection when they log in.
The only way I can map a user to a connection is to open every individual user and set its connection; that cannot be the intended way?

Mikael Osth
Growth Analysis
IT-support
Studentplan 3, SE-831 40 Ostersund
Tel: +46 10 447 44 19
email: mikael.osth@tillvaxtanalys.se
www.tillvaxtanalys.se


RE: Map LDAP groups to connections

Posted by Östh Mikael <Mi...@tillvaxtanalys.se>.
I have found an answer in the current development sprint; it seems that it would be supported in the next release.


Best Regards
Mikael Osth

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: den 18 juni 2016 05:33
To: user@guacamole.incubator.apache.org
Subject: Re: Map LDAP groups to connections

On Wed, Jun 1, 2016 at 11:16 PM, Östh Mikael <Mi...@tillvaxtanalys.se> wrote:
> Thank you for the prompt reply. Then I guess the only way for us to bulk manage users is via AD schema modification or by editing the MySQL database directly?

Correct.

- Mike


Re: Map LDAP groups to connections

Posted by Mike Jumper <mi...@guac-dev.org>.
On Wed, Jun 1, 2016 at 11:16 PM, Östh Mikael <Mi...@tillvaxtanalys.se>
wrote:

> Thank you for the prompt reply. Then I guess the only way for us to bulk
> manage users is via AD schema modification or by editing the MySQL database
> directly?
>
>
Correct.

- Mike

RE: Map LDAP groups to connections

Posted by Östh Mikael <Mi...@tillvaxtanalys.se>.
Thank you for the prompt reply. Then I guess the only way for us to bulk manage users is via AD schema modification or by editing the MySQL database directly?

Best Regards
Mikael Osth

From: Mike Jumper [mailto:mike.jumper@guac-dev.org]
Sent: den 2 juni 2016 05:33
To: user@guacamole.incubator.apache.org
Subject: Re: Map LDAP groups to connections


On May 31, 2016 5:34 AM, "Östh Mikael" <Mi...@tillvaxtanalys.se> wrote:
>
> Hi
>
> I have Guacamole set up with both MySQL and LDAP (MS AD) authentication. The guacadmin user is also in AD so LDAP users and groups are populated in WebGUI.
>
> I would like to make it so that everyone who is a member of an AD group gets a specific connection profile.
>
> But when I map a connection to this populated AD group, its members are still not getting the connection when they log in.
>
> The only way I can map a user to a connection is to open every individual user and set its connection; that cannot be the intended way?
>

Hi Mikael,

The prescribed way to control access to connections using LDAP groups is via the LDAP schema modifications:

http://guacamole.incubator.apache.org/doc/gug/ldap-auth.html#ldap-schema-changes

This level of control is currently provided only by the LDAP backend, mainly because the extension API does not yet represent user groups.

Supporting groups within Guacamole in general is planned, and so this should be possible with the MySQL/PostgreSQL backends eventually, but for the time being the best way to accomplish this is through using purely LDAP.

Thanks,

- Mike

Re: Map LDAP groups to connections

Posted by Mike Jumper <mi...@guac-dev.org>.
On May 31, 2016 5:34 AM, "Östh Mikael" <Mi...@tillvaxtanalys.se>
wrote:
>
> Hi
>
> I have Guacamole set up with both MySQL and LDAP (MS AD) authentication.
> The guacadmin user is also in AD so LDAP users and groups are populated in
> WebGUI.
>
> I would like to make it so that everyone who is a member of an AD group gets
> a specific connection profile.
>
> But when I map a connection to this populated AD group, its members are
> still not getting the connection when they log in.
>
> The only way I can map a user to a connection is to open every
> individual user and set its connection; that cannot be the intended way?
>

Hi Mikael,

The prescribed way to control access to connections using LDAP groups is
via the LDAP schema modifications:

http://guacamole.incubator.apache.org/doc/gug/ldap-auth.html#ldap-schema-changes

This level of control is currently provided only by the LDAP backend,
mainly because the extension API does not yet represent user groups.

Supporting groups within Guacamole in general is planned, and so this
should be possible with the MySQL/PostgreSQL backends eventually, but for
the time being the best way to accomplish this is through using purely LDAP.

Thanks,

- Mike
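
A connection entry of the kind the linked schema changes allow, written as LDIF; this is an added illustration, not part of the original thread or the project's own configuration. All DNs, names and the host are constructed placeholders, and it assumes the `guacConfigGroup` schema from the linked documentation is loaded and that `ldap-config-base-dn` and `ldap-group-base-dn` in `guacamole.properties` cover these entries.

```ldif
# Constructed example: every DN, name and host below is a placeholder.
# Assumes the guacConfigGroup schema from the linked documentation is loaded.
dn: cn=Finance RDP,ou=connections,dc=example,dc=net
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: Finance RDP
guacConfigProtocol: rdp
guacConfigParameter: hostname=rdp01.example.net
guacConfigParameter: port=3389
# Direct grant to a single user.
member: cn=alice,ou=people,dc=example,dc=net
# Grant to every member of an LDAP group; the group must sit under ldap-group-base-dn.
seeAlso: cn=finance,ou=groups,dc=example,dc=net
```

Membership of the referenced group then decides who sees the connection, so access is reviewed and revoked in the directory rather than per user in the web interface.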