Posted to user@guacamole.apache.org by Thomas Besser <th...@kit.edu> on 2021/02/16 08:38:28 UTC

"Default connections" for all authenticated users?

Hi all,

I'm new to guacamole and want to realize access for students to our 
computer pools.

Installed guacamole via docker successfully, configured database 
authentication (postgres) and additionally LDAP because all student 
accounts are included there. Access to the computers is via RDP, and 
passing through the authentication information with ${GUAC_USERNAME} and 
${GUAC_PASSWORD} works great.

I read about storing connections in LDAP, but that is not feasible here. 
Connections should be stored in postgres. The problem now is that I 
have to configure each user manually in the database (create user without 
password, add to a group with connection rights). Otherwise the 
authentication with LDAP succeeds but no connections are shown.

Is there any way to configure "default connections" in the database which 
are shown to all authenticated users?

I tried to create a user called "${GUAC_USERNAME}" and added this 
account to a group with connections. But that did not work ;-)

Regards
Thomas

-- 
Karlsruher Institut für Technologie (KIT)
archIT [IT Management of the Faculty of Architecture]
Dipl.-Ing. Thomas Besser
Building 11.40, Room 010 | Phone +49 721 608 46024
http://www.arch.kit.edu/fakultaet/it-management.php

KIT - The Research University in the Helmholtz Association


Retrieve user groups from LDAP (was: "Default connections" for all authenticated users?)

Posted by Thomas Besser <th...@kit.edu>.
On 16.02.21 at 14:26, Thomas Besser wrote:
> On 16.02.21 at 09:45, Mike Jumper wrote:
>> 2) Make sure Guacamole is configured to retrieve user groups from LDAP.
> 
> Yes, I forgot that I read about that a few days ago. I tried once
> without success to retrieve groups from LDAP. But that may be based on
> the complex situation regarding LDAP here.
> 
> It's a centralized LDAP server, I can access all relevant users and
> groups (according to LDAP_SEARCH_BIND_DN, like
> cn=admin,dc=example,dc=org), but this account is not within
> LDAP_USER_BASE_DN or LDAP_GROUP_BASE_DN. So it is not possible to login
> to guacamole web interface with this account.
> 
> If I read https://guacamole.apache.org/doc/gug/ldap-auth.html correctly,
> it should be possible to create that LDAP group manually in the database
> with the same name!?
> 
> Adding a user (without a password) and configuring connections for it
> does work. But creating a group with the same name as in LDAP does not.
> 
> The corresponding LDAP group is of type "posixGroup" with "memberUid" as
> "ldap-member-attribute" and "uid" as "ldap-member-attribute-type".
> Probably that is the reason.
> 
> https://guacamole.apache.org/doc/gug/guacamole-docker.html#guacamole-docker-ldap
> does not mention anything to configure this with "optional environment
> variables"
> 
> I tried to set environment variables for docker:
> -e LDAP_MEMBER_ATTRIBUTE=memberUid \
> -e LDAP_MEMBER_ATTRIBUTE_TYPE=uid \
> 
> But did not work.

A look into the docker container "guacamole" shows that the environment 
variables above found their way into the file "guacamole.properties". 
There are now two lines with...

ldap-member-attribute: memberUid
ldap-member-attribute-type: uid

But still no connections are shown when I log in with an LDAP account 
which is a member of the configured group.

Am I missing something else?

Regards
Thomas



Re: Retrieve user groups from LDAP (was: "Default connections" for all authenticated users?)

Posted by Mike Jumper <mi...@glyptodon.com>.
On Wed, Feb 17, 2021 at 6:51 AM Thomas Besser <th...@kit.edu> wrote:

> On 16.02.21 at 19:05, Mike Jumper wrote:
> > ...
> > If you authenticate with your LDAP directory using a generic LDAP search
> > tool and a normal LDAP account (the type of account one of your students
> > would use), are you able to query your own group memberships?
>
> No, that does not work. You can only see/find your own account.
>
> But that is what the LDAP_SEARCH_BIND_DN with the LDAP_SEARCH_BIND_PASSWORD
> is configured for. With that you can see all users and groups.
>

I think this may be what is causing your trouble. The search bind DN is
used by Guacamole *only for name resolution*. It allows Guacamole to
transform the DN of a user or group into a simple username or group name
via an LDAP query. Once that translation has been performed, the user
authenticates by binding with their LDAP credentials and object visibility
will be dictated by their own LDAP permissions. If the user cannot see
their own group memberships, then Guacamole will not be able to see them
either.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://enterprise.glyptodon.com/>.
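To make the two-bind behaviour described above concrete, here is an added example (not Guacamole's own code, and not from anyone in this thread) that models it offline in Python. The DN, base DN and group names are the anonymised ones from the posted guacamole.properties; the two student accounts, the groupOfNames "staff" and the ACL rule ("the search-bind account sees everything, an ordinary account sees only itself") are constructed for the example. The `search_as_user` switch exists only in this model, to contrast what the user's own bind and the search bind would each return; Guacamole itself always runs the group lookup under the user's bind.

```python
"""Offline model of how Guacamole's LDAP extension resolves group membership,
as Mike Jumper describes it: the search bind resolves the login name to a DN,
then the group search runs under the user's own bind, so ACLs that hide group
entries from ordinary users leave the lookup empty. Added example; the
directory below is constructed, not a real one."""
from dataclasses import dataclass

# Values from the anonymised guacamole.properties in the thread.
SEARCH_BIND_DN = "cn=admin,dc=example,dc=com"
USER_BASE_DN = "ou=Users,dc=example,dc=com"
GROUP_BASE_DN = "ou=Groups,dc=example,dc=com"
LDAP_URL = "ldaps://ldap.example.com:636"  # ldap-port 636, encryption ssl


@dataclass
class Entry:
    dn: str
    attrs: dict  # attribute name -> list of values


# Constructed directory: two students (assumed names), the posixGroup "test"
# from the thread (memberUid holds bare uids) and an assumed groupOfNames
# whose member attribute holds full DNs.
DIRECTORY = [
    Entry("cn=admin,dc=example,dc=com", {"objectClass": ["simpleSecurityObject"]}),
    Entry("uid=student1,ou=Users,dc=example,dc=com",
          {"objectClass": ["posixAccount"], "uid": ["student1"]}),
    Entry("uid=student2,ou=Users,dc=example,dc=com",
          {"objectClass": ["posixAccount"], "uid": ["student2"]}),
    Entry("cn=test,ou=Groups,dc=example,dc=com",
          {"objectClass": ["posixGroup"], "cn": ["test"],
           "memberUid": ["student1", "student2"]}),
    Entry("cn=staff,ou=Groups,dc=example,dc=com",
          {"objectClass": ["groupOfNames"], "cn": ["staff"],
           "member": ["uid=student2,ou=Users,dc=example,dc=com"]}),
]


def visible_to(bind_dn: str, entry: Entry) -> bool:
    """Constructed ACL matching the thread: the search-bind account sees
    every entry, an ordinary account sees nothing but its own entry."""
    return bind_dn == SEARCH_BIND_DN or entry.dn.lower() == bind_dn.lower()


def search(bind_dn: str, base_dn: str, attr: str, value: str) -> list:
    """Subtree search under base_dn for entries whose attr holds value,
    limited to what bind_dn may see. Case-insensitive, as uid and DN
    attribute syntaxes usually are."""
    hits = []
    for entry in DIRECTORY:
        if not entry.dn.lower().endswith(base_dn.lower()):
            continue
        if not visible_to(bind_dn, entry):
            continue
        if value.lower() in [v.lower() for v in entry.attrs.get(attr, [])]:
            hits.append(entry)
    return hits


def resolve_user_dn(username: str):
    """Phase 1: the search bind turns a login name into a DN
    (ldap-username-attribute, uid by default). None if not found."""
    hits = search(SEARCH_BIND_DN, USER_BASE_DN, "uid", username)
    return hits[0].dn if hits else None


def member_value(username: str, user_dn: str, member_attr_type: str) -> str:
    """What is expected inside the group's member attribute: the bare
    username for ldap-member-attribute-type=uid (posixGroup/memberUid),
    the full DN for ldap-member-attribute-type=dn (groupOfNames/member)."""
    if member_attr_type == "uid":
        return username
    if member_attr_type == "dn":
        return user_dn
    raise ValueError(f"unknown ldap-member-attribute-type: {member_attr_type}")


def groups_for(username: str, member_attr: str = "memberUid",
               member_attr_type: str = "uid", search_as_user: bool = True):
    """Phase 2: look up groups under GROUP_BASE_DN after authentication.
    Guacamole runs this under the user's own bind; search_as_user=False is a
    switch of this model only. None means the login name did not resolve."""
    user_dn = resolve_user_dn(username)
    if user_dn is None:
        return None
    bind_dn = user_dn if search_as_user else SEARCH_BIND_DN
    wanted = member_value(username, user_dn, member_attr_type)
    return sorted(e.attrs["cn"][0]
                  for e in search(bind_dn, GROUP_BASE_DN, member_attr, wanted))


def ldapsearch_check(username: str, member_attr: str = "memberUid",
                     member_attr_type: str = "uid") -> list:
    """The manual check suggested in the thread, as an OpenLDAP ldapsearch
    argv: bind as the student and ask for the groups that list them.
    Assumes uid-based user RDNs. Empty output means Guacamole sees nothing."""
    user_dn = f"uid={username},{USER_BASE_DN}"
    wanted = member_value(username, user_dn, member_attr_type)
    return ["ldapsearch", "-LLL", "-H", LDAP_URL, "-D", user_dn, "-W",
            "-b", GROUP_BASE_DN, f"({member_attr}={wanted})", "cn"]


if __name__ == "__main__":
    print("student1, own bind  :", groups_for("student1"))
    print("student1, admin bind:", groups_for("student1", search_as_user=False))
    print("student2, member/dn :", groups_for("student2", "member", "dn", False))
    print("student2, member/uid:", groups_for("student2", "member", "uid", False))
    print(" ".join(ldapsearch_check("student1")))
```

Run against this constructed directory, `groups_for("student1")` is empty under the student's own bind and `["test"]` under the search bind, which is exactly the symptom in the thread: the search bind proves the group exists, but the bind Guacamole actually uses for the lookup cannot see it. The last two calls show the other common cause of an empty result, a `ldap-member-attribute`/`ldap-member-attribute-type` pair that does not match how the group stores its members. The `ldapsearch_check` argv is the real command to run against the directory from a shell; the posixGroup case in the thread translates to `ldapsearch -LLL -H ldaps://ldap.example.com:636 -D "uid=student1,ou=Users,dc=example,dc=com" -W -b "ou=Groups,dc=example,dc=com" "(memberUid=student1)" cn`.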

Retrieve user groups from LDAP (was: "Default connections" for all authenticated users?)

Posted by Thomas Besser <th...@kit.edu>.
On 16.02.21 at 19:05, Mike Jumper wrote:
> On Tue, Feb 16, 2021 at 5:26 AM Thomas Besser <thomas.besser@kit.edu> wrote:
>     The corresponding LDAP group is of type "posixGroup" with "memberUid" as
>     "ldap-member-attribute" and "uid" as "ldap-member-attribute-type".
>     Probably that is the reason.
> 
>     https://guacamole.apache.org/doc/gug/guacamole-docker.html#guacamole-docker-ldap
> 
>     does not mention anything to configure this with "optional environment
>     variables"
> 
>     I tried to set environment variables for docker:
>     -e LDAP_MEMBER_ATTRIBUTE=memberUid \
>     -e LDAP_MEMBER_ATTRIBUTE_TYPE=uid \
> 
>     But did not work.
> 
>     Any hint how I can debug this?
> 
> 
> Can you share the other environment variables and the relevant structure 
> of your LDAP directory? What is the DN of the group in question and your 
> LDAP_GROUP_BASE_DN?

Here are the LDAP-related settings (extracted from 
'guacamole.properties' and anonymized):

ldap-hostname: ldap.example.com
ldap-user-base-dn: ou=Users,dc=example,dc=com
ldap-port: 636
ldap-encryption-method: ssl
ldap-search-bind-dn: cn=admin,dc=example,dc=com
ldap-search-bind-password: secret
ldap-member-attribute: memberUid
ldap-group-base-dn: ou=Groups,dc=example,dc=com
ldap-member-attribute-type: uid

The DN of the group (type of posixGroup, attribute type memberUid) in 
question is "cn=test,ou=Groups,dc=example,dc=com"

> If you authenticate with your LDAP directory using a generic LDAP search 
> tool and a normal LDAP account (the type of account one of your students 
> would use), are you able to query your own group memberships?

No, that does not work. You can only see/find your own account.

But that is what the LDAP_SEARCH_BIND_DN with the LDAP_SEARCH_BIND_PASSWORD 
is configured for. With that you can see all users and groups.

Regards
Thomas



Re: "Default connections" for all authenticated users?

Posted by Mike Jumper <mi...@glyptodon.com>.
On Tue, Feb 16, 2021 at 5:26 AM Thomas Besser <th...@kit.edu> wrote:

> On 16.02.21 at 09:45, Mike Jumper wrote:
> >     Is there any way, to configure "default connections" in database
> which
> >     are shown to all authenticated users?
> >
> > There is no way to grant access to simply all authenticated users (and
> > that would probably be dangerous), but you can achieve what you're
> > looking for with groups. You don't need to create any of these users
> > within the database. All you need to do is:
>
> Thanks for clarification.
>
> > 1) Create a user group within LDAP that each of the student accounts is
> > a member of (if this doesn't already exist)
>
> Such a group already exists.
>
> > 2) Make sure Guacamole is configured to retrieve user groups from LDAP.
>
> Yes, I forgot that I read about that a few days ago. I tried once
> without success to retrieve groups from LDAP. But that may be based on
> the complex situation regarding LDAP here.
>
> It's a centralized LDAP server, I can access all relevant users and
> groups (according to LDAP_SEARCH_BIND_DN, like
> cn=admin,dc=example,dc=org), but this account is not within
> LDAP_USER_BASE_DN or LDAP_GROUP_BASE_DN. So it is not possible to login
> to guacamole web interface with this account.
>
> If I read https://guacamole.apache.org/doc/gug/ldap-auth.html correctly,
> it should be possible to create that LDAP group manually in the database
> with the same name!?
>
> Adding a user (without a password) and configuring connections for it
> does work. But creating a group with the same name as in LDAP does not.
>
> The corresponding LDAP group is of type "posixGroup" with "memberUid" as
> "ldap-member-attribute" and "uid" as "ldap-member-attribute-type".
> Probably that is the reason.
>
>
> https://guacamole.apache.org/doc/gug/guacamole-docker.html#guacamole-docker-ldap
> does not mention anything to configure this with "optional environment
> variables"
>
> I tried to set environment variables for docker:
> -e LDAP_MEMBER_ATTRIBUTE=memberUid \
> -e LDAP_MEMBER_ATTRIBUTE_TYPE=uid \
>
> But did not work.
>
> Any hint how I can debug this?


Can you share the other environment variables and the relevant structure of
your LDAP directory? What is the DN of the group in question and your
LDAP_GROUP_BASE_DN?

If you authenticate with your LDAP directory using a generic LDAP search
tool and a normal LDAP account (the type of account one of your students
would use), are you able to query your own group memberships?

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://enterprise.glyptodon.com/>.

Re: "Default connections" for all authenticated users?

Posted by Thomas Besser <th...@kit.edu>.
On 16.02.21 at 09:45, Mike Jumper wrote:
>     Is there any way, to configure "default connections" in database which
>     are shown to all authenticated users?
> 
> There is no way to grant access to simply all authenticated users (and 
> that would probably be dangerous), but you can achieve what you're 
> looking for with groups. You don't need to create any of these users 
> within the database. All you need to do is:

Thanks for clarification.

> 1) Create a user group within LDAP that each of the student accounts is 
> a member of (if this doesn't already exist)

Such a group already exists.

> 2) Make sure Guacamole is configured to retrieve user groups from LDAP.

Yes, I forgot that I read about that a few days ago. I tried once 
without success to retrieve groups from LDAP. But that may be based on 
the complex situation regarding LDAP here.

It's a centralized LDAP server, I can access all relevant users and 
groups (according to LDAP_SEARCH_BIND_DN, like 
cn=admin,dc=example,dc=org), but this account is not within 
LDAP_USER_BASE_DN or LDAP_GROUP_BASE_DN. So it is not possible to login 
to guacamole web interface with this account.

If I read https://guacamole.apache.org/doc/gug/ldap-auth.html correctly, 
it should be possible to create that LDAP group manually in the database 
with the same name!?

Adding a user (without a password) and configuring connections for it 
does work. But creating a group with the same name as in LDAP does not.

The corresponding LDAP group is of type "posixGroup" with "memberUid" as 
"ldap-member-attribute" and "uid" as "ldap-member-attribute-type". 
Probably that is the reason.

https://guacamole.apache.org/doc/gug/guacamole-docker.html#guacamole-docker-ldap 
does not mention anything to configure this with "optional environment 
variables"

I tried to set environment variables for docker:
-e LDAP_MEMBER_ATTRIBUTE=memberUid \
-e LDAP_MEMBER_ATTRIBUTE_TYPE=uid \

But did not work.

Any hint how I can debug this?

Regards
Thomas



Re: "Default connections" for all authenticated users?

Posted by Mike Jumper <mi...@glyptodon.com>.
On Tue, Feb 16, 2021 at 12:38 AM Thomas Besser <th...@kit.edu>
wrote:

> Hi all,
>
> I'm new to guacamole and want to realize access for students to our
> computer pools.
>
> Installed guacamole via docker successfully, configured database
> authentication (postgres) and additionally LDAP because all student
> accounts are included there. Access to the computers is via RDP, and
> passing through the authentication information with ${GUAC_USERNAME} and
> ${GUAC_PASSWORD} works great.
>
> I read about storing connections in LDAP, but that is not feasible here.
> Connections should be stored in postgres. The problem now is that I
> have to configure each user manually in the database (create user without
> password, add to a group with connection rights). Otherwise the
> authentication with LDAP succeeds but no connections are shown.
>
> Is there any way to configure "default connections" in the database which
> are shown to all authenticated users?
>
> I tried to create a user called "${GUAC_USERNAME}" and added this
> account to a group with connections. But that did not work ;-)
>

There is no way to grant access to simply all authenticated users (and that
would probably be dangerous), but you can achieve what you're looking for
with groups. You don't need to create any of these users within the
database. All you need to do is:

1) Create a user group within LDAP that each of the student accounts is a
member of (if this doesn't already exist)
2) Make sure Guacamole is configured to retrieve user groups from LDAP.
3) Grant that user group access to the connection(s).

Any user that logs in via LDAP that is a member of that group will see
those connections.

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://enterprise.glyptodon.com/>.