Guacamole / GUACAMOLE-1014

LDAP + MySQL DB user does not get connections applied to LDAP group

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 1.1.0
    • Fix Version/s: None
    • Component/s: guacamole-auth-ldap
    • Labels:
      None

      Description

      I have installed Guacamole 1.1.0 and configured it to use our Samba AD server as LDAP + MySQL DB. Logins work fine, but when I add connections to a standard LDAP group, and users who are in those groups log in, they cannot access the connections. As a result, when users log in, they have access to no connections. I have 1000 users I have to either manually add connections for, or I have to write code to manually pre-add the users to the MySQL DB so they will have connections. I've written to the mailing list, but there has been no feedback. I believe this is a bug.

      1) Users and groups are in CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca:

      CN=<user>,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca

      CN=<group>,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca

      For Guacamole ldap-group-base-dn: CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca

      For Guacamole ldap-group-name-attribute: cn

      But there's no option for me to specify: ldap-group-search-filter: objectClass=group

      I also add: ldap-member-attribute: member

      From the command prompt, I can print the groups using:

      ldapsearch -x -h <ldap server> -D "<me>" -W -b "dc=ad,dc=eecs,dc=yorku,dc=ca" "(objectClass=group)"

      Because of the lack of ldap-group-search-filter, my list of groups in Guacamole contains all the users as well!

      If I want to see who are the members of a group from the command line I can do:

      ldapsearch -x -h <ldap server> -D "<me>" -W -b "cn=Domain Admins,cn=Users,dc=ad,dc=eecs,dc=yorku,dc=ca" member

      2) I could live with the fact that the users appear in my group list because there's no way for me to specify ldap-group-search-filter. However, if I take a group that appears in the list (e.g. Domain Users) and add connections, then when a user who is in the group logs in, they don't get the connections. This seems like a bug to me.

            People

            • Assignee: Unassigned
            • Reporter: kangaroo22 Jason Keltz