Guacamole / GUACAMOLE-1086

Add support for nested LDAP groups

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: guacamole-auth-ldap
    • Environment:
      Guacamole 1.1.0 with mysql (mariadb) on Ubuntu 18.04 + tomcat9 + Windows 2019 AD bound to guacamole via LDAPS over 636.

      Description

      Hi,

      We've recently deployed Guacamole 1.1.0 in an environment with Active Directory and seem to be having a problem with managing connection permissions via nested groups.
      Here's an illustration of what we're running into:

      User "joe" is a member of group "A" and that group is nested inside a parent group "B".
      We are trying to grant connection permissions to group "B", so that joe and members of any other future subgroup nested inside group "B" will automatically be granted access to that same connection.

      This does not seem to be working as we'd expect, and only works when we grant connection permission directly to group "A" (subgroup). In other words, granting connection permission to the parent group does not seem to be working - joe logs in but can't see any connections.

       

      Here's what it looks like in terms of hierarchy:
      Group B (granting connection permissions here does not work)
         -> Group A (granting connection permission here works)
                 ->joe

      All the AD groups are reflected in Guacamole's "Groups" menu, so this does not seem to be an "ldap-group-base-dn" parameter issue.

      We already tried using the LDAP filter "ldap-group-search-filter":

      ldap-group-search-filter:(&(objectclass=group)(memberOf:1.2.840.113556.1.4.1941:=CN=Group B,OU=Farm Access,OU=Groups,OU=Lab,DC=domain,DC=local))
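
The nesting in the report (joe in Group A, Group A in Group B), modelled as an added example that is not code from the issue or from Guacamole: it contrasts direct membership with the transitive lookup performed by Active Directory's in-chain matching rule (OID 1.2.840.113556.1.4.1941, as used in the filter above), and evaluates that filter against the group entries. joe's DN and the in-memory `MEMBER_OF` map are constructed for illustration.

```python
# Constructed sample directory mirroring the report: joe -> Group A -> Group B.
# Each DN maps to the set of groups it is a *direct* member of (memberOf).
BASE = "OU=Farm Access,OU=Groups,OU=Lab,DC=domain,DC=local"
GROUP_A = f"CN=Group A,{BASE}"
GROUP_B = f"CN=Group B,{BASE}"
JOE = "CN=joe,OU=Users,OU=Lab,DC=domain,DC=local"  # constructed DN

MEMBER_OF = {
    JOE: {GROUP_A},
    GROUP_A: {GROUP_B},
    GROUP_B: set(),
}


def direct_groups(dn, member_of=MEMBER_OF):
    """Groups that list dn as an immediate member (no nesting followed)."""
    return set(member_of.get(dn, ()))


def transitive_groups(dn, member_of=MEMBER_OF):
    """All groups reachable by following memberOf upward.

    The 'seen' set makes this safe against circular nesting (A in B, B in A).
    """
    seen = set()
    stack = list(member_of.get(dn, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(member_of.get(group, ()))
    return seen


def in_chain_match(candidates, target, member_of=MEMBER_OF):
    """Entries a (memberOf:1.2.840.113556.1.4.1941:=target) filter selects:
    those that are direct or nested members of target."""
    return {dn for dn in candidates if target in transitive_groups(dn, member_of)}


if __name__ == "__main__":
    print("direct:    ", sorted(direct_groups(JOE)))
    print("transitive:", sorted(transitive_groups(JOE)))
    # The reported filter, applied to group objects, selects the groups nested
    # inside Group B; Group B is not a member of itself, so it is not selected.
    print("filter hit:", sorted(in_chain_match({GROUP_A, GROUP_B}, GROUP_B)))
```

In this model a permission granted on Group B reaches joe only when membership is resolved transitively, which matches the hierarchy the report describes.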
      

      People

      • Assignee: Unassigned
      • Reporter: ptrbrzozowski Piotrek