Details
-
Improvement
-
Status: Resolved
-
Minor
-
Resolution: Implemented
-
None
-
None
-
Oracle Solaris 11.3.19.5.0, Apache Tomcat 8.5.9, OpenLDAP 2.4.30, LDAP users are organized using the posixGroup scheme.
-
Patch
Description
Recently, the auth-ldap module was extended by the ability to grant access to remote terminal connections based on existing LDAP groups using the seeAlso attribute in Guacamole's LDAP-based configuration settings. This is a great feature if you've to manage a lot of users which are already organized in LDAP groups. It works well as long as the groups are of the scheme groupOfNames. As we have decided for posixGroup (due to other tools' requirements), we currently cannot use the feature and still have to list all users individually in the Guacamole remote service configuration. While this could be scripted easily, it is still a work-around which makes the administration work unnecessarily complex.
A better solution would be to support both schemes, posixGroup and groupOfNames.
The attached patch will extend the user lookup code by the ability to search not only through the groupOfNames but also through the posixGroup scheme. The piece of code seems to work with both schemes in my tests successfully, I am not sure if there are any pitfalls when just combining the possible results. Maybe introducing a configuration flag to choose whether searching posixGroup or groupOfNames would be a better approach.