Guacamole ldap-group-base-dn


Guacamole ldap-group-base-dn

Carter Sema

I read the following article https://issues.apache.org/jira/browse/GUACAMOLE-12 when I was looking for how to assign connections to LDAP users. From the article it sounds like I can use AD Security Groups? Is this possible without updating my schema? Updating my schema is off the table for options. So I'm looking for the 2nd best without needing to import a ton of users into the guac SQL database.

Anyone have suggestions or solutions that they have implemented?

Thanks!

Carter Sema

Network Support Specialist

[hidden email]



Re: Guacamole ldap-group-base-dn

vnick
On Tue, Oct 17, 2017 at 2:14 PM, Carter Sema <[hidden email]> wrote:

I read the following article https://issues.apache.org/jira/browse/GUACAMOLE-12 when I was looking for how to assign connections to LDAP users. From the article it sounds like I can use AD Security Groups? Is this possible without updating my schema? Updating my schema is off the table for options. So I'm looking for the 2nd best without needing to import a ton of users into the guac SQL database.

Using that method requires that you store the connection information inside LDAP, which requires schema modifications.

If you stack authentication modules, like JDBC and LDAP, you can have users log in with LDAP, make sure those same users are created in JDBC, and then assign the permissions to the user account objects in the JDBC module.  As long as the LDAP and JDBC usernames match, this will map through.

-Nick 


Re: Guacamole ldap-group-base-dn

eberndt
In reply to this post by Carter Sema
Carter,

This should be possible without any schema change. We use an AD Security Group to restrict which users are permitted to access the RD Server (regardless of the protocol). Within guacamole.properties you can use the ldap-user-search-filter to restrict which users are able to log in through Guacamole.

For example, we use the root OU as the ldap-user-base-dn (which afaik has to be the root OU). Then have the following ldap-user-search-filter in place:

ldap-user-search-filter: (memberOf=CN=<ADSECURITYGROUP>,OU=<GROUP>,OU=<ORGANIZATIONALUNIT>,DC=<DOMAIN>,DC=<DOMAINSUFFIX>)


Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?  
http://FixIT.superiorpaving.net/portal or [hidden email]


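The filter Erik describes, built and exercised in Python as an added example (this is not code from the thread or from the Guacamole project). It assumes an Active Directory backend: memberOf, objectCategory and the LDAP_MATCHING_RULE_IN_CHAIN extensible match are AD features, and the group DNs, user entries and nesting below are constructed sample data. Two things worth knowing before copying such a filter into guacamole.properties: plain memberOf lists only a user's direct groups, so someone who reaches the group through a nested group is rejected unless the in-chain rule is used; and in AD computer accounts are also objectClass=user, so the filter adds objectCategory=person. Guacamole ANDs this filter with its own match on ldap-username-attribute, and ldap-user-base-dn only needs to be a DN that contains every permitted user, not necessarily the domain root.

```python
"""Build and sanity-check an ldap-user-search-filter that gates Guacamole login on
membership of one AD security group.

Added example, not Guacamole project code.  Assumed: Active Directory semantics
(memberOf, objectCategory, LDAP_MATCHING_RULE_IN_CHAIN); every DN, user entry
and nesting relation below is constructed sample data.
"""

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# AD extensible matching rule that follows group nesting transitively.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value (here a group DN) for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(group_dn: str, nested: bool = False) -> str:
    """Return the value to set as ldap-user-search-filter in guacamole.properties.

    objectCategory=person excludes computer accounts, which in AD are also
    objectClass=user.  With nested=True the in-chain rule is used so members of
    groups nested inside group_dn match too; plain memberOf is direct membership only.
    """
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"({attr}={escape_filter_value(group_dn)}))"
    )


def effective_groups(direct: set, group_parents: dict) -> set:
    """Transitive closure of membership: follow each group's own memberOf upward."""
    seen, todo = set(), list(direct)
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(group_parents.get(g, ()))
    return seen


def user_matches(entry: dict, group_dn: str, nested: bool, group_parents: dict) -> bool:
    """Evaluate the filter's semantics against one entry held as a dict.

    objectCategory is simplified to its short form ("person"/"computer"); a real
    directory stores the schema DN, which the filter matches the same way.
    """
    if entry.get("objectCategory") != "person" or "user" not in entry.get("objectClass", ()):
        return False
    direct = set(entry.get("memberOf", ()))
    if not nested:
        return group_dn in direct
    return group_dn in effective_groups(direct, group_parents)


# Constructed sample directory: Helpdesk is nested inside Guacamole Users.
GUAC_USERS = "CN=Guacamole Users,OU=Groups,DC=example,DC=com"
HELPDESK = "CN=Helpdesk (Tier 1),OU=Groups,DC=example,DC=com"
GROUP_PARENTS = {HELPDESK: [GUAC_USERS]}
ENTRIES = {
    "alice": {"objectCategory": "person", "objectClass": ["top", "person", "user"],
              "memberOf": [GUAC_USERS]},
    "bob": {"objectCategory": "person", "objectClass": ["top", "person", "user"],
            "memberOf": [HELPDESK]},
    "ws01$": {"objectCategory": "computer",
              "objectClass": ["top", "person", "user", "computer"],
              "memberOf": [GUAC_USERS]},
}


def who_can_log_in(nested: bool) -> list:
    """Usernames the filter admits against the constructed directory."""
    return sorted(name for name, entry in ENTRIES.items()
                  if user_matches(entry, GUAC_USERS, nested, GROUP_PARENTS))


if __name__ == "__main__":
    print("ldap-user-search-filter:", build_user_search_filter(GUAC_USERS))
    print("direct members only:", who_can_log_in(nested=False))
    print("with nested groups:  ", who_can_log_in(nested=True))
```

A group DN containing ( ) * or \ (the Helpdesk group above has parentheses) must be escaped as RFC 4515 requires; pasted raw into the properties file it breaks the filter instead of matching the group.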

Re: Guacamole ldap-group-base-dn

eberndt
In reply to this post by Carter Sema
I should also mention we use MySQL to store user attributes. Not sure of your specific setup. 


Re: Guacamole ldap-group-base-dn

vnick
In reply to this post by eberndt
On Tue, Oct 17, 2017 at 2:37 PM, Erik Berndt <[hidden email]> wrote:
Carter,

This should be possible without any schema change. We use an AD Security Group to restrict which users are permitted to access the RD Server (regardless of the protocol). Within guacamole.properties you can use the ldap-user-search-filter to restrict which users are able to log in through Guacamole.

For example, we use the root OU as the ldap-user-base-dn (which afaik has to be the root OU). Then have the following ldap-user-search-filter in place:

ldap-user-search-filter: (memberOf=CN=<ADSECURITYGROUP>,OU=<GROUP>,OU=<ORGANIZATIONALUNIT>,DC=<DOMAIN>,DC=<DOMAINSUFFIX>)


This does, indeed, allow you to restrict who can log into Guacamole, but does not let you assign individual connections to certain users or groups of users.

-Nick 


Re: Guacamole ldap-group-base-dn

eberndt
Whoops, guess I missed that part in the OP. Never mind!



RE: Guacamole ldap-group-base-dn

Carter Sema
In reply to this post by vnick

Is it possible to use already existing AD fields that LDAP reads? Or does it only read the Guacamole AD fields from its schema modification? Can Guacamole read any AD group from the app at all? Can't the security group that controls login hold some kind of connection data?

(Using AD security groups to control login is amazing, love that feature.)

I had just tested doing it the way you suggested, and it works, it just means I have to load users individually or script an import. Has anyone used a GUI SQL tool such as Oracle SQL Developer or RazorSQL to pull data from the Guacamole SQL tables and modify?


Thanks!



Re: Guacamole ldap-group-base-dn

vnick
On Tue, Oct 17, 2017 at 3:04 PM, Carter Sema <[hidden email]> wrote:

Is it possible to use already existing AD fields that LDAP reads? Or does it only read the Guacamole AD fields from its schema modification? Can Guacamole read any AD group from the app at all? Can't the security group that controls login hold some kind of connection data?

(Using AD security groups to control login is amazing, love that feature.)

I had just tested doing it the way you suggested, and it works, it just means I have to load users individually or script an import. Has anyone used a GUI SQL tool such as Oracle SQL Developer or RazorSQL to pull data from the Guacamole SQL tables and modify?


The way the module is currently implemented, if you want to store the actual connection information in LDAP, you need to modify the schema.  There is no way (currently) to configure what LDAP attributes the extension looks at to get things like connection name, parameters, etc.

The LDAP module can read users and groups without any schema modification; however, unless you're storing the connections themselves in LDAP, there's no way to map those LDAP groups, in particular, to connections.  Guacamole doesn't support groups internally at the moment, so the only way the LDAP groups work is because it's using LDAP searches to limit the results it gets back.  So, for this to work, everything has to be in LDAP.

There's a JIRA issue out there to add group support to Guacamole, so hopefully this will change in the future, and maybe there will be some mapping for groups between the LDAP module and the JDBC module, depending on how that's implemented, but that remains to be seen.

You should definitely be able to use scripts or a graphical tool to manipulate the Guacamole DB directly, or write an external script/tool to automate that.

-Nick
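Nick's stacking approach (LDAP authenticates, a JDBC account with the identical username carries the permissions) and Carter's question about scripting the import, as one added example; this is not code from the thread or from the Guacamole project. It generates the SQL rather than connecting to a database, so it runs offline, and it assumes the MySQL schema of Guacamole 1.x (guacamole_entity plus guacamole_user), which is newer than the 0.9.x schema in use when this thread was written, and that connection names are unique. The usernames and connection names in it are constructed. The security point it enforces: Guacamole lets a login through when any stacked authentication provider accepts it, so the mirrored JDBC row gets a random password nobody knows; a JDBC row with a usable password would keep working after the user is dropped from the AD group that gates LDAP login.

```python
"""Generate an idempotent SQL import that mirrors LDAP usernames into Guacamole's
JDBC (MySQL) module and grants them connections: LDAP authenticates, JDBC authorizes.

Added example, not Guacamole project code.  Assumed: the Guacamole 1.x MySQL
schema (guacamole_entity + guacamole_user), unique connection names, and the
constructed sample usernames/connections at the bottom.
"""
import hashlib
import re
import secrets

# Allow-list for names taken from the directory; anything else is refused rather
# than escaped, so an odd sAMAccountName cannot smuggle SQL into the script.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,127}$")
PERMISSIONS = {"READ", "UPDATE", "DELETE", "ADMINISTER"}


def sql_str(value: str) -> str:
    """Quote a MySQL string literal (doubling quotes, escaping backslashes)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def guac_hash(password: str, salt: bytes) -> bytes:
    """Guacamole's JDBC password format: SHA-256(password || uppercase hex(salt))."""
    return hashlib.sha256((password + salt.hex().upper()).encode("utf-8")).digest()


def unusable_password() -> tuple:
    """Hash and salt of a random password that is generated and never recorded."""
    salt = secrets.token_bytes(32)
    return guac_hash(secrets.token_urlsafe(32), salt), salt


def user_statements(username: str) -> list:
    """Create the entity and user rows for username unless they already exist."""
    if not SAFE_NAME.match(username):
        raise ValueError(f"refusing suspicious username: {username!r}")
    pw_hash, salt = unusable_password()
    name = sql_str(username)
    return [
        "INSERT INTO guacamole_entity (name, type) "
        f"SELECT {name}, 'USER' FROM DUAL "
        "WHERE NOT EXISTS (SELECT 1 FROM guacamole_entity "
        f"WHERE name = {name} AND type = 'USER');",
        "INSERT INTO guacamole_user (entity_id, password_hash, password_salt, password_date) "
        f"SELECT e.entity_id, UNHEX('{pw_hash.hex()}'), UNHEX('{salt.hex()}'), NOW() "
        f"FROM guacamole_entity e WHERE e.name = {name} AND e.type = 'USER' "
        "AND NOT EXISTS (SELECT 1 FROM guacamole_user u WHERE u.entity_id = e.entity_id);",
    ]


def grant_statement(username: str, connection_name: str, permission: str = "READ") -> str:
    """Grant one permission on one connection (looked up by name) if not yet granted."""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission {permission!r}")
    if not SAFE_NAME.match(username):
        raise ValueError(f"refusing suspicious username: {username!r}")
    name, conn = sql_str(username), sql_str(connection_name)
    return (
        "INSERT INTO guacamole_connection_permission (entity_id, connection_id, permission) "
        f"SELECT e.entity_id, c.connection_id, '{permission}' "
        f"FROM guacamole_entity e JOIN guacamole_connection c ON c.connection_name = {conn} "
        f"WHERE e.name = {name} AND e.type = 'USER' "
        "AND NOT EXISTS (SELECT 1 FROM guacamole_connection_permission p "
        "WHERE p.entity_id = e.entity_id AND p.connection_id = c.connection_id "
        f"AND p.permission = '{permission}');"
    )


def build_import(assignments: dict) -> list:
    """assignments: {ldap_username: [connection_name, ...]} -> list of SQL statements."""
    statements = ["START TRANSACTION;"]
    for username, connections in assignments.items():
        statements += user_statements(username)
        statements += [grant_statement(username, c) for c in connections]
    statements.append("COMMIT;")
    return statements


if __name__ == "__main__":
    # Constructed sample input; these names exist only in this example.
    sample = {"alice": ["RDP - File Server", "SSH - jumphost"], "bob": ["SSH - jumphost"]}
    print("\n".join(build_import(sample)))
```

Feed the output to the mysql client against the Guacamole database. The usernames must be byte-for-byte what the LDAP extension reports for the user, or the JDBC row is never associated with the login. The script only adds: when the AD group is the source of truth, regenerate it from a current group listing and revoke permission rows for users who are no longer listed.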