[ https://issues.apache.org/jira/browse/GUACAMOLE-284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16021156#comment-16021156 ]
Nick Couchman edited comment on GUACAMOLE-284 at 5/23/17 12:58 PM:
-------------------------------------------------------------------
> While it's true that account restrictions defined within the database auth
> shouldn't affect whether another authentication mechanism succeeds/fails, I'd
> say those restrictions should still take effect when it comes to providing
> access to the data actually defined within the database.
I agree. I was commenting on how it currently works, not, necessarily, on how
it should work :-). However, the flip-side of this is making sure that it's
understood how to properly secure database accounts in the above scenario, if
necessary, to prevent accounts that may not have a password set on them from
being exploited. That may already be taken care of in the Guacamole code - I
did try to create a database user without a password and log in with it and it
did not work, so this may not be a concern at all? Anyway, I agree that
disabling the account in the DB module should result in the connection
information for that user being inaccessible, even if another module succeeds.
> When using ldap with MySQL backend "Account Restrictions" doesn't work
> ----------------------------------------------------------------------
>
> Key: GUACAMOLE-284
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-284
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-jdbc-mysql, guacamole-auth-ldap,
> guacamole-client
> Affects Versions: 0.9.12-incubating
> Reporter: Mark van den Boogaard
>
> When using LDAP authentication and a MySQL backend the options under "Account
> Restrictions" are not working.
> When we set the option "Disabled" or "Enable/Disable account after" this has
> no effect.
> For us the users who are managing Guacamole (users and connections) do not have
> access to LDAP to enable/disable accounts. So it would be nice to have
> these options working when using LDAP authentication with MySQL.