Jason Keltz created GUACAMOLE-1014:
--------------------------------------

             Summary: LDAP + MySQL DB user does not get connections applied to LDAP group
                 Key: GUACAMOLE-1014
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1014
             Project: Guacamole
          Issue Type: Bug
          Components: guacamole-auth-ldap
    Affects Versions: 1.1.0
            Reporter: Jason Keltz


I have installed Guacamole 1.1.0 and configured it to use our Samba AD server 
as LDAP + MySQL DB.  Logins work fine, but when I add connections to a standard 
LDAP group, and users log in who are in those groups, they cannot access the 
connections.  As a result, when users log in, they have access to no 
connections.  I have 1000 users I have to either manually add connections for, 
or I have to write code to manually pre-add the users to the MySQL DB so they 
will have connections.  I've written the mailing list, but there has been no 
feedback.  I believe this is a bug.

1) Users and groups are in CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca:

CN=<user>,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca

CN=<group>,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca

For Guacamole ldap-group-base-dn: CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca

For Guacamole ldap-group-name-attribute: cn

But there's no option for me to specify: ldap-group-search-filter: objectClass=group

I also add: ldap-member-attribute: member

From the command prompt, I can print the groups using:

ldapsearch -x -h <ldap server> -D "<me>" -W -b "dc=ad,dc=eecs,dc=yorku,dc=ca" "(objectClass=group)"

Because of lack of ldap-group-search-filter, my list of groups in Guacamole 
contains all the users as well!

If I want to see who are the members of a group from the command line I can do:

ldapsearch -x -h <ldap server> -D "<me>" -W -b "cn=Domain Admins,cn=Users,dc=ad,dc=eecs,dc=yorku,dc=ca" member

2) I could live with the fact that the users appear in my group list because 
there's no way for me to specify ldap-group-search-filter.  However, if I take 
a group that appears in the list (e.g. Domain Users), and I add connections, then 
when a user logs in who is in the group, they don't get the connections.  
This seems like a bug to me.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
