[ https://issues.apache.org/jira/browse/GUACAMOLE-1014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17078571#comment-17078571 ]

Jason Keltz commented on GUACAMOLE-1014:
----------------------------------------

Hi,

I looked at GUACAMOLE-996 which looks to be *exactly* what I'm after.  I 
haven't compiled a project with Maven before, so I downloaded Maven, checked 
out the latest guacamole-client repository, compiled it, then tried to use the 
newly compiled ldap extension from 1.2.0 with my 1.1.0 install (seeing that not 
that much has changed in the ldap module). However, the system rejected the 
auth ldap plugin from 1.2.0 because it wasn't the same running version as 
1.1.0.  I then downloaded 1.1.0 source, and tried to apply the fix, but then 
realized that the fix isn't in the code that I checked out because I don't 
think it's been fully merged yet.  I tried to follow the discussion, and it 
wasn't obvious whether it was accepted to add "ldap-group-search-filter" (as I 
think makes the most sense) or just to apply "objectClass=group" automatically. 
 Once it's approved, and I can figure out how to download the resulting files 
from the repository, I can try compiling it and testing it.

As for your other question - yes.  The user (like all users) is in an AD group 
called "Domain Users".  When I access Guacamole groups as admin, I selected the 
"Domain Users" group.  For connections, I added the "parent" (Linux) and one PC 
"ea02".  I logged out as me, and back in as the user.  The user had no access 
to any connections.   I don't know how to provide information to you that would 
help resolve why this is happening, but it seems like a bug to me.  Being able 
to work with users' existing AD groups is really important to my setup and would 
be very helpful.

> LDAP + MySQL DB user does not get connections applied to LDAP group
> -------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1014
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1014
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-ldap
>    Affects Versions: 1.1.0
>            Reporter: Jason Keltz
>            Priority: Major
>
> I have installed Guacamole 1.1.0 and configured it to use our Samba AD server 
> as LDAP + MySQL DB.  Logins work fine, but when I add connections to a 
> standard LDAP group, and users log in who are in those groups, they cannot 
> access the connections.  As a result, when users log in, they have access to 
> no connections.  I have 1000 users I have to either manually add connections 
> for, or I have to write code to manually pre-add the users to the MySQL DB so 
> they will have connections.  I've written the mailing list, but there has 
> been no feedback.  I believe this is a bug.
> 1) Users and groups are in CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca:
> CN=<user>,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca
> CN=<group>,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca
> For Guacamole ldap-group-base-dn: CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca
> For Guacamole ldap-group-name-attribute: cn
> But there's no option for me to specify: ldap-group-search-filter: objectClass=group
> I also add: ldap-member-attribute: member
> From the command prompt, I can print the groups using:
> ldapsearch -x -h <ldap server> -D "<me>" -W -b "dc=ad,dc=eecs,dc=yorku,dc=ca" "(objectClass=group)"
> Because of lack of ldap-group-search-filter, my list of groups in Guacamole 
> contains all the users as well!
> If I want to see who are the members of a group from the command line I can 
> do:
> ldapsearch -x -h <ldap server> -D "<me>" -W -b "cn=Domain Admins,cn=Users,dc=ad,dc=eecs,dc=yorku,dc=ca" member
> 2) I could live with the fact that the users appear in my group list because 
> there's no way for me to specify ldap-group-search-filter.  However, if I 
> take a group that appears in the list (e.g. Domain Users), and I add 
> connections, then when a user logs in who is in the group, they don't get the 
> connections.  This seems like a bug to me.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
