Re: Syn Azure Ad and Guacamole
On Tue, Nov 30, 2021 at 2:21 AM Bryan Ohana wrote:

> Ok, I get it, thanks Mike!
> Can I ask an additional question? I would like to use Guacamole to
> assign dynamic VDI to users (1 VM always ready, so if user A logs into
> Guacamole and gets the VM and user 2 comes in, he should get the new VM
> created that has another IP and host name). Do you know how that is working?

Not at this point, no. I set out a year or so ago to try to create something like this - an extension that would manage VMs or compute instances, clone/create, start/stop, etc. But I haven't had time to work on it.

Guacamole does support load balancing groups that allow you to put a bunch of systems behind a single connection group and have Guacamole take care of assigning users based on the thresholds you set (max users per connection, etc.), but it doesn't have any built-in support for managing those systems.

I think there are some folks out there that have cooked up their own extensions that at least handle the start/stop of back-end machines to help with load and cost management, but nothing has made it into mainline code, yet.

-Nick
Re: Syn Azure Ad and Guacamole
Ok, I get it, thanks Mike!

Can I ask an additional question? I would like to use Guacamole to assign dynamic VDI to users (1 VM always ready, so if user A logs into Guacamole and gets the VM and user 2 comes in, he should get the new VM created that has another IP and host name). Do you know how that is working?

> On Nov 30, 2021, at 05:24, Mike Jumper wrote:
>
>> On Sun, Nov 28, 2021 at 11:02 PM Bryan Ohana wrote:
>>
>> Hi Mike
>>
>> Oh my gosh I was doing everything wrong … NOW I can see my users, I should
>> be able to see my groups as well, right?
>
> If you map them as you did users, yes. You will need to provide the base DN
> of those groups (see "ldap-group-base-dn").
>
> Note that this is different from the "config" base DN, which is the base DN
> of the "guacConfigGroup" objects used to represent connections. This is only
> needed if you will be storing connection data directly in LDAP via schema
> modifications, which is rare.
>
> - Mike
Re: Syn Azure Ad and Guacamole
On Sun, Nov 28, 2021 at 11:02 PM Bryan Ohana wrote:

> Hi Mike
>
> Oh my gosh I was doing everything wrong … NOW I can see my users, I should
> be able to see my groups as well, right?

If you map them as you did users, yes. You will need to provide the base DN of those groups (see "ldap-group-base-dn").

Note that this is different from the "config" base DN, which is the base DN of the "guacConfigGroup" objects used to represent connections. This is only needed if you will be storing connection data directly in LDAP via schema modifications, which is rare.

- Mike
Re: Syn Azure Ad and Guacamole
On Sun, Nov 28, 2021 at 9:18 AM Bryan Ohana wrote:

> Hi Mike!
>
> Thanks for that. I have connected my LDAPS with Guacamole with the
> following guacamole properties, BUT when I log in I get the error “ERR_13207
> VALUE ALREADY EXIST” Already exists in the attribute. The error allows me to
> log in, but even as Global Administrator I have NO admin rights on
> Guacamole… Any insights?

Can you confirm that, when attempting to log in as an administrator:

* You are logging in with LDAP credentials (the username matches the "sAMAccountName" attribute of an account in LDAP, and the password you are using is what has been set for that account in LDAP)
* The username that you provide is also identical to the username of a database user having admin privileges, such as "guacadmin"
* The password being provided is distinct from the password set for that user in MySQL, if any. (The MySQL extension has a filename that sorts earlier than the LDAP extension, and so will get the first shot at authenticating the user. If it's MySQL that successfully authenticates the user, the LDAP extension won't attempt to retrieve anything. The MySQL extension, on the other hand, will gladly trust the authentication result of the LDAP extension and provide additional data.)

For example, if:

1) There is a user in your LDAP directory with "sAMAccountName" set to "guacadmin".
2) The "guacadmin" user exists in your MySQL database and has admin permissions.
3) You log in with the username "guacadmin" and the LDAP password of the LDAP user mentioned in #1 above.

then you will have access to the admin UI of Guacamole (by virtue of having admin permissions granted within the database), and you will be able to see LDAP users within the overall user list as Guacamole will automatically unify the available users of both the LDAP and MySQL datasources.

- Mike
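A small model of the login behaviour described in the message above, added here as an illustration; it is not part of the thread and not Guacamole source code. The jar names, accounts and passwords are constructed, and plain lexicographic filename ordering is an assumption.

```python
# Added illustration, not Guacamole source code. It models only the behaviour
# described in the message above; all names and sample data are constructed.

def extension_order(jar_names):
    # Assumption: extensions are tried in plain lexicographic filename order.
    return sorted(jar_names)

def login(username, password, ldap_users, db_users, order):
    """Return (authenticated_by, is_admin, ldap_data_available)."""
    db_user = db_users.get(username)
    for jar in order:
        if "mysql" in jar and db_user and db_user["password"] == password:
            # MySQL authenticated first: the LDAP extension retrieves nothing.
            return ("mysql", db_user["admin"], False)
        if "ldap" in jar and ldap_users.get(username) == password:
            # LDAP authenticated: the database trusts that result and adds
            # whatever it stores for the identically named user.
            return ("ldap", bool(db_user and db_user["admin"]), True)
    return (None, False, False)

def ldap_names_with_db_admin(ldap_users, db_users):
    """Directory accounts that gain database-granted admin rights by name."""
    return sorted(u for u in ldap_users if db_users.get(u, {}).get("admin"))

# Constructed sample data.
ORDER = extension_order(["guacamole-auth-ldap.jar",
                         "guacamole-auth-jdbc-mysql.jar"])
LDAP = {"guacadmin": "ldap-secret", "bryan": "ldap-pw"}  # sAMAccountName -> password
DB = {"guacadmin": {"password": "db-secret", "admin": True}}

if __name__ == "__main__":
    print(ORDER)
    print(login("guacadmin", "ldap-secret", LDAP, DB, ORDER))  # LDAP password
    print(login("guacadmin", "db-secret", LDAP, DB, ORDER))    # database password
    print(login("bryan", "ldap-pw", LDAP, DB, ORDER))          # no database twin
    print(ldap_names_with_db_admin(LDAP, DB))
```

The last function is the check worth running against a real deployment: every directory account whose name matches a database admin holds Guacamole admin rights, so that list should contain only accounts meant to administer Guacamole.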
Re: Syn Azure Ad and Guacamole
On Fri, Nov 26, 2021, 04:00 Bryan Ohana wrote:

> I have attached my Guacamole.properties, I’m logging with one Domain admin
> on Azure AD and I cannot see any other Azure AD users in the User List on
> Guacamole.

Ah, OK - I missed the part of your initial email where you said you are using OpenID, and instead saw "AD" and assumed "LDAP".

With OpenID (or any SSO), Guacamole will receive only an assertion of a user's identity when they log in, but otherwise has no means of knowing anyone exists, regardless of what backend is behind that OpenID implementation. User information flows in purely on a user-by-user basis.

To see users within AD, you will need to authenticate using LDAP. Guacamole will then be able to bind directly to your AD server using LDAP and issue queries.

- Mike
Re: Syn Azure Ad and Guacamole
On Fri, Nov 26, 2021, 02:13 Bryan Ohana wrote:

> Hi Everyone!
>
> I have configured Guacamole and Azure AD with OpenID and I’m able to
> connect fine with my AD accounts.
> The only problem is that the accounts in Guacamole are created only after
> I log in and not automatically synchronized with the existing users in AD.
>
> How can we synchronize Azure AD users to automatically exist in Guacamole?

You don't, actually - synchronization is not necessary. If you want your AD users to appear in Guacamole's user list when an admin logs in, you just need to ensure that said admin exists in both AD and the Guacamole database, with their AD counterpart at least having permission to query AD users. See:

https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database

- Mike
Syn Azure Ad and Guacamole
Hi Everyone!

I have configured Guacamole and Azure AD with OpenID and I’m able to connect fine with my AD accounts. The only problem is that the accounts in Guacamole are created only after I log in and not automatically synchronized with the existing users in AD.

How can we synchronize Azure AD users to automatically exist in Guacamole?

Thanks a lot!!