Re: LDAP+database - Credential duplication?

2018-05-10 Thread Jonathan Hankins
Felix,

There are some examples of generating the salt and hashing the password
correctly for postgres and mysql in the online docs, for various
programming languages. My use case is similar to yours (postgres+LDAP.) I
needed to create users via script with random passwords in postgres, and I
did it in shell script (bash) using the openssl(1) to generate the random
data, salts and do the hashes, some bash as glue and psql to load the data
in the database. It took me some trial and error to translate what was in
the docs online to work in bash, and I'd be happy to share my script if
it'd be useful to you.

-Jonathan Hankins

On Thu, May 10, 2018 at 5:00 PM Nick Couchman wrote:

> On Thu, May 10, 2018 at 3:21 PM, Felix Wolfheimer <f.wolfhei...@googlemail.com> wrote:
>
>> I'm trying to set up guacamole with LDAP authentication and would like to
>> use postgresql as storage for the connection parameters. Looking at the
>> provided database schema files for postgresql (001-create-schema.sql), the
>> user information entered into the database requires a password. I'm
>> wondering whether this means that the LDAP user credentials need to be
>> duplicated and entered into the database? The guacamole manual however
>> suggests that once a user is successfully authenticated using the
>> credentials stored in LDAP, the guacamole database will trust this user and
>> will use the information present in the database for this user (
>> https://guacamole.apache.org/doc/gug/ldap-auth.html):
>>
>
> Yes, this is correct.
>
>> "Data can be manually associated with LDAP users by creating
>> corresponding user accounts within the database which each have the same
>> usernames as valid LDAP users. As long as the username is identical, a
>> successful login attempt against LDAP will be trusted by the database
>> authentication, and that user's associated data will be visible."
>>
>> Actually, I'd like to prevent storing password information in the
>> database and only use the LDAP passwords for authentication. Is this
>> supposed to work? May I just adjust the database schema and leave the
>> password field empty?
>>
> The password for the user from LDAP is not copied to or stored in the
> database.  The database does require a user password to be set; however, if
> you leave this blank when creating users in the admin interface one will be
> randomly generated.  Similarly, if you are importing users directly into
> the database you could generate random values for this field and the LDAP
> authentication will still work, and it will *not* update/store the LDAP
> password in the DB.
>
>
>> BTW: Thanks for providing this great product. I've used it to host
>> workshops for up to 50 people, providing each of them access to a graphical
>> desktop. It's working great. :-)
>>
>>
> Glad you like it and it is working out for you - I always love hearing
> real-life success stories!
>
> -Nick
>


-- 

Jonathan Hankins
Homewood City Schools

jhank...@homewood.k12.al.us


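The scheme Jonathan describes (random throwaway password, random salt, hash loaded via psql) as an added example in Python rather than his bash/openssl script; it is not his code and not part of the Guacamole project. It assumes the hash layout of guacamole-auth-jdbc's database authentication, SHA-256 over the password followed by the upper-case hex of a 32-byte salt, and the column names in the generated INSERT are an assumed 0.9.x layout that must be checked against your own 001-create-schema.sql.

```python
"""Provision an LDAP-mapped Guacamole DB user whose password is never used.

Assumption (not from the thread): hash = SHA-256(password || UPPERHEX(salt)),
32-byte salt, as in guacamole-auth-jdbc. Column names below are assumed.
"""
import hashlib
import secrets

SALT_BYTES = 32


def hash_password(password: str, salt: bytes) -> bytes:
    """SHA-256 over the UTF-8 password followed by the upper-case hex salt."""
    material = (password + salt.hex().upper()).encode("utf-8")
    return hashlib.sha256(material).digest()


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time check, the same comparison a DB login would perform."""
    return secrets.compare_digest(hash_password(password, salt), expected)


def provision_ldap_user(username: str) -> dict:
    """Build hash/salt for a row that exists only to own connection data.

    The random password is discarded after hashing; LDAP does the real
    authentication, so nothing reusable is left in the database.
    """
    password = secrets.token_urlsafe(32)      # 256 bits, never stored or printed
    salt = secrets.token_bytes(SALT_BYTES)
    return {
        "username": username,
        "password_hash": hash_password(password, salt),
        "password_salt": salt,
    }


def to_psql_insert(row: dict) -> str:
    """Render one INSERT for psql (assumed 0.9.x guacamole_user columns)."""
    name = row["username"].replace("'", "''")   # minimal SQL literal escaping
    return (
        "INSERT INTO guacamole_user "
        "(username, password_hash, password_salt, password_date) VALUES "
        f"('{name}', decode('{row['password_hash'].hex()}', 'hex'), "
        f"decode('{row['password_salt'].hex()}', 'hex'), CURRENT_TIMESTAMP);"
    )


if __name__ == "__main__":
    # Constructed sample username; pipe the output into psql.
    print(to_psql_insert(provision_ldap_user("fwolfheimer")))
```

Because the password is generated and dropped inside provision_ldap_user, the only artefacts that reach the database are a salt and a hash of a value nobody knows, which is exactly what a username-only LDAP mapping needs.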


Re: LDAP+database - Credential duplication?

2018-05-10 Thread Nick Couchman
On Thu, May 10, 2018 at 3:21 PM, Felix Wolfheimer <f.wolfhei...@googlemail.com> wrote:

> I'm trying to set up guacamole with LDAP authentication and would like to
> use postgresql as storage for the connection parameters. Looking at the
> provided database schema files for postgresql (001-create-schema.sql), the
> user information entered into the database requires a password. I'm
> wondering whether this means that the LDAP user credentials need to be
> duplicated and entered into the database? The guacamole manual however
> suggests that once a user is successfully authenticated using the
> credentials stored in LDAP, the guacamole database will trust this user and
> will use the information present in the database for this user (
> https://guacamole.apache.org/doc/gug/ldap-auth.html):
>

Yes, this is correct.

> "Data can be manually associated with LDAP users by creating corresponding
> user accounts within the database which each have the same usernames as
> valid LDAP users. As long as the username is identical, a successful login
> attempt against LDAP will be trusted by the database authentication, and
> that user's associated data will be visible."
>
> Actually, I'd like to prevent storing password information in the database
> and only use the LDAP passwords for authentication. Is this supposed to
> work? May I just adjust the database schema and leave the password field
> empty?
>
The password for the user from LDAP is not copied to or stored in the
database.  The database does require a user password to be set; however, if
you leave this blank when creating users in the admin interface one will be
randomly generated.  Similarly, if you are importing users directly into
the database you could generate random values for this field and the LDAP
authentication will still work, and it will *not* update/store the LDAP
password in the DB.


> BTW: Thanks for providing this great product. I've used it to host
> workshops for up to 50 people, providing each of them access to a graphical
> desktop. It's working great. :-)
>
>
Glad you like it and it is working out for you - I always love hearing
real-life success stories!

-Nick


LDAP+database - Credential duplication?

2018-05-10 Thread Felix Wolfheimer
I'm trying to set up guacamole with LDAP authentication and would like to
use postgresql as storage for the connection parameters. Looking at the
provided database schema files for postgresql (001-create-schema.sql), the
user information entered into the database requires a password. I'm
wondering whether this means that the LDAP user credentials need to be
duplicated and entered into the database? The guacamole manual however
suggests that once a user is successfully authenticated using the
credentials stored in LDAP, the guacamole database will trust this user and
will use the information present in the database for this user (
https://guacamole.apache.org/doc/gug/ldap-auth.html):

"Data can be manually associated with LDAP users by creating corresponding
user accounts within the database which each have the same usernames as
valid LDAP users. As long as the username is identical, a successful login
attempt against LDAP will be trusted by the database authentication, and
that user's associated data will be visible."

Actually, I'd like to prevent storing password information in the database
and only use the LDAP passwords for authentication. Is this supposed to
work? May I just adjust the database schema and leave the password field
empty?

BTW: Thanks for providing this great product. I've used it to host
workshops for up to 50 people, providing each of them access to a graphical
desktop. It's working great. :-)