On Wed, Apr 4, 2018 at 5:13 PM, Joseph L. Casale <[email protected]> wrote:
> I do not have a flat hierarchy where users will be located and
> as a result I would need a bind account which I cannot use as
> a result of the insecure password.
>

Okay, I'm missing what "flat hierarchy" has to do with anything, here? Either way, you still need a user account capable of searching for the users (or an LDAP directory that allows anonymous bind/searches, which is obviously not ideal), no matter where the users in your tree are located - flat or structured - so I'm failing to see how this is relevant.

I think I understand that you do not want to store the password in the guacamole.properties file in plaintext, though I'd say the risk is reasonably low if you create a user account specifically for searching for users who will log into Guacamole, and grant that account only the access needed to the LDAP tree to find those users and view the attributes that Guacamole will use (it does not need to be able to read the user's password, if that's what you're concerned about). Is it a risk to have the password for such an account in a plaintext file? Sure. Is it a big risk? No. The account does not have to be an administrative or root account, it just needs the correct permissions.

> Some directories facilitate binds against a consistent format
> string such as <login ID>@domain.com or DOMAIN\<login ID>
> after which point the dn and attribute / group data can be
> fetched.
>

When you say "some directories" you really mean Active Directory, right? To my knowledge it's the only "LDAP" directory that behaves this way, although maybe ApacheDS or FreeIPA do, too, as they have some Kerberos integration of their own, but you probably mean AD?

> It appears as if the ldap-username-attribute imposes an
> unnatural restriction by defining the bind DN in code and
> not simply exposing the desired format string?
>

Hmmm...so you're calling an LDAP DN an "unnatural restriction" when, in fact, it is conforming to the LDAP standard :-), and it's Microsoft's implementation of LDAP, in the form of Active Directory, that actually violates the standard by allowing the bind username in other formats. I'll admit that Microsoft's way of doing it can be convenient, but the Guacamole code conforms to LDAP standards in order to interoperate with multiple LDAP directories and minimize the amount of extra code required to do so.

But, all of that aside, what is the relevance of the username format required by Guacamole to how the password is stored in the guacamole.properties file? If we were to allow <login id>@domain.com or domain\<login id>, you'd still have to store the password in the guacamole.properties file in plaintext, no? How does allowing those and not requiring the DN syntax impact security or storage of passwords? I must be missing some detail about your environment or what you're trying to accomplish, here - can you fill in the gaps in my understanding?

-Nick
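The two strategies argued over above, as an added example that is neither Guacamole's code nor anything posted in this thread: a direct bind, where the DN is assembled from ldap-username-attribute, the username and ldap-user-base-dn, and a search bind, where a dedicated least-privilege account (the one whose password ends up in guacamole.properties) locates the user first. The property names are the real guacamole-auth-ldap ones, but every value is constructed here, the use of sAMAccountName and (objectClass=user) for the AD case is an assumption, and the way the search-bind path is modelled is this example's reading of the thread, not Guacamole's implementation. The security point the example adds is that a username placed into a DN must be escaped per RFC 4514, and one placed into a search filter per RFC 4515, or an attacker-chosen login name can rewrite the DN or the filter.

```python
# Added example modelling the bind strategies discussed in the thread.
# Property names follow guacamole-auth-ldap; values are constructed for this
# example, and the logic is an illustration rather than Guacamole's code.

# Constructed settings: direct bind against a standards-conforming directory.
GUAC_DIRECT_BIND = {
    "ldap-hostname": "ldap.example.com",
    "ldap-user-base-dn": "ou=people,dc=example,dc=com",
    "ldap-username-attribute": "uid",
}

# Constructed settings: search bind against Active Directory. The attribute
# and filter are assumptions; adjust them to the real directory.
GUAC_SEARCH_BIND = {
    "ldap-hostname": "dc01.corp.example.com",
    "ldap-user-base-dn": "dc=corp,dc=example,dc=com",
    "ldap-username-attribute": "sAMAccountName",
    "ldap-user-search-filter": "(objectClass=user)",
    # Least-privilege account: may only search for and read Guacamole users.
    "ldap-search-bind-dn": "cn=guac-search,ou=service,dc=corp,dc=example,dc=com",
    "ldap-search-bind-password": "constructed-example-secret",
}

# RFC 4514 section 2.4: characters that need a backslash in an attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot add or alter RDNs in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))   # control characters as hex pairs
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)            # , + " \ < > ; =
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)            # leading space or '#', trailing space
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(attribute: str, username: str, base_dn: str) -> str:
    """The DN a direct bind requires: <attribute>=<username>,<user-base-dn>."""
    return "%s=%s,%s" % (attribute, escape_dn_value(username), base_dn)


# RFC 4515 section 3: characters that need hex escaping in a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it stays a literal inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(attribute: str, username: str, extra_filter: str = "") -> str:
    """AND the username match with the configured user search filter."""
    user_clause = "(%s=%s)" % (attribute, escape_filter_value(username))
    return "(&%s%s)" % (user_clause, extra_filter) if extra_filter else user_clause


def bind_identity(props: dict, username: str) -> dict:
    """Return how a login attempt first reaches the directory.

    Without ldap-search-bind-dn the user's own DN is built and bound directly.
    With it, the search account binds and this filter finds the user's real DN
    before the user's password is tried (the user@domain and DOMAIN\\user forms
    only make sense at that second step, never inside a DN).
    """
    attribute = props["ldap-username-attribute"]
    search_dn = props.get("ldap-search-bind-dn")
    if not search_dn:
        return {"mode": "direct",
                "bind_dn": build_bind_dn(attribute, username, props["ldap-user-base-dn"])}
    return {"mode": "search",
            "bind_dn": search_dn,
            "filter": build_search_filter(attribute, username,
                                          props.get("ldap-user-search-filter", ""))}


if __name__ == "__main__":
    for props, user in ((GUAC_DIRECT_BIND, "jdoe"),
                        (GUAC_DIRECT_BIND, "jdoe,ou=admins"),
                        (GUAC_SEARCH_BIND, "CORP\\jdoe"),
                        (GUAC_SEARCH_BIND, "*)(sAMAccountName=*")):
        print(repr(user), "->", bind_identity(props, user))
```

Run it as a script to see the four cases. The second direct-bind case shows why the username cannot simply be pasted into a DN: unescaped, "jdoe,ou=admins" would bind as a different entry under a different OU. The last search-bind case shows the filter-injection equivalent being neutralised, which is the check the search account's limited read permissions alone would not give you.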
