Sorry to piggyback on this topic but I have a related question. Is it possible to configure connections to use the LDAP password without entering it in the database? I'm authenticating against Active Directory for Guacamole user passwords but I can't work out how to pass that same password through to connections configured in the Postgres database.
On Thu, 10 May 2018, 23:00 Nick Couchman, <vn...@apache.org> wrote: > On Thu, May 10, 2018 at 3:21 PM, Felix Wolfheimer < > f.wolfhei...@googlemail.com> wrote: > >> I'm trying to set up guacamole with LDAP authentication and would like to >> use postgresql as storage for the connection parameters. Looking at the >> provided database schema files for postgresql (001-create-schema.sql), the >> user information entered into the database requires a password. I'm >> wondering whether this means that the LDAP user credentials need to be >> duplicated and entered into the database? The guacamole manual however >> suggests that once a user is successfully authenticated using the >> credentials stored in LDAP, the guacamole database will trust this user and >> will use the information present in the database for this user ( >> https://guacamole.apache.org/doc/gug/ldap-auth.html): >> > > Yes, this is correct. > >> "Data can be manually associated with LDAP users by creating >> corresponding user accounts within the database which each have the same >> usernames as valid LDAP users. As long as the username is identical, a >> successful login attempt against LDAP will be trusted by the database >> authentication, and that user's associated data will be visible." >> >> Actually, I'd like to prevent storing password information in the >> database and only use the LDAP passwords for authentication. Is this >> supposed to work? May I just adjust the database schema and leave the >> password field empty? >> > The password for the user from LDAP is not copied to or stored in the > database. The database does require a user password to be set; however, if > you leave this blank when creating users in the admin interface one will be > randomly generated. Similarly, if you are importing users directly into > the database you could generate random values for this field and the LDAP > authentication will still work, and it will *not* update/store the LDAP > password in the DB. > > >> BTW: Thanks for providing this great product. I've used it to host >> workshops for up to 50 people, providing each of them access to a graphical >> desktop. It's working great. :-) >> >> > Glad you like it and it is working out for you - I always love hearing > real-life success stories! > > -Nick >
