On Wed, May 1, 2019 at 12:06 PM nicoschottelius < [email protected]> wrote:
> ...
> The way things are configured in this particular network is that there
> is one "reading" binding user that can search the tree and find objects.
>
> User can only bind, but cannot search anything.
>

Assuming your users don't need access to those objects, that should still be OK. Users should still be able to log in to Guacamole using their credentials. They will simply not be able to access anything they don't have permission to access.

>
> Is there any way to alter the behaviour in guacamole to switch it around?
> I.e. by adding a flag like ldap-search-with-search-bind-dn: true ?
>

If your LDAP directory is explicitly configured to deny those users access to those objects, then effectively bypassing the access controls of LDAP is not a good path forward. If your users authenticating via LDAP *do* need access to those objects within LDAP, then you should grant those users access to those objects, perhaps by creating a group with the necessary access.

>
> As this project is also a bit time critical, I'd be happy for any
> feedback
> in the direction of "sounds doable" or "absolutely impossible".
>

Neither. It's not a matter of whether it's possible. My feedback in this case would be: "sounds like it shouldn't be done". Is there a reason why making code changes to software to add a new configuration option to work around enforcement of intended access restrictions is a more inviting solution than simply granting access to the users in question?

- Mike
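One way to do what the reply recommends (grant the authenticating users read access through a group instead of patching Guacamole to reuse the search-bind user's rights), as an added example that is not part of this thread: an OpenLDAP cn=config ACL in LDIF. The DNs, the group name, the database entry `olcDatabase={1}mdb` and the example user are assumptions; `ldap-config-base-dn` is the Guacamole property naming the subtree the user's own bind later searches.

```ldif
# Added example, not from the thread. Assumed layout: Guacamole connection
# objects live under ou=guacamole,dc=example,dc=com (the subtree given as
# ldap-config-base-dn) and users allowed to log in are members of
# cn=guac-users,ou=groups,dc=example,dc=com.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f guac-acl.ldif

# 1. A group whose members may read the Guacamole subtree.
dn: cn=guac-users,ou=groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
cn: guac-users
member: uid=alice,ou=people,dc=example,dc=com

# 2. Grant that group read access to the subtree Guacamole searches after
#    the user's own bind. Inserted at position {0} because OpenLDAP uses the
#    first matching "to" clause; everyone else stays denied, so the
#    search-bind user's wider rights are never borrowed by end users.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=guacamole,dc=example,dc=com"
  by group.exact="cn=guac-users,ou=groups,dc=example,dc=com" read
  by * none
```

After applying it, a bind as uid=alice followed by a search under ou=guacamole should return the connection entries, while a bind as a non-member returns nothing, which is the access-control outcome the reply is asking for.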
