On Fri, Jun 14, 2019, 07:06 Zer0Cool <[email protected]> wrote:

> Pardon my ignorance, but let me make sure I follow.
>
> So you are saying that the ldap filter (and thus results) are likely
> up-to-date but that the database side of the account does not get
> deleted/removed from the database when there is no longer a matching LDAP
> account to go with it?
>

Nor would a database account be automatically created for LDAP. The two are
independent. Guacamole unifies things for accounts having the same username,
and that common username is the sole association between them.

> So I would assume that while the account still exists in the database,
> authentication of the account would fail as the underlying AD/LDAP account
> is no longer active/pulled in by the filter?
>

If you set a password for the database account, authentication using the
database-specific password will succeed.

> I presume that means it would be a manual task to go in and delete disabled
> AD accounts from the database within Guacamole?
>

Yes.

> For what it's worth, this makes sense to me as you wouldn't want the
> database to delete users/settings in the event it cannot connect to AD
> temporarily, for example.
>

Indeed. Also, the two systems really are not interconnected in that way.
Except for having the same username, there is no direct association between
accounts in the database and within LDAP. Both the database and LDAP expose
separate and independent sets of data, while the web interface unifies that
data for presentation to the user. With the exception of one (the database)
trusting the authentication result of the other (LDAP), the two function
completely independently.

- Mike

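The practical consequence of the thread above is that a database account whose AD/LDAP counterpart has been disabled or filtered out is not removed, and if that database account has its own password it still authenticates. The following script is an added example, not code from the Guacamole project or from anyone in the thread: it reconciles the set of database user accounts against the usernames the LDAP filter currently returns and reports the orphans, calling out separately those that still carry a database password. The table layout is a constructed, simplified stand-in (an assumption) loosely modeled on the `guacamole_entity` / `guacamole_user` tables of the Guacamole JDBC modules, and the LDAP result set is a constructed list rather than a live query; usernames are compared exactly, matching the thread's "same username" association.

```python
"""
Reconcile Guacamole database accounts against the current LDAP result set.

Added example; the schema and all data below are constructed for
illustration and are only an approximation of the real Guacamole schema.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class OrphanReport:
    """A database user with no matching LDAP username."""
    username: str
    has_db_password: bool   # True => still authenticates via the database


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE guacamole_entity (
            entity_id INTEGER PRIMARY KEY,
            name      TEXT NOT NULL UNIQUE,
            type      TEXT NOT NULL            -- 'USER' or 'USER_GROUP'
        );
        CREATE TABLE guacamole_user (
            user_id       INTEGER PRIMARY KEY,
            entity_id     INTEGER NOT NULL REFERENCES guacamole_entity(entity_id),
            password_hash BLOB,                -- NULL when no database password is set
            disabled      INTEGER NOT NULL DEFAULT 0
        );
    """)
    # Constructed sample data: alice and bob are live in AD; carol was
    # disabled in AD but has a database password; dave was removed from AD
    # and only exists in the database to hold his connection permissions;
    # ops-team is a group and must not be reported as a user.
    entities = [
        (1, "alice", "USER"), (2, "bob", "USER"), (3, "carol", "USER"),
        (4, "dave", "USER"), (5, "ops-team", "USER_GROUP"),
    ]
    users = [
        (1, 1, None, 0), (2, 2, None, 0),
        (3, 3, b"\x01constructed-hash", 0), (4, 4, None, 0),
    ]
    conn.executemany("INSERT INTO guacamole_entity VALUES (?,?,?)", entities)
    conn.executemany("INSERT INTO guacamole_user VALUES (?,?,?,?)", users)
    return conn


# Constructed stand-in for the usernames the LDAP user filter currently
# returns (carol and dave no longer match the filter).
LDAP_USERNAMES = {"alice", "bob"}


def db_user_accounts(conn: sqlite3.Connection) -> dict:
    """Map each enabled database user to whether it has a database password."""
    rows = conn.execute("""
        SELECT e.name, u.password_hash IS NOT NULL
        FROM guacamole_user u
        JOIN guacamole_entity e ON e.entity_id = u.entity_id
        WHERE e.type = 'USER' AND u.disabled = 0
    """)
    return {name: bool(has_pw) for name, has_pw in rows}


def find_orphans(conn: sqlite3.Connection, ldap_usernames: set) -> list:
    """Database users with no LDAP account of the same username, sorted by name."""
    accounts = db_user_accounts(conn)
    return sorted(
        (OrphanReport(name, has_pw) for name, has_pw in accounts.items()
         if name not in ldap_usernames),
        key=lambda r: r.username,
    )


def still_authenticatable(orphans: list) -> list:
    """Orphans that can still log in because a database password is set."""
    return [o.username for o in orphans if o.has_db_password]


if __name__ == "__main__":
    conn = build_sample_db()
    orphans = find_orphans(conn, LDAP_USERNAMES)
    for o in orphans:
        flag = "DB PASSWORD SET" if o.has_db_password else "no db password"
        print(f"orphaned database account: {o.username} ({flag})")
    print("still authenticatable:", still_authenticatable(orphans))
```

The report is deliberately read-only: the thread's answer is that removal is a manual task, so the script lists candidates for review rather than deleting them, and the accounts that still hold a database password are the ones to look at first.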