Re[2]: How many users can use Guacamole simultaneously?

Tue, 03 Mar 2020 08:50:24 -0800 

Hi Adrian et. al ...
Thank you, as sort of expected the bottlenecks are hardware specs, and user use type. 


Does Apache Guacamole have the capability to throttle users to allow for 
more connections?


Best Regards,
Stewart

------ Original Message ------
From: "Adrian Owen" <[email protected]>

To: "[email protected]" <[email protected]>; "Stewart 
Alexander" <[email protected]>

Sent: 3/3/2020 11:36:27 AM
Subject: RE: How many users can use Guacamole simultaneously?


CAUTION: This email originated from outside your organization. Exercise 
caution when opening attachments or clicking links, especially from 
unknown senders.




https://sourceforge.net/p/guacamole/discussion/1110834/thread/666f7a9f/



From: Stewart Alexander [mailto:[email protected]]
Sent: 03 March 2020 12:47
To:[email protected]
Subject: How many users can use Guacamole simultaneously?



Hi all,




Does anyone know how many users can login through Guacamole 
simultaneously?




What are the bottlenecks?



Thank you,

Stewart Alexander





------ Original Message ------

From: "Fabio Corsi" <[email protected]>

To: [email protected] <mailto:[email protected]>

Sent: 3/2/2020 5:01:07 PM

Subject: Re: ldap-user-search-filter problem




CAUTION: This email originated from outside your organization. 
Exercise caution when opening attachments or clicking links, 
especially from unknown senders.


Hi,



I was wondering if anyone could provide some insight on this issue.



To recap my previous message I have a ldap-user-search-filter set to


        
(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=asrc,dc=crossroads))



however any valid LDAP user is allowed to login on the Guacamole web 
page.



My configuration: Guacamole 1.1.0, Ubuntu 18.04, openLDAP 
(libldap-2.4-2:amd64) on a separate Ubuntu 18.04 VM.





since my first message I’ve done some additional investigation into 
the problem.



By looking at the logs on my LDAP server I can see that the filters 
are passed on to the LDAP server and they do return the correct number 
of entries.




There are a couple of things that seem strange to me:


Not sure why the "(|(uid=*)) clause is added to the main group filter 
defined in my configurationFor the user in the guacusers group the 
SeeAlso seems to expand to all the object of class groupOfNames in my 
directory



Here are the log entries for the user that is in the guacusers group:


slapd[904]: conn=9470 fd=48 ACCEPT from IP=10.16.33.12:52422 
(IP=0.0.0.0:389)
slapd[904]: conn=9470 op=0 BIND 
dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9470 op=0 BIND 
dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0

slapd[904]: conn=9470 op=0 RESULT tag=97 err=0 text=

slapd[904]: conn=9470 op=1 SRCH base="ou=groups,dc=my,dc=domain" 
scope=2 deref=0 
filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9470 op=1 SEARCH RESULT tag=101 err=0 nentries=5 
text=

slapd[904]: conn=9470 fd=48 closed (connection lost)

slapd[904]: conn=9471 fd=48 ACCEPT from IP=10.16.33.12:52424 
(IP=0.0.0.0:389)
slapd[904]: conn=9471 op=0 BIND 
dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9471 op=0 BIND 
dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE ssf=0

slapd[904]: conn=9471 op=0 RESULT tag=97 err=0 text=

slapd[904]: conn=9471 op=1 SRCH base="ou=users,dc=my,dc=domain" 
scope=2 deref=0 
filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
slapd[904]: conn=9471 op=1 SEARCH RESULT tag=101 err=0 nentries=6 
text=
slapd[904]: conn=9471 op=2 SRCH base="ou=groups,dc=my,dc=domain" 
scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
slapd[904]: conn=9471 op=2 SEARCH RESULT tag=101 err=0 nentries=46 
text=
slapd[904]: conn=9471 op=3 SRCH base="ou=groups,dc=my,dc=domain" 
scope=2 deref=0 
filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9471 op=3 SEARCH RESULT tag=101 err=0 nentries=5 
text=
slapd[904]: conn=9471 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" 
scope=2 deref=0 
filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)(seeAlso=cn=group1,ou=groups,dc=my,dc=domain)(seeAlso=cn=group2,ou=groups,dc=my,dc=domain)(seeAlso=cn=group3,ou=groups,dc=my,dc=domain)(seeAlso=cn=group4,ou=groups,dc=my,dc=domain)(seeAlso=cn=guacusers,ou=groups,dc=my,dc=domain)))"
slapd[904]: conn=9471 op=4 SEARCH RESULT tag=101 err=0 nentries=1 
text=





And for the user that is not in the guacusers group:


slapd[904]: conn=9478 fd=88 ACCEPT from IP=10.16.33.12:52430 
(IP=0.0.0.0:389)



slapd[904]: conn=9478 op=0 BIND 
dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128



slapd[904]: conn=9478 op=0 BIND 
dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE 
ssf=0


slapd[904]: conn=9478 op=0 RESULT tag=97 err=0 text=


slapd[904]: conn=9478 op=1 SRCH base="ou=groups,dc=my,dc=domain" 
scope=2 deref=0 
filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"



slapd[904]: conn=9478 op=1 SEARCH RESULT tag=101 err=0 nentries=0 
text=


slapd[904]: conn=9478 fd=88 closed (connection lost)


slapd[904]: conn=9479 fd=88 ACCEPT from IP=10.16.33.12:52432 
(IP=0.0.0.0:389)



slapd[904]: conn=9479 op=0 BIND 
dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128



slapd[904]: conn=9479 op=0 BIND 
dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" mech=SIMPLE 
ssf=0


slapd[904]: conn=9479 op=0 RESULT tag=97 err=0 text=


slapd[904]: conn=9479 op=1 SRCH base="ou=users,dc=my,dc=domain" 
scope=2 deref=0 
filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"



slapd[904]: conn=9479 op=1 SEARCH RESULT tag=101 err=0 nentries=6 
text=



slapd[904]: conn=9479 op=2 SRCH base="ou=groups,dc=my,dc=domain" 
scope=2 deref=0 filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"



slapd[904]: conn=9479 op=2 SEARCH RESULT tag=101 err=0 nentries=46 
text=



slapd[904]: conn=9479 op=3 SRCH base="ou=groups,dc=my,dc=domain" 
scope=2 deref=0 
filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"



slapd[904]: conn=9479 op=3 SEARCH RESULT tag=101 err=0 nentries=0 
text=



slapd[904]: conn=9479 op=4 SRCH base="ou=guac_config,dc=my,dc=domain" 
scope=2 deref=0 
filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"



slapd[904]: conn=9479 op=4 SEARCH RESULT tag=101 err=0 nentries=0 
text=





And this is my full configuration file:


# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port:     4822

#skip-if-unavailable: mysql, ldap
api-session-timeout: 15

# LDAP properties
ldap-hostname: configserver.my.domain
ldap-port: 389
ldap-user-base-dn: ou=users,dc=my,dc=domain
ldap-username-attribute: uid

ldap-user-search-filter: 
(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))

ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
ldap-group-base-dn: ou=groups,dc=my,dc=domain

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: MySecret




Thanks,

Fabio





On Feb 25, 2020, at 10:46, Fabio Corsi 
<[email protected]> wrote:





We're using openLDAP (libldap-2.4-2:amd64) on a separate Ubuntu 18.04 
installation.




Many thanks,

Fabio





On Feb 24, 2020, at 22:57, Mike Jumper <[email protected]> wrote:




On Mon, Feb 24, 2020, 19:52 Fabio Corsi 
<[email protected]> wrote:



Hi,



I’ve a fresh install of Guacamole 1.1.0 on Ubuntu 18.0.4 Server.




I have the LDAP extension installed (along with the MySQL one) and 
I’ve defined connections directly into LDAP.



Everything works just fine, users are authenticated and are allowed 
the proper connections, however I would like to allow only users 
MemberOf a one LDAP group (e.g. guacusers) to login to my Guacamole 
site.



I’m using ldap-user-search-filter, but it does not seem to work. As 
of now any active users in my LDAP directory can login into the 
Guacamole site.



No connections are displayed for the users that I would like to 
disallow, but nevertheless they can still login...





This is the LDAP configuration in my guacamole.properties 
<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fguacamole.properties&c=E,1,E8cBBI4_vdYlMnL8xX-O_ehFfvRAlR9c2oz1h0iY4s3lZ_2UFsjyvQ1hDs_Pk46WxCb8Ahl2ZPjzLWyNQTjO8Ct18O1NBHKGKM6iMBOV8ksJlE5VdPND&typo=1>





# LDAP properties

ldap-hostname: configserver.my.domain

ldap-port: 389

ldap-user-base-dn: ou=users,dc=my,dc=domain

ldap-username-attribute: uid


ldap-user-search-filter: 
(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=asrc,dc=crossroads))


ldap-config-base-dn: ou=guac_config,dc=my,dc=domain

ldap-group-base-dn: ou=groups,dc=my,dc=domain





And I have previously used this same configuration some time back 
when I was testing version 0.9.14 and it seemed to be working...






Note that if I run the same filter on my LDAP server, e.g.:


ldapsearch -x -LLL -H ldap:/// -b "ou=users,dc=my,dc=domain" -s 
sub "(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)”



I get the expected result….



I’ve also tried adding other specifiers to the filter, like


(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)





they all work when I query the LDAP server with ldapsearch, but 
don’t seem to have any effect when I use them in Guacamole.





What LDAP server is being used?



- Mike




























					Reply via email to