On 4/3/2020 1:33 PM, Jason Keltz wrote:

2) My Samba AD users are importing into Guacamole, but not the Samba AD
groups. Can I add the groups as well?

Well, Guacamole doesn't really "import" anything from LDAP - it
will display the information from LDAP that the user who logs in
has access to, and you can relatively easily create users in
JDBC from users in LDAP provided you have admin access on the
JDBC side. However, it does "map" both users and groups between
the various authentication modules, so if you have a user in
LDAP named the same as a user in JDBC, you can assign
permissions in JDBC and those will apply to the LDAP login. The
same is true of groups - if you create a group in the JDBC
module and assign it permissions, a matching group in LDAP will
get those permissions. Hopefully this makes sense.

Sorry for using the wrong terminology. I didn't really mean
"import". That being said, I created a group in Samba AD called
"Users". I added a single user to that group. I logged into
Guacamole as admin, created a group with that name, and selected
a few connections that this group could access. I then logged out
as admin and in as the user, and the user had no access to any
connections. Note that I didn't add the group to the user in
Guacamole. The assumption is that if the user exists in LDAP,
and the user is a member of a group in LDAP, then that
information will be read.

Depending on what version you're running there may be some slight
nuances in how this works. The groups were first introduced in 1.0.0
and there were some behaviors that were non-intuitive, so version
1.1.0 got some updates to how that works. We might need to dig into
that a bit more - I'll try to give it a try in my environment and
make sure it works, but one of the key things I would make sure is
that you've enabled group searching (by specifying the group search
base in guacamole.properties), as groups won't be looked up in LDAP
by default.

I'm running 1.1.0. I did have to enable additional options in
guacamole.properties. I added:
ldap-group-base-dn: CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca
ldap-group-name-attribute: memberOf
Now, I see the groups listed in AD, though not just the names, but the
full names like this: CN=Users,CN=Builtin,DC=ad,DC=eecs,DC=yorku,DC=ca
I was able to edit the above group, and add a connection. I then
logged out and back in as the user who is in that group, but they
didn't get the resulting connection access. I may have something
wrong in the configuration.

I think I've discovered what I need to access the Samba AD groups
properly in Guacamole by experimenting with ldapsearch from the command line...

ldap-group-base-dn: CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca
ldap-group-name-attribute: cn
ldap-group-search-filter: objectClass=group

That being said, there is no ldap-group-search-filter in the documentation.
When I configure Guacamole with the absence of the
ldap-group-search-filter, the group list includes all the users. That's
fine because it now also includes all the groups! I chose the group
"Domain Users", then added a connection to "Domain Users", logged out
and back in as a user who is in "Domain Users", and they still don't get
the access. Either I'm still missing something, or Guacamole groups are
not working right for me.
Nick: Any chance of adding ldap-group-search-filter? And is there anything I can
do to help debug this?
It looks like I'm going to have to code up adding all the users to a
manually created group otherwise.
Jason.
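As an added example, not part of this thread: a small Python script that reads ldapsearch-style LDIF (constructed sample data, with placeholder accounts) for the group base used above and shows what the three properties control. It assumes group membership is resolved from the group object's `member` attribute (the documented ldap-member-attribute default), so in this model a group name attribute of memberOf, which lives on user objects, matches no group.

```python
# Constructed ldapsearch-style LDIF for the group base from the thread
# (CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca); entries and account names are made up.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca
objectClass: group
cn: Domain Users
member: CN=example-user,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca

dn: CN=Domain Admins,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca
objectClass: group
cn: Domain Admins
member: CN=other-user,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca

dn: CN=example-user,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca
objectClass: user
cn: example-user
memberOf: CN=Domain Users,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca
"""
USER_DN = "CN=example-user,CN=Users,DC=ad,DC=eecs,DC=yorku,DC=ca"

def parse_ldif(text):
    """Split LDIF into entries: dict of lower-cased attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def matches(entry, search_filter):
    """Evaluate one equality filter such as (objectClass=group); '*' matches any value."""
    attr, _, value = search_filter.strip("()").partition("=")
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values

def list_groups(entries, name_attribute, search_filter="(objectClass=*)"):
    """Entries under the group base passing the filter, named by name_attribute
    (with the default (objectClass=*) the user objects under CN=Users appear too)."""
    return [e[name_attribute.lower()][0] for e in entries
            if matches(e, search_filter) and name_attribute.lower() in e]

def groups_for_user(entries, user_dn, name_attribute,
                    search_filter="(objectClass=*)", member_attribute="member"):
    """Groups whose member attribute lists the user's DN; assumes membership is read
    from the group side (ldap-member-attribute, default 'member'), not from memberOf."""
    return [e[name_attribute.lower()][0] for e in entries
            if matches(e, search_filter) and name_attribute.lower() in e
            and user_dn.lower() in (m.lower() for m in e.get(member_attribute.lower(), []))]
```

Running `groups_for_user(parse_ldif(SAMPLE_LDIF), USER_DN, "cn", "(objectClass=group)")` yields the groups the placeholder user would receive; swapping "cn" for "memberOf" yields none.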