On Tue, Sep 29, 2020 at 5:47 AM larssonsamuel <[email protected]> wrote:
> Hi,
>
> My setup looks like this:
>
> Users exist in AD, towards which they authenticate when logging in to
> Guacamole. The group management however is handled in MySQL since we
> couldn't change the schema to provide group management in our AD.
>
> When I look in the database, it looks like users are getting created in the
> database on first authentication (which they do towards AD), and the
> password hash column is populated. Does this mean that the hashes that I see
> in the database are fetched from AD during the authentication? I can't seem
> to find anything in the docs about this.
>

No, when the user auto-creation is enabled, the password for the database user is auto-generated to a random and undisclosed value. This is similar to what happens if you create a database user and do not specify a password - Guacamole does not simply leave the password blank for that user, but generates a new, random password.

> The problem that I now have encountered is that I want to add users to groups
> via script, i.e. SQL queries, so that they are already added before they do
> their first authentication. But how can I get all the info from AD to
> successfully populate all required fields for a new user in the database?
>

You'll need to make sure that your script queries the desired attribute fields in AD/LDAP and then populates them in the database. There's not really anything special about this - you just have to use whatever tool you're using to query AD for the user accounts to grab other attributes and insert those into the database. You can do this for whatever field you want (and that is present within both AD and the database). However, I would *not* attempt to copy the password value from AD to the database - copying that value wouldn't work, anyway, as the hashing between AD and Guacamole is different, but, even if it did, you would either have to synchronize them or you'd end up with previous user passwords stored in the Guacamole database, which is both a security concern and will just cause confusion for your users.

-Nick
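The pre-provisioning described in the reply above, written out as an added SQL example. This is not code from the thread or from the Guacamole project; it assumes the table and column names of the Guacamole 1.x MySQL JDBC schema (guacamole_entity, guacamole_user, guacamole_user_group, guacamole_user_group_member) and that the group already exists. The AD attribute values (sAMAccountName, displayName, mail) are constructed placeholders standing in for whatever the provisioning script pulled from AD. Instead of copying anything password-related from AD, it does what Guacamole's own auto-creation does: it stores the hash of a random value that is never disclosed, so the database module cannot become a second login path with a guessable password.

```sql
-- Constructed placeholder values a provisioning script would have fetched
-- from AD; replace with the real attributes (hypothetical example data).
SET @username  = 'jdoe';                -- sAMAccountName
SET @full_name = 'Jane Doe';            -- displayName
SET @email     = '[email protected]';   -- mail
SET @group     = 'rdp-users';           -- assumed to exist in guacamole_user_group

-- Guacamole's MySQL schema stores SHA-256(password || HEX(salt)) with a random
-- 32-byte salt.  Hashing a throwaway random value with a fresh random salt
-- yields a password nobody knows, matching the auto-created-account behaviour.
-- RANDOM_BYTES() needs MySQL 8.0.17+; on older servers UNHEX(SHA2(UUID(), 256))
-- is an acceptable substitute for both values.
SET @salt      = RANDOM_BYTES(32);
SET @throwaway = HEX(RANDOM_BYTES(32));  -- never stored, never logged

START TRANSACTION;

-- 1. Every user is an entity of type USER (groups are entities of type USER_GROUP).
INSERT INTO guacamole_entity (name, type)
VALUES (@username, 'USER');

-- 2. The user row carries the hash/salt plus whatever AD attributes you chose
--    to mirror (full_name, email_address, organization, ... are all optional).
INSERT INTO guacamole_user (entity_id, password_hash, password_salt, password_date,
                            full_name, email_address)
SELECT entity_id,
       UNHEX(SHA2(CONCAT(@throwaway, HEX(@salt)), 256)),
       @salt,
       NOW(),
       @full_name,
       @email
FROM   guacamole_entity
WHERE  name = @username AND type = 'USER';

-- 3. Group membership links the group's user_group_id to the member's entity_id,
--    so the group is resolved through its own USER_GROUP entity.
INSERT INTO guacamole_user_group_member (user_group_id, member_entity_id)
SELECT g.user_group_id, u.entity_id
FROM   guacamole_user_group g
JOIN   guacamole_entity ge ON ge.entity_id = g.entity_id
JOIN   guacamole_entity u  ON u.name = @username AND u.type = 'USER'
WHERE  ge.name = @group AND ge.type = 'USER_GROUP';

COMMIT;

-- Check: the user exists, has a 32-byte salt, and is a member of the group.
SELECT u.full_name, u.email_address, LENGTH(u.password_salt) AS salt_len, ge.name AS grp
FROM   guacamole_user u
JOIN   guacamole_entity ue ON ue.entity_id = u.entity_id
JOIN   guacamole_user_group_member m ON m.member_entity_id = u.entity_id
JOIN   guacamole_user_group g  ON g.user_group_id = m.user_group_id
JOIN   guacamole_entity ge ON ge.entity_id = g.entity_id
WHERE  ue.name = @username AND ue.type = 'USER';
```

Run it once per account from the provisioning script; the only values that come from AD are the non-secret attributes, and the name must match exactly what the LDAP module will present as the username (usually sAMAccountName) or Guacamole will auto-create a second, unrelated account on first login.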
