On Sat, Apr 24, 2021 at 2:07 AM Jelle de Jong <[email protected]> wrote:
> ...
> Thank you Mike, would you be willing to take a look at the LDAP code and
> share back how much work it might be?
>

It's non-trivial, but it will be worked on when time permits. Here is the relevant JIRA issue:

https://issues.apache.org/jira/browse/GUACAMOLE-1212

> In the /etc/guacamole/guacamole.properties configuration I provide the
> ldap-search-bind-dn and ldap-search-bind-password. My experience is that
> these credentials are often used to bind to LDAP and do the lookups
> needed, this way the user password is only used one time to validate.
>

It's not just for validation: the user's own credentials are used to retrieve any LDAP data that will be exposed to the user, including their group memberships. If LDAP credentials were only validated, with the search user used to retrieve all data after validation, that would result in the user being able to see more data than their LDAP account is authorized to see (privilege escalation).

> I have not been able to have Guacamole provide me with a prompt when
> leaving the username and password empty in the connection settings, I
> cannot figure out what I am doing wrong. I cannot find documentation
> on how to use this prompting feature. From what you tell me, leaving it
> empty should be enough? I would like to be able to provide the username
> as ${GUAC_USERNAME} and have the password prompted for in the Guacamole
> Web UI. (So the user can fill in the password+otp in the password field
> and connect).
>

Yes, you can do exactly this and it should have the effect described. If you specify a username, including via the ${GUAC_USERNAME} token, the user will only be prompted for a password. This still requires that the RDP server use NLA for authentication. If the RDP server is configured to not use NLA, then you will see the RDP server's graphical prompt.

- Mike
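As an added illustration of the privilege-escalation point in the reply above (example code, not code from the Guacamole project), here is a toy in-memory directory with per-entry read ACLs that compares the "validate, then search as the service account" pattern with lookups done under the user's own bind. All DNs, passwords and ACLs are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed DNs; SEARCH_DN plays the role of ldap-search-bind-dn.
SEARCH_DN = "cn=guac-search,ou=service,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
STAFF = "cn=staff,ou=groups,dc=example,dc=com"
ADMINS = "cn=admins,ou=groups,dc=example,dc=com"

@dataclass
class Entry:
    dn: str
    password: str | None = None                          # only bindable entries
    members: set[str] = field(default_factory=set)       # group membership
    readable_by: set[str] = field(default_factory=set)   # ACL: DNs that may read it

# Constructed directory: the search account may read every group, while
# alice's own account may read 'staff' but not the hidden 'admins' group.
DIRECTORY = {e.dn: e for e in [
    Entry(SEARCH_DN, password="search-pw", readable_by={SEARCH_DN}),
    Entry(ALICE, password="alice-pw", readable_by={SEARCH_DN, ALICE}),
    Entry(STAFF, members={ALICE}, readable_by={SEARCH_DN, ALICE}),
    Entry(ADMINS, members={ALICE}, readable_by={SEARCH_DN}),
]}

def bind(dn: str, password: str) -> str:
    """Simple bind: return the bound DN, or raise on bad credentials."""
    entry = DIRECTORY.get(dn)
    if entry is None or entry.password is None or entry.password != password:
        raise PermissionError(f"bind failed for {dn}")
    return dn

def groups_of(bound_dn: str, user_dn: str) -> list[str]:
    """Groups containing user_dn that the bound session's ACL lets it read."""
    return sorted(e.dn for e in DIRECTORY.values()
                  if user_dn in e.members and bound_dn in e.readable_by)

def groups_validate_then_search(user_dn: str, password: str) -> list[str]:
    """Validate-only pattern: check the user's password, then look everything
    up as the privileged search account. Reveals groups the user cannot read."""
    bind(user_dn, password)
    return groups_of(bind(SEARCH_DN, "search-pw"), user_dn)

def groups_as_user(user_dn: str, password: str) -> list[str]:
    """Approach described in the reply: the user's own bind does the lookups,
    so the directory's ACLs bound what the user can learn about themselves."""
    return groups_of(bind(user_dn, password), user_dn)
```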
