Hey, I'm new to the guacamole experience, but the configuration of the LDAP extension (+postgresdb) raised a question or two.
It took me a good amount of time to figure out why I can't see any groups while administering the frontend, before I found a half-sentence somewhere which mentions that it is not the LDAP bind user configured in guacamole.properties that will be used, but the actual guacamole logged-in user (which does not have the needed LDAP permissions).

I can't figure out by myself why the bind user isn't used for polling groups and users. In my eyes a user connection to the LDAP is only needed to verify the account credentials (password, account disabled, etc.) while logging in. The guacadmin (local postgresql admin account) has to configure which LDAP user will be able to administer the frontend. So not every LDAP user would be able to see and configure every other polled LDAP user and group from the bind user.

In my opinion, at the moment I have to give at least two LDAP accounts extended permissions, to be able to log in (first account - bind user) and to administer guacamole (second - the logged-in user). There isn't even a backup admin included. So, perhaps even more accounts.

Background: Here at the university we have an LDAP/AD for the whole campus and a lot of self-managed faculties, institutes and chairs which will get only a service account with special permissions for the LDAP. This account can be used for a lot of services as bind user. The service can be run by an admin who doesn't have administrator rights on the LDAP, but can be an admin for instance like guacamole in his/her institute (like me, now).

Question: So, my two questions are:

1. Why isn't the bind user used for all the polling when the administration/administrator for guacamole can be done with another database (postgresql) and rights management (in guacamole itself)?

2. I'm not good with Java programming and tried to dig into the source code already. Is it easily possible to change the behavior of the extension from user polling to bind polling?

Or is my evaluation wrong? Is it something I'm doing wrong?

Maybe someone can give me an insight!

BIG thanks for the patience of reading and the replies

Matthias Druve

PS: is this the right place to ask these questions? : )

---
Matthias Druve
Systemadministrator
Institut für Geodäsie und Geoinformationstechnik (Fak.VI)
Technische Universität Berlin
KAI 2-2 - Hr. Druve
Kaiserin-Augusta-Allee 104-106
10553 Berlin
Telefon: (030) 314 - 23204
Telefax: (030) 314 - 12323204
E-Mail: [email protected]
