On Fri, Oct 7, 2022 at 7:48 AM Druve, Matthias <[email protected]> wrote:
>
> Hey,
>
> thanks for your quick and extended response!
>
> Alright, so the decision was made because of the optional part which allows
> you to store the connections in LDAP.
> Okay, that I understand.
> I maybe would have divided the authentication/pulling information part based
> on the used or unused optional setting, but I understand where it is coming
> from.
> (or even use another flag for true/false for bind user only or something like
> it)
As I said, it was very intentionally designed this way. I think there has
been some noise on the list, and maybe even an item in Jira, lately, to add
an option for forcing everything to happen as the bind DN, but no work has
been done on that.

> I'm also glad to hear that it is possible to modify the extension to
> "always" (except the authentication) use the bind user for pulling data.
> (that's what I thought, but like I said, Java is not my specialty)
>
> "while modifying the extension to use the bind DN shouldn't
> be too difficult, modifying it to continue group search even when
> authentication fails would probably take some work."
>
> ^^
> The last part isn't important or needed for me. I already logged in with my
> LDAP user account,
> which does not have the permissions to read groups, and made myself admin
> with the help of the guacadmin account,
> so the LDAP extension is already in use.

Okay, so your goal is that, when a user successfully logs in with LDAP
credentials, group membership for that user should be retrieved, but should
be retrieved under the bind DN instead of the user who is logging in.

> So, maybe you can point me in the direction where I would have to modify the
> extension?

There are a few things you'd have to change...
* The main code for retrieving groups for a particular user is located here:

  https://github.com/apache/guacamole-client/blob/0af17df712d1f2128b8fbc4df543e423939ef905/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java#L100-L163

* In particular, the call to queryService.search() is where the
  configuration is pulled together for the LDAP connection and the group
  search base:

  https://github.com/apache/guacamole-client/blob/0af17df712d1f2128b8fbc4df543e423939ef905/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/group/UserGroupService.java#L132-L140

* However, you'd also probably need to implement a different version of
  config.getLDAPConnection() that gets a connection strictly using bindDN
  and password rather than the user who is logging in.

That's a quick guess on my part without digging through the code, but
looking at the search() method(s) in ObjectQueryService, it's what makes
sense to me.

-Nick
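Added example (not part of this thread, and not code from guacamole-client): a minimal Java sketch of the split Nick describes, written against the Apache Directory LDAP API. The host, port, base DNs, service account and attribute names are assumptions, and the class/method names assume that library's 2.x API rather than anything in the extension itself. The user's own simple bind proves the password and that connection is then thrown away; a second connection bound as the configured bind DN performs the group search, so only the bind DN needs read access to the groups subtree and the user needs no group-read rights at all.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.filter.FilterEncoder;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Illustrative sketch (not guacamole-auth-ldap code): authenticate a user
 * with their own credentials, then look up their groups under a separate
 * service account ("bind DN") instead of under the user's own connection.
 */
public class BindDnGroupLookup {

    // Assumed deployment values. In the real extension these would come
    // from guacamole.properties; they are hard-coded here only for clarity.
    static final String LDAP_HOST = "ldap.example.com";
    static final int LDAP_PORT = 389;
    static final String SEARCH_BIND_DN = "cn=guac-reader,ou=services,dc=example,dc=com";
    // Secret kept out of source: read from the environment (assumed variable name).
    static final String SEARCH_BIND_PASSWORD = System.getenv("GUAC_LDAP_BIND_PASSWORD");
    static final String GROUP_BASE_DN = "ou=groups,dc=example,dc=com";
    static final String GROUP_MEMBER_ATTRIBUTE = "member";

    /**
     * Step 1: authenticate. A successful simple bind as the user's own DN
     * proves the password. The connection is closed right away; nothing is
     * searched under the user's identity.
     */
    static boolean authenticate(String userDn, String password) {
        if (password == null || password.isEmpty()) {
            // RFC 4513 lets a server treat an empty password as an
            // unauthenticated bind that "succeeds"; never send one.
            return false;
        }
        try (LdapNetworkConnection conn = new LdapNetworkConnection(LDAP_HOST, LDAP_PORT)) {
            conn.bind(userDn, password);
            return true;
        } catch (LdapException | IOException e) {
            // bad credentials, locked account, server unreachable, ...
            return false;
        }
    }

    /**
     * Step 2: group lookup under the bind DN. Only this account needs read
     * access to GROUP_BASE_DN; the authenticated user does not.
     */
    static List<String> groupsFor(String userDn) throws LdapException, IOException {
        List<String> groups = new ArrayList<>();
        // The DN was obtained from the directory, but it is still data going
        // into a filter: encode it so characters such as *, (, ) and \ cannot
        // change the meaning of the query.
        String filter = "(" + GROUP_MEMBER_ATTRIBUTE + "="
                + FilterEncoder.encodeFilterValue(userDn) + ")";
        try (LdapNetworkConnection conn = new LdapNetworkConnection(LDAP_HOST, LDAP_PORT)) {
            conn.bind(SEARCH_BIND_DN, SEARCH_BIND_PASSWORD);
            try (EntryCursor cursor = conn.search(GROUP_BASE_DN, filter, SearchScope.SUBTREE, "cn")) {
                for (Entry group : cursor) {
                    groups.add(group.getDn().getName());
                }
            }
        }
        return groups;
    }

    public static void main(String[] args) throws Exception {
        String userDn = "uid=alice,ou=people,dc=example,dc=com"; // assumed test user
        String password = args.length > 0 ? args[0] : "";
        if (!authenticate(userDn, password)) {
            System.out.println("authentication failed; no group lookup performed");
            return;
        }
        for (String group : groupsFor(userDn)) {
            System.out.println("member of " + group);
        }
    }
}
```

The point of keeping the two binds in separate methods is that the bind DN now becomes the source of every user's authorization data, so it should be a read-only account whose ACLs are scoped to the groups subtree, and its password should live outside the code (here an environment variable). Note also that group lookup is only reached after authentication succeeds, which matches the behaviour Matthias said he needs and avoids doing the harder "continue group search even when authentication fails" change.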
