Hi Mike,
I have this format in azure: first_last@domain
My LDAP and all internal server usernames are just first_last.
SAML login works, but creates the user with the full username. I have to add
the attribute in Azure to expose the on prem samaccount attribute.
I changed the Azure UUI to the on prem variable and I think that worked. For
some reason (though I have my groups by OID), the user isn't getting the
connections assigned to the groups.
As for LDAP, since these "layer", I was actually trying to make the username
from Azure match what's in LDAP so the group membership would work correctly
(as it does with LDAP only).
The SAML group list IS going through to Guacamole, it's just not seeming to
want to map it to the users.
I do have a volume mount on my host as such under guacd:
    volumes:
      - '${BASEDIR}/guac/drive:/var/lib/guacamole/drive:rw'
      - '${BASEDIR}/guac/recordings:/var/lib/guacamole/recordings:rw'
The extension should be seeing it correctly, but I get an error that it can't:
guacd[8]: ERROR: Creation of recording failed: Permission denied
guacd[8]: ERROR: Creation of typescript failed: Permission denied
the Recording path of the connection is: ${HISTORY_PATH}/${HISTORY_UUID}
Filename is: ${GUAC_DATE}__${GUAC_TIME}__TypeScript__AdmissionsForms
At some point I did have it working, but it wouldn't play back in the logs, so
I'm sure it's a permission issue, but I don't know how to fix it, given that the
guacd account isn't on my host, just in the container.
I've clean installed, and still get this error and the group issue.
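The "Permission denied" above is almost always the host-side directory not being writable by the UID/GID that guacd runs as inside the container, which is why the missing host account does not matter: only the numeric IDs are compared. The following is an added example (not code from the thread or from the Guacamole project) that checks bind-mounted host directories against a container UID/GID from ownership and mode bits alone, and offers a chown-based fix. It assumes guacd runs as UID 1000 / GID 1000 in the container (verify with `docker exec <guacd-container> id`); the sample directories are constructed temp paths standing in for ${BASEDIR}/guac/drive and ${BASEDIR}/guac/recordings.

```python
"""Check whether host directories bind-mounted into the guacd container are
writable by the UID/GID guacd uses inside the container.

Added example, not Guacamole project code. Assumption: the container's guacd
process runs as UID 1000 / GID 1000; adjust GUACD_UID/GUACD_GID to whatever
`docker exec <guacd-container> id` reports.
"""
import os
import stat
import tempfile

GUACD_UID = 1000  # assumption, see module docstring
GUACD_GID = 1000  # assumption, see module docstring


def writable_by(path, uid, gid):
    """True if a process with this uid/gid could write to path, judged from
    ownership and mode bits only (no write is attempted, so the result does
    not depend on who runs this script). uid 0 is deliberately not special-
    cased: guacd should never need to run as root."""
    st = os.stat(path)
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def diagnose(paths, uid=GUACD_UID, gid=GUACD_GID):
    """Return {path: verdict}, where verdict is 'ok' or a one-line explanation
    of why guacd would log 'Creation of recording failed: Permission denied'."""
    report = {}
    for p in paths:
        if not os.path.isdir(p):
            report[p] = "missing: create it on the host before starting guacd"
            continue
        st = os.stat(p)
        if writable_by(p, uid, gid):
            report[p] = "ok"
        else:
            report[p] = (
                f"not writable by uid={uid}/gid={gid}: owner={st.st_uid}:{st.st_gid} "
                f"mode={stat.S_IMODE(st.st_mode):o}; fix with chown {uid}:{gid} "
                f"and mode 770 (or make gid {gid} the group and add g+w)"
            )
    return report


def fix_ownership(path, uid=GUACD_UID, gid=GUACD_GID):
    """Give the directory to the container's uid/gid with mode 770. Needs
    root on the host; returns False instead of raising when it cannot."""
    try:
        os.chown(path, uid, gid)
        os.chmod(path, 0o770)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed sample tree standing in for the host-side mounts.
    base = tempfile.mkdtemp()
    drive = os.path.join(base, "drive")
    recordings = os.path.join(base, "recordings")
    os.makedirs(drive)
    os.makedirs(recordings)
    os.chmod(drive, 0o700)       # owned by whoever runs this, closed to uid 1000
    os.chmod(recordings, 0o777)  # world-writable: works, but wider than needed
    for path, verdict in diagnose([drive, recordings, os.path.join(base, "absent")]).items():
        print(f"{path}: {verdict}")
```

Run it against the real ${BASEDIR}/guac/drive and ${BASEDIR}/guac/recordings paths; if the verdict names a different owner, run the chown as root on the host (or call fix_ownership as root). Note that the recording path in the connection, ${HISTORY_PATH}/${HISTORY_UUID}, is a subdirectory guacd creates itself, so the parent mount is what needs to be writable.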
________________________________
From: Michael Jumper <[email protected]>
Sent: Friday, March 24, 2023 4:22 PM
To: [email protected] <[email protected]>
Subject: Re: Recordings issue on 1.5.0 and SAML Question
On Fri, Mar 24, 2023 at 3:02 PM Michael Hess <[email protected]> wrote:
> First, can I pass a saml attribute like we can with ldap_{attribute} in some
> way? I need to pass the Azure onpremisessamaccountname attribute as the
> username, so LDAP groups work with SAML accounts vs having the full email as
> the username. I do see it in the SAML token coming back when authenticating.
You should be able to configure Azure to provide the username in a different
format. In SAML, the username is referred to as the "NameID", and might be in
Azure's configuration as such.
Can you clarify how the availability of a SAML attribute ties together with
LDAP group membership in your case?
When using SAML, group membership would be asserted by the SAML IdP. This is
dictated by an attribute that includes a list of the group names that apply to
a user, not by the user's username. It is true that a user's username will be
matched up with corresponding user accounts and groups within Guacamole's
database, but this has no impact on Guacamole's integration with LDAP which
would affect only users that log in directly with Guacamole using LDAP
credentials.
> Second, I don't know what I messed up, running in docker, but now the guacamole
> container won't start; I just get this over and over. I've disabled the
> extension for recordings, as well as removed the containers and image and
> rebuilt:
> cp: cannot access '/etc/guacamole/./recordings': Permission denied
> guacamole exited with code 1
Do you have a volume mount pointing at that path?
- Mike
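To make the point in Mike's reply concrete (group membership comes from a SAML attribute listing group names, while the NameID only picks the user account), here is an added example, not code from the thread or from the Guacamole project, that pulls the NameID and the group attribute out of a SAML assertion and checks which asserted values match the group names configured on the Guacamole side. The assertion is a constructed sample, not a real token; the attribute name "groups" mirrors the default of the SAML extension's saml-group-attribute property, and the onpremisessamaccountname claim URI is included only to show where the short username would come from.

```python
"""Separate the two things a SAML assertion carries for Guacamole: the NameID
(which account is logging in) and the group attribute (which groups to map).

Added example, not Guacamole project code. The assertion below is constructed;
"groups" is assumed as the group attribute name, matching the default of the
SAML extension's saml-group-attribute property.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: NameID in first_last@domain form, a short on-prem
# account name as a separate claim, and a group list that mixes an
# Azure-style object ID with a display name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>first_last@domain</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/onpremisessamaccountname">
      <saml:AttributeValue>first_last</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>Remote Desktop Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SAMACCOUNT_CLAIM = "http://schemas.microsoft.com/identity/claims/onpremisessamaccountname"


def parse_assertion(xml_text, group_attribute="groups"):
    """Return (name_id, asserted_groups, all_attributes) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attributes = {}
    for attr in root.findall(".//saml:Attribute", namespaces=NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", namespaces=NS)]
        attributes[attr.get("Name")] = values
    return name_id, attributes.get(group_attribute, []), attributes


def map_groups(asserted, configured):
    """Exact-match the IdP's group values against Guacamole's group names.
    Returns (matched, unmatched); an unmatched value grants nothing, which is
    what a mismatch between object IDs and display names looks like."""
    configured = set(configured)
    matched = [g for g in asserted if g in configured]
    unmatched = [g for g in asserted if g not in configured]
    return matched, unmatched


if __name__ == "__main__":
    name_id, groups, attrs = parse_assertion(SAMPLE_ASSERTION)
    print("login username (NameID):", name_id)
    print("on-prem short name claim:", attrs.get(SAMACCOUNT_CLAIM))
    # Constructed Guacamole-side group names: one OID matches, one does not.
    matched, unmatched = map_groups(groups, ["11111111-2222-3333-4444-555555555555", "admins"])
    print("groups that will map:", matched)
    print("groups that will NOT map:", unmatched)
```

Two things to check with this in hand: which attribute the IdP actually puts the groups in (point saml-group-attribute at it if it is not "groups"), and whether the values are object IDs or display names, since the comparison is exact and the Guacamole group names have to use the same form.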