On Mon, Nov 20, 2023 at 6:48 AM Remush <m.remmar...@gmail.com> wrote:

> So If I use the LDAP and want to be able to control connections *in* the
> Guacamole Web
>
> I need to set a db?
>

Yes.

> And how can I give admin over the guacamole to certain users?
>

Guacamole matches usernames between the extensions. So, if you have a user in LDAP called, for example, guacamole_user, and you create a user in the database with the matching username, you can assign privileges to the user from within the Guacamole UI, including admin access, the ability to use connections, etc., and then authenticate with the user's LDAP credentials. There's even a way to have users that successfully authenticate from non-JDBC modules automatically created within the database. This is covered in more depth in the user guide:

https://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database
https://guacamole.apache.org/doc/gug/ldap-auth.html#associating-ldap-with-a-database
https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users

It is worth noting that the comparison of usernames is currently case-sensitive - so, if you have a user, "guacamole_user", in LDAP and the JDBC module, but the user logs in with "Guacamole_User" (which will likely succeed, because LDAP is case-insensitive), it will be seen as a different user to Guacamole. There's some ongoing work to allow this behavior to be configured.

> I want the LDAP only in order to access the guacamole and being the user
> that connects in the connections.
>
> But I want a certain LDAP group to be able to create those connections in
> the Guacamole
>

Yes, all of this is completely possible, and is a relatively standard way to use Guacamole. It means installing both the JDBC and LDAP modules, and then creating users and/or groups within the JDBC module that match the LDAP users and/or groups you're using to log in - again, most of this is covered in the user guide, as linked above.

-Nick
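
The case-sensitive username matching described in the reply above can be audited before users hit it. The following is an added example, not part of the original message or of Guacamole's code: it assumes two username lists (constructed here) exported from LDAP and from the database module, and `audit_usernames` is a hypothetical helper name.

```python
from collections import defaultdict


def audit_usernames(ldap_names, db_names):
    """Compare LDAP login names with Guacamole database usernames.

    The comparison between extensions is case-sensitive, so an LDAP name
    that equals a database name only after case folding is treated as a
    different user and gets none of the privileges assigned in the database.
    """
    db_exact = set(db_names)
    db_folded = defaultdict(set)
    for name in db_names:
        db_folded[name.casefold()].add(name)

    report = {"matched": [], "case_mismatch": [], "ldap_only": []}
    for name in ldap_names:
        if name in db_exact:
            # Exact match: database permissions apply to this login name.
            report["matched"].append(name)
        elif name.casefold() in db_folded:
            # Same name apart from case: permissions will NOT apply.
            candidates = sorted(db_folded[name.casefold()])
            report["case_mismatch"].append((name, candidates))
        else:
            # No database user at all for this LDAP name.
            report["ldap_only"].append(name)

    # Database users that differ from each other only by case.
    report["db_case_duplicates"] = sorted(
        sorted(group) for group in db_folded.values() if len(group) > 1
    )
    return report


# Constructed sample data (not taken from any real directory or database).
LDAP_NAMES = ["guacamole_user", "Guacamole_User", "JSmith", "new_hire"]
DB_NAMES = ["guacamole_user", "jsmith", "Admin", "admin"]

if __name__ == "__main__":
    for key, value in audit_usernames(LDAP_NAMES, DB_NAMES).items():
        print(f"{key}: {value}")
```

Entries under `case_mismatch` are the ones to reconcile, either by renaming the database user or by standardising the form users type at login.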