For ‘strategic business reasons’, I am trying to keep connections in MariaDB 
and authentication from AD.  The current product doesn’t require altering AD.  
Not my call.

The plan is/was to have multiple installations of Guacamole allowing access 
through control-points into differing secured zones of our network.  One 
installation would point at AD-group-ZONE1 for authentication, in Guac the 
admin would assign connections into ‘ZONE1’ to everyone in AD-group-ZONE1.  
Rinse and repeat for ZONE2,3,4, etc.  With the intention that ~600 users would 
be using it for access into these zones.  My *NIX sysadmin team has been 
happily using it for some time now.  Because neither the team (~20) nor the 
connections change frequently; and when they do, it is trivial for them to 
manage it internal to the team.  For the mass population, the changes are just 
too frequent to manage in this fashion.

I have tried numerous iterations of configuring this and wind up either with 
ALL users being displayed in the “Users” tab and having to manually assign each 
user connections, or only the AD-group being shown in the “Users” tab but the 
users (in that group) being unable to even login to Guac.  I am going to look 
into the cross-platform scripting to strip the users from the AD-group and 
assign them connections in MariaDB.  It spreads the solution’s footprint out a 
bit, but I will see where it goes.


From: Mike Jumper <mike.jum...@guac-dev.org>
Reply-To: "user@guacamole.incubator.apache.org" 
<user@guacamole.incubator.apache.org>
Date: Tuesday, June 20, 2017 at 14:31
To: "user@guacamole.incubator.apache.org" <user@guacamole.incubator.apache.org>
Subject: Re: groups for user .

On Jun 20, 2017 11:25 AM, "Alder, Steve" <steve_al...@csx.com> wrote:
Thank you so much for the information, and responding.  I am currently in an 
environment with multiple thousands of user accounts, and am just POC’ing 
Guacamole as a replacement for an existing commercial product.  I think the 
inability to assign connections (natively) via group membership might be 
a show-stopper for us at this point.

What about leveraging LDAP or AD?

Though guac's database backend doesn't implement user groups, the LDAP backend 
inherently does. Connections themselves are defined using a group-type object.

- Mike



