Hi James,

I also manage my users in LDAP, mainly so that I can enforce multi-factor authentication. It seems that to assign connections to users I have to explicitly also add them to MySQL too - they don't just 'appear' in the list. I add the user of the same name with a blank password and then assign connections (I check that I can't log in as that user with a blank password and I can't).

It's true that if I created a user in MySQL that wasn't also in LDAP then they'd be able to log in. However, as admin I simply choose not to do that and I think you could set up other sub-admin accounts that don't have the 'create user' permission to prevent others from doing so while still allowing them to create connections for example.

The docker image works well but does have limitations on passing configuration in. Ideally a mechanism would exist where you could pass any property through docker, or maybe store your .properties file on a mapped docker volume, but I don't think it does at the moment. Others may know more than me on here though.

Cheers
Andy

________________________________
From: James Wilson [[email protected]]
Sent: 20 July 2017 10:49
To: [email protected]
Subject: LDAP and MySQL

Hi,

I currently use the Guacamole Docker container and have recently set up an LDAP server for authentication on my network which is being used by multiple services and would also like to use the MySQL integration as well as it makes the managing of users much nicer from the administration end. However I require authentication to only be granted when a user is in the LDAP server. If a user exists within the MySQL authentication but not in LDAP I do not want the user to be authenticated. Currently it appears that the user can authenticate through either method and that doesn't achieve what I am looking for with regards to the LDAP server having the final say.

Some reading through the documentation indicated that by using a parameter "mysql-user-required: true" within the guacamole.properties file, it forced users to exist in both the MySQL and LDAP repositories. However this does not appear to work for the docker version of Guacamole as there is no mechanism currently of taking that parameter in and placing it within the guacamole.properties file as there is for the LDAP and MySQL parameters.

Has anyone else run into this issue? Are there plans to add mysql-user-required as a parameter for the docker container? Any advice would be appreciated.

James
