Added support for specifying LDAP UPN in properties file

Open agreenbhm opened this issue 3 years ago • 3 comments

Added support for specifying LDAP UPN in properties file. Allows for any user in LDAP (with the corresponding UPN) to authenticate. Removes requirement of users being within same OU for large LDAP deployments.

agreenbhm avatar Jan 13 '22 17:01 agreenbhm

@agreenbhm : A couple of notes:

  1. You need to have a Jira issue opened for a pull request, and the PR and commits need to be tagged with the Jira issue.
  2. There's already a Jira issue for this: https://issues.apache.org/jira/browse/GUACAMOLE-536
  3. There's already work being done on this front: #507

necouchman avatar Jan 13 '22 17:01 necouchman

Thanks for the info. Looks like that PR is nearly 2 years old. @necouchman: Given that you are the author of that PR, is there anything more that is needed to be done to get that merged? It looks like the changes I made are pretty similar to the ones you did so I'm not sure why your PR wouldn't be merged yet since it seems functional.

agreenbhm avatar Jan 13 '22 18:01 agreenbhm

I'm not sure whether these changes (in spirit) or GUACAMOLE-536 are actually necessary:

  • The LDAP support does allow for lookup of users based on their UPN. This would involve using userPrincipalName for the username attribute.
  • Multiple LDAP servers are supported via the recently-introduced multi-server LDAP support. Users can be mapped to their relevant LDAP server based on username patterns, and then the search account can narrow that to a specific user once the relevant server is determined.

I know that Active Directory allows for binding with UPNs, and so adding a feature that would tell Guacamole to accept usernames matching that pattern and attempt to bind with those usernames directly would make configuration easier, but I'm not sure that's what these changes or GUACAMOLE-536 are intended to be.

EDIT: Sorry - that should be GUACAMOLE-536*. Copy-pasta of other things I also happen to have open.

mike-jumper avatar Jan 21 '22 23:01 mike-jumper
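The configuration that the comment above refers to, as an added example that is not part of this pull request or of the project's own documentation: a `guacamole.properties` fragment for the LDAP extension that looks users up by `userPrincipalName` instead of `uid`/`sAMAccountName`, so that a user anywhere under the domain root can be found regardless of OU. The hostname, base DN, bind DN and filter values are constructed placeholders for a fictional `example.com` directory.

```properties
# Directory endpoint. STARTTLS so the search-bind password and the
# user's password are never sent in the clear.
ldap-hostname:            dc1.example.com
ldap-port:                389
ldap-encryption-method:   starttls

# Search from the domain root rather than a single OU so that users in
# any container can be found; scope is controlled by the filter below,
# not by where the user object happens to live.
ldap-user-base-dn:        DC=example,DC=com

# Match the login name against the UPN attribute. With this setting the
# user types "jane.doe@example.com" at the Guacamole login form, the
# extension (bound as the search account) searches for an object whose
# userPrincipalName equals that value, and then re-binds as the DN it
# found using the password the user supplied.
ldap-username-attribute:  userPrincipalName

# Dedicated, read-only service account used only for the lookup; it
# needs no rights beyond reading the attributes above.
ldap-search-bind-dn:      CN=guac-search,OU=Service Accounts,DC=example,DC=com
ldap-search-bind-password: <placeholder-search-password>

# Restrict which matched objects may log in at all: enabled user
# accounts that are members of a specific group. The
# userAccountControl bit 2 (ACCOUNTDISABLE) check and group filter
# are the usual Active Directory idioms.
ldap-user-search-filter:  (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=Guacamole Users,OU=Groups,DC=example,DC=com))

# Keep the search bounded so a broad base DN cannot be used to
# enumerate the whole directory through the Guacamole login path.
ldap-max-search-results:  10
```

The point Mike raises maps onto the two lines `ldap-user-base-dn` and `ldap-username-attribute`: widening the base to the domain root removes the same-OU requirement, and the UPN attribute lets the login name carry the realm. What this does not do is bind with the UPN directly as Active Directory permits; that would be the separate feature he describes. For the multi-server case, the same keys (minus the `ldap-` prefix) are, as far as this example assumes, placed per server in the multi-server configuration file together with the username patterns that route a login to a given server, and the group-membership filter should be kept on every server entry so a broad base DN never widens who is allowed in.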