[ https://issues.apache.org/jira/browse/GUACAMOLE-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16805219#comment-16805219 ]

Michael Jumper commented on GUACAMOLE-768:
------------------------------------------

{quote}
If a user is created as a SQL user (mysql in my case) then that user inherits 
group connections.  If a user exists in LDAP it doesn't inherit group 
connections, but it does inherit administrative permissions.
{quote}

This is the intended behavior. The groups which apply to a particular user are 
dictated by the extension that authenticates that user. If you want an LDAP 
user to have the permissions granted to a group, they will need to be a member 
of that group according to LDAP. There is an issue open for adding the 
cross-extension inheritance that you're describing, though: GUACAMOLE-696

If the user exists only in LDAP, there is an outstanding issue which prevents 
that user from inheriting group permissions from the database despite the group 
existing in both LDAP and the database: GUACAMOLE-715

> SQL backed group doesn't work with LDAP auth
> --------------------------------------------
>
>                 Key: GUACAMOLE-768
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-768
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-ldap
>    Affects Versions: 1.0.0
>            Reporter: Charlie Stamp
>            Priority: Minor
>
> If a user is created as a SQL user (mysql in my case) then that user inherits 
> group connections.  If a user exists in LDAP it doesn't inherit group 
> connections, but it does inherit administrative permissions.  If there was a 
> way to make a connection read-only that'd be great.  The issue regarding 
> using database groups mentioned using proper ACL style permissions and was 
> incorrectly marked as resolved (or that line was mistakenly left in since that 
> was ignored).
>  
> Inheriting administrative permissions does give access to all connections to 
> LDAP users.  It is a terrible workaround only because I don't want anyone editing 
> connections except for IT staff.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
