Re: LDAP+database - Credential duplication?
Hi Jonathan, thanks a lot for your offer! If you would like to share the script you use to create the database entries, that would be useful for me. For the workshop use case I do indeed create all the accounts in LDAP with random passwords using a script; the SQL part of this is still missing, though, and I started creating a user-mapping.xml for Guacamole instead. But in order to be more flexible when it comes to creating additional users/sessions, the database approach seems more convenient.

Thanks a lot and best regards
Felix

On Thursday, 10.05.2018, 22:19, Jonathan Hankins wrote:
> Felix,
>
> There are some examples of generating the salt and hashing the
> password correctly for postgres and mysql in the online docs, for
> various programming languages. My use case is similar to yours
> (postgres+LDAP.) I needed to create users via script with random
> passwords in postgres, and I did it in shell script (bash) using
> openssl(1) to generate the random data and salts and do the hashes, some
> bash as glue, and psql to load the data into the database. It took me
> some trial and error to translate what was in the docs online to work
> in bash, and I'd be happy to share my script if it'd be useful to
> you.
>
> -Jonathan Hankins
Re: LDAP+database - Credential duplication?
On Fri, May 11, 2018 at 3:26 PM, Chris Duncan wrote:
> Thanks for the pointer, however, could you clarify where I make use of
> these parameter tokens? When I configure a connection do I put the token
> variables in the username and password fields?

Yes, exactly - so, in the username field you would put ${GUAC_USERNAME} and in the password field ${GUAC_PASSWORD}.

-Nick
Re: LDAP+database - Credential duplication?
On Thu, May 10, 2018 at 11:17 PM, Chris Duncan wrote:
> ...
> Is it possible to configure connections to use the LDAP password without
> entering it in the database? I'm authenticating against Active Directory
> for Guacamole user passwords but I can't work out how to pass that same
> password through to connections configured in the Postgres database.

Yes. Use parameter tokens: http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens

- Mike
Re: LDAP+database - Credential duplication?
Sorry to piggyback on this topic but I have a related question. Is it possible to configure connections to use the LDAP password without entering it in the database? I'm authenticating against Active Directory for Guacamole user passwords but I can't work out how to pass that same password through to connections configured in the Postgres database.

On Thu, 10 May 2018, 23:00 Nick Couchman, wrote:
> On Thu, May 10, 2018 at 3:21 PM, Felix Wolfheimer <
> f.wolfhei...@googlemail.com> wrote:
>
>> I'm trying to set up guacamole with LDAP authentication and would like to
>> use postgresql as storage for the connection parameters. Looking at the
>> provided database schema files for postgresql (001-create-schema.sql), the
>> user information entered into the database requires a password. I'm
>> wondering whether this means that the LDAP user credentials need to be
>> duplicated and entered into the database? The guacamole manual however
>> suggests that once a user is successfully authenticated using the
>> credentials stored in LDAP, the guacamole database will trust this user and
>> will use the information present in the database for this user (
>> https://guacamole.apache.org/doc/gug/ldap-auth.html):
>>
>
> Yes, this is correct.
>
>> "Data can be manually associated with LDAP users by creating
>> corresponding user accounts within the database which each have the same
>> usernames as valid LDAP users. As long as the username is identical, a
>> successful login attempt against LDAP will be trusted by the database
>> authentication, and that user's associated data will be visible."
>>
>> Actually, I'd like to prevent storing password information in the
>> database and only use the LDAP passwords for authentication. Is this
>> supposed to work? May I just adjust the database schema and leave the
>> password field empty?
>>
> The password for the user from LDAP is not copied to or stored in the
> database. The database does require a user password to be set; however, if
> you leave this blank when creating users in the admin interface one will be
> randomly generated. Similarly, if you are importing users directly into
> the database you could generate random values for this field and the LDAP
> authentication will still work, and it will *not* update/store the LDAP
> password in the DB.
>
>
>> BTW: Thanks for providing this great product. I've used it to host
>> workshops for up to 50 people, providing each of them access to a graphical
>> desktop. It's working great. :-)
>>
>>
> Glad you like it and it is working out for you - I always love hearing
> real-life success stories!
>
> -Nick
>
Re: LDAP+database - Credential duplication?
Felix,

There are some examples of generating the salt and hashing the password correctly for postgres and mysql in the online docs, for various programming languages. My use case is similar to yours (postgres+LDAP.) I needed to create users via script with random passwords in postgres, and I did it in shell script (bash) using openssl(1) to generate the random data and salts and do the hashes, some bash as glue, and psql to load the data into the database. It took me some trial and error to translate what was in the docs online to work in bash, and I'd be happy to share my script if it'd be useful to you.

-Jonathan Hankins

On Thu, May 10, 2018 at 5:00 PM Nick Couchman wrote:
> On Thu, May 10, 2018 at 3:21 PM, Felix Wolfheimer <
> f.wolfhei...@googlemail.com> wrote:
>
>> I'm trying to set up guacamole with LDAP authentication and would like to
>> use postgresql as storage for the connection parameters. Looking at the
>> provided database schema files for postgresql (001-create-schema.sql), the
>> user information entered into the database requires a password. I'm
>> wondering whether this means that the LDAP user credentials need to be
>> duplicated and entered into the database? The guacamole manual however
>> suggests that once a user is successfully authenticated using the
>> credentials stored in LDAP, the guacamole database will trust this user and
>> will use the information present in the database for this user (
>> https://guacamole.apache.org/doc/gug/ldap-auth.html):
>>
>
> Yes, this is correct.
>
>> "Data can be manually associated with LDAP users by creating
>> corresponding user accounts within the database which each have the same
>> usernames as valid LDAP users. As long as the username is identical, a
>> successful login attempt against LDAP will be trusted by the database
>> authentication, and that user's associated data will be visible."
>>
>> Actually, I'd like to prevent storing password information in the
>> database and only use the LDAP passwords for authentication. Is this
>> supposed to work? May I just adjust the database schema and leave the
>> password field empty?
>>
> The password for the user from LDAP is not copied to or stored in the
> database. The database does require a user password to be set; however, if
> you leave this blank when creating users in the admin interface one will be
> randomly generated. Similarly, if you are importing users directly into
> the database you could generate random values for this field and the LDAP
> authentication will still work, and it will *not* update/store the LDAP
> password in the DB.
>
>
>> BTW: Thanks for providing this great product. I've used it to host
>> workshops for up to 50 people, providing each of them access to a graphical
>> desktop. It's working great. :-)
>>
>>
> Glad you like it and it is working out for you - I always love hearing
> real-life success stories!
>
> -Nick
>

--
Jonathan Hankins
Homewood City Schools
jhank...@homewood.k12.al.us
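The scripted import that Nick and Jonathan describe above (a random placeholder password per LDAP user, a per-user salt, the SHA-256 hash the database extension expects) combined with the ${GUAC_USERNAME}/${GUAC_PASSWORD} token answer from Mike and Nick, as an added Python example that is not part of this thread and not Guacamole project code. It assumes the hashing convention documented for guacamole-auth-jdbc (32-byte random salt, password_hash = SHA-256 of the password followed by the upper-case hex of the salt) and the pre-1.0 PostgreSQL schema current when the thread was written (a username column on guacamole_user and a user_id column on guacamole_connection_permission); those table and column names, the connection name "Workshop desktop", the host 10.0.0.5 and the usernames ws01..ws03 are assumptions for illustration. It emits a psql script instead of connecting to a database.

```python
import hashlib
import secrets

# Added example, not Guacamole project code. Assumed: the hashing convention
# documented for guacamole-auth-jdbc (32-byte random salt, password_hash =
# SHA-256(password + upper-case hex of salt)) and the pre-1.0 PostgreSQL schema
# of the thread's era (username lives on guacamole_user; 1.0+ moved it to
# guacamole_entity). Table and column names below are therefore assumptions.
SALT_BYTES = 32


def make_salt() -> bytes:
    """One fresh salt per user, from the OS CSPRNG."""
    return secrets.token_bytes(SALT_BYTES)


def random_password(nbytes: int = 24) -> str:
    """Throw-away placeholder. Nobody needs it: the user authenticates against
    LDAP; the row only exists so connections and permissions can be attached."""
    return secrets.token_urlsafe(nbytes)


def guac_password_hash(password: str, salt: bytes) -> bytes:
    """SHA-256 over UTF-8(password + HEX(salt)); HEX is upper-case, matching
    MySQL's HEX() and the Java hex printer the extension uses."""
    return hashlib.sha256((password + salt.hex().upper()).encode("utf-8")).digest()


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Constant-time check; useful to confirm the convention against an existing row."""
    return secrets.compare_digest(guac_password_hash(password, salt), stored_hash)


def sql_quote(value: str) -> str:
    """Literal quoting for the generated SQL: usernames and connection names
    come from outside, so they are never interpolated raw."""
    return "'" + value.replace("'", "''") + "'"


def user_insert_sql(username: str, password: str, salt: bytes) -> str:
    """One guacamole_user row whose password is the random placeholder."""
    digest = guac_password_hash(password, salt)
    return (
        "INSERT INTO guacamole_user "
        "(username, password_hash, password_salt, password_date) VALUES ("
        f"{sql_quote(username)}, decode('{digest.hex().upper()}', 'hex'), "
        f"decode('{salt.hex().upper()}', 'hex'), CURRENT_TIMESTAMP);"
    )


def connection_insert_sql(name: str, protocol: str, hostname: str, port: int) -> str:
    """One connection whose username/password parameters are the
    ${GUAC_USERNAME}/${GUAC_PASSWORD} tokens: the credentials typed at the
    Guacamole login (validated by LDAP) are substituted at connect time, so
    the LDAP password is never written to the database. Assumes connection
    names are unique so the subselect is unambiguous."""
    params = {
        "hostname": hostname,
        "port": str(port),
        "username": "${GUAC_USERNAME}",
        "password": "${GUAC_PASSWORD}",
    }
    stmts = [
        "INSERT INTO guacamole_connection (connection_name, protocol) "
        f"VALUES ({sql_quote(name)}, {sql_quote(protocol)});"
    ]
    for key, value in params.items():
        stmts.append(
            "INSERT INTO guacamole_connection_parameter "
            "(connection_id, parameter_name, parameter_value) "
            f"SELECT connection_id, {sql_quote(key)}, {sql_quote(value)} "
            f"FROM guacamole_connection WHERE connection_name = {sql_quote(name)};"
        )
    return "\n".join(stmts)


def grant_read_sql(username: str, connection_name: str) -> str:
    """READ on one connection for one user (pre-1.0 user_id column assumed)."""
    return (
        "INSERT INTO guacamole_connection_permission "
        "(user_id, connection_id, permission) "
        "SELECT u.user_id, c.connection_id, 'READ' "
        "FROM guacamole_user u, guacamole_connection c "
        f"WHERE u.username = {sql_quote(username)} "
        f"AND c.connection_name = {sql_quote(connection_name)};"
    )


def workshop_script(usernames, connection_name, protocol, hostname, port) -> str:
    """psql-ready script: one shared tokenised connection, then one DB row and
    one READ grant per LDAP username. The placeholder passwords are discarded."""
    parts = ["BEGIN;", connection_insert_sql(connection_name, protocol, hostname, port)]
    for user in usernames:
        parts.append(user_insert_sql(user, random_password(), make_salt()))
        parts.append(grant_read_sql(user, connection_name))
    parts.append("COMMIT;")
    return "\n".join(parts)


if __name__ == "__main__":
    # Constructed sample input: workshop accounts that already exist in LDAP.
    print(workshop_script(["ws01", "ws02", "ws03"], "Workshop desktop", "rdp", "10.0.0.5", 3389))
```

Pipe the output into psql against the guacamole database. The placeholder password is never printed or kept, which is the point: the row exists only so the LDAP-authenticated username has connections and permissions attached to it, and the LDAP password itself reaches the remote desktop only through token substitution at connect time. On a 1.0 or later schema the user insert has to go through guacamole_entity instead, and verify_password() can be pointed at the default admin row your schema files ship to confirm the hash convention before importing fifty accounts.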
Re: LDAP+database - Credential duplication?
On Thu, May 10, 2018 at 3:21 PM, Felix Wolfheimer <
f.wolfhei...@googlemail.com> wrote:

> I'm trying to set up guacamole with LDAP authentication and would like to
> use postgresql as storage for the connection parameters. Looking at the
> provided database schema files for postgresql (001-create-schema.sql), the
> user information entered into the database requires a password. I'm
> wondering whether this means that the LDAP user credentials need to be
> duplicated and entered into the database? The guacamole manual however
> suggests that once a user is successfully authenticated using the
> credentials stored in LDAP, the guacamole database will trust this user and
> will use the information present in the database for this user (
> https://guacamole.apache.org/doc/gug/ldap-auth.html):
>

Yes, this is correct.

> "Data can be manually associated with LDAP users by creating corresponding
> user accounts within the database which each have the same usernames as
> valid LDAP users. As long as the username is identical, a successful login
> attempt against LDAP will be trusted by the database authentication, and
> that user's associated data will be visible."
>
> Actually, I'd like to prevent storing password information in the database
> and only use the LDAP passwords for authentication. Is this supposed to
> work? May I just adjust the database schema and leave the password field
> empty?
>

The password for the user from LDAP is not copied to or stored in the database. The database does require a user password to be set; however, if you leave this blank when creating users in the admin interface one will be randomly generated. Similarly, if you are importing users directly into the database you could generate random values for this field and the LDAP authentication will still work, and it will *not* update/store the LDAP password in the DB.

> BTW: Thanks for providing this great product. I've used it to host
> workshops for up to 50 people, providing each of them access to a graphical
> desktop. It's working great. :-)
>

Glad you like it and it is working out for you - I always love hearing real-life success stories!

-Nick
LDAP+database - Credential duplication?
I'm trying to set up guacamole with LDAP authentication and would like to use postgresql as storage for the connection parameters. Looking at the provided database schema files for postgresql (001-create-schema.sql), the user information entered into the database requires a password. I'm wondering whether this means that the LDAP user credentials need to be duplicated and entered into the database? The guacamole manual however suggests that once a user is successfully authenticated using the credentials stored in LDAP, the guacamole database will trust this user and will use the information present in the database for this user (https://guacamole.apache.org/doc/gug/ldap-auth.html):

"Data can be manually associated with LDAP users by creating corresponding user accounts within the database which each have the same usernames as valid LDAP users. As long as the username is identical, a successful login attempt against LDAP will be trusted by the database authentication, and that user's associated data will be visible."

Actually, I'd like to prevent storing password information in the database and only use the LDAP passwords for authentication. Is this supposed to work? May I just adjust the database schema and leave the password field empty?

BTW: Thanks for providing this great product. I've used it to host workshops for up to 50 people, providing each of them access to a graphical desktop. It's working great. :-)