Since I see that the OP is authenticating against AD via LDAP, I just want to throw this out there: AD stores the cn or sAMAccountName attribute case-sensitively. Guacamole doesn't do a case-insensitive match (whereas Windows login does), so I had to make sure that my sAMAccountName / cn attributes were all lower case (which is what my users are expecting to type in the Guacamole login box) for authentication to work. Mass-changing sAMAccountName to lowercase is non-trivial, since many tools to do so work case-insensitively. I can look up how I managed to script it if anyone gets stuck like I did.
-Jonathan Hankins On Fri, Jun 14, 2019 at 10:31 AM Mike Jumper <mjum...@apache.org> wrote: > On Fri, Jun 14, 2019, 07:06 Zer0Cool <melin3...@gmail.com> wrote: > >> Pardon my ignorance, but let me make sure I follow. >> >> So you are saying that the ldap filter (and thus results) are likely >> up-to-date but that the database side of the account does not get >> deleted/removed from the database when there is no longer a matching LDAP >> account to go with it? >> > > Nor would a database account be automatically created for LDAP. The two > are independent. Guacamole unifies things for accounts having the same > username, and that common username is the sole association between them. > > So I would assume that while the account still exists in the database, >> authentication of the account would fail as the underlying AD/LDAP account >> is no longer active/pulled in by the filter? >> > > If you set a password for the database account, authentication using the > database-specific password will succeed. > > >> I presume that means it would be a manual task to go in and delete >> disbaled >> AD accounts from the database within Guacamole? >> > > Yes. > > >> For what its worth, this makes sense to me as you wouldn't want the >> database >> to delete users/settings in the event it cannot connect to AD temporarily >> for example. >> > > Indeed. > > Also, the two systems really are not interconnected in that way. Except > for having the same username, there is no direct association between > accounts in the database and within LDAP. > > Both the database and LDAP expose separate and independent sets of data, > while the web interface unifies that data for presentation to user. With > the exception of one (the database) trusting the authentication result of > the other (LDAP), the two function completely independently. > > - Mike > > -- ------------------------------------------------------------------------ Jonathan Hankins Homewood City Schools jhank...@homewood.k12.al.us ------------------------------------------------------------------------ -- This e-mail is intended only for the recipient and may contain confidential or proprietary information. If you are not the intended recipient, the review, distribution, duplication or retention of this message and its attachments is prohibited. Please notify the sender of this error immediately by reply e-mail, and permanently delete this message and its attachments in any form in which they may have been preserved.
