On Tue, Feb 16, 2021 at 5:26 AM Thomas Besser <thomas.bes...@kit.edu> wrote:
> On 16.02.21 at 09:45, Mike Jumper wrote:
> > Is there any way, to configure "default connections" in database which
> > are shown to all authenticated users?
> >
> > There is no way to grant access to simply all authenticated users (and
> > that would probably be dangerous), but you can achieve what you're
> > looking for with groups. You don't need to create any of these users
> > within the database. All you need to do is:
>
> Thanks for clarification.
>
> > 1) Create a user group within LDAP that each of the student accounts is
> > a member of (if this doesn't already exist)
>
> Such a group already exists.
>
> > 2) Make sure Guacamole is configured to retrieve user groups from LDAP.
>
> Yes, I forgot that I read about that a few days ago. I tried once
> without success to retrieve groups from LDAP. But that may be based on
> the complex situation regarding LDAP here.
>
> It's a centralized LDAP server, I can access all relevant users and
> groups (according to LDAP_SEARCH_BIND_DN, like
> cn=admin,dc=example,dc=org), but this account is not within
> LDAP_USER_BASE_DN or LDAP_GROUP_BASE_DN. So it is not possible to login
> to guacamole web interface with this account.
>
> If I read https://guacamole.apache.org/doc/gug/ldap-auth.html correctly,
> it should be possible, to create that LDAP group manually in database
> with the same name!?
>
> Adding a user (without a password) and configure connections to this
> does work. But creating a group with the same name as in LDAP does not.
>
> The according ldap group is of type "posixGroup" with "memberUid" as
> "ldap-member-attribute" and "uid" as "ldap-member-attribute-type".
> Probably that is the reason.
>
> https://guacamole.apache.org/doc/gug/guacamole-docker.html#guacamole-docker-ldap
> does not mention anything to configure this with "optional environment
> variables"
>
> I tried to set environment variables for docker:
> -e LDAP_MEMBER_ATTRIBUTE=memberUid \
> -e LDAP_MEMBER_ATTRIBUTE_TYPE=uid \
>
> But did not work.
>
> Any hint how I can debug this?

Can you share the other environment variables and the relevant structure of your LDAP directory?

What is the DN of the group in question and your LDAP_GROUP_BASE_DN?

If you authenticate with your LDAP directory using a generic LDAP search tool and a normal LDAP account (the type of account one of your students would use), are you able to query your own group memberships?

Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://enterprise.glyptodon.com/>.
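
The two things the reply asks about (whether the group's DN falls under LDAP_GROUP_BASE_DN, and how the group stores its members) can be modelled offline. This is an added example, not part of the original thread and not Guacamole's code: the directory entries, DNs and function names are constructed, and the lookup is a simplified model of the ldap-member-attribute and ldap-member-attribute-type settings mentioned above.

```python
# Constructed sample directory: every DN, uid and group name here is made up.
DIRECTORY = [
    {"dn": "uid=student1,ou=people,dc=example,dc=org",
     "objectClass": ["posixAccount"], "uid": ["student1"]},
    # posixGroup: members are bare usernames stored in memberUid
    {"dn": "cn=students,ou=groups,dc=example,dc=org",
     "objectClass": ["posixGroup"], "cn": ["students"],
     "memberUid": ["student1", "student2"]},
    # groupOfNames: members are full DNs stored in member; outside ou=groups
    {"dn": "cn=staff,ou=other,dc=example,dc=org",
     "objectClass": ["groupOfNames"], "cn": ["staff"],
     "member": ["uid=student1,ou=people,dc=example,dc=org"]},
]


def under_base(dn, base_dn):
    """True if dn equals base_dn or sits below it.

    Simplified: splits on commas, so escaped commas in RDNs are not handled.
    """
    def rdns(s):
        return [part.strip().lower() for part in s.split(",")]
    d, b = rdns(dn), rdns(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def groups_for(user, group_base_dn, member_attribute="member", member_type="dn"):
    """Names of groups under group_base_dn whose member attribute lists the user.

    member_type "dn" compares against the user's full DN, "uid" against the
    bare username (assumed model of the two documented setting values).
    """
    wanted = user["dn"] if member_type == "dn" else user["uid"][0]
    found = []
    for entry in DIRECTORY:
        if not under_base(entry["dn"], group_base_dn):
            continue  # group exists but is outside the configured search base
        if wanted in entry.get(member_attribute, []):
            found.append(entry["cn"][0])
    return found


if __name__ == "__main__":
    student = DIRECTORY[0]
    base = "ou=groups,dc=example,dc=org"
    print("member/dn     :", groups_for(student, base))
    print("memberUid/uid :", groups_for(student, base, "memberUid", "uid"))
    print("wider base    :", groups_for(student, "dc=example,dc=org"))
```

In this model the posixGroup is only found once both the attribute name and the attribute type match how the group stores its members, and a group outside the configured base is never returned regardless of those settings.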