On Sun, Mar 20, 2022 at 7:37 AM Vieri <rentor...@yahoo.com.invalid> wrote:
> On Sunday, March 20, 2022, 11:53:19 AM GMT+1, Vieri
> <rentor...@yahoo.com.invalid> wrote:
>
> > This is my current guacamole.properties
>
> If I replace LDAP connection provisioning with a Postgresql backend, I get
> the expected result: connections are properly loaded even when
> authenticating with SAML.
> So I guess I'm better off migrating from LDAP to Postgresql.
>

Vieri,

First, thanks for keeping the thread up-to-date and letting everyone know what worked for you - this is very helpful to the entire community.

Regarding the LDAP module - it won't "stack" with the SSO module in the same way that the JDBC module does for what you're trying to do. This is because the LDAP module *always* uses the authentication information of the user who is logging in to find both group membership and connection information. The search DN and password are only used to locate the LDAP object of the user logging in, and then the connection is re-bound with the credentials of the user who is authenticating to Guacamole. This requires that the password be provided for the user logging in, and since the SSO modules don't use a password (at least not directly with Guacamole), and since successful authentication with one module precludes authentication from being evaluated in other modules, this won't work - the LDAP module will never be evaluated for authentication when SSO is used, and, even if it were, there would be no password provided to it, so it would always fail.

So, yes, if you intend to use SSO to log in to Guacamole, you will need to store connection data in JDBC, or possibly use the JSON module to dynamically write it with another (SSO-integrated) service.

-Nick
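
The combination described in the reply above, sketched as a guacamole.properties fragment. This is an added example, not part of the thread and not Vieri's actual file: every hostname, URL, DN and credential is a placeholder, and the commented-out LDAP lines only illustrate the kind of setup being replaced.

```properties
# guacamole.properties: SAML handles login, PostgreSQL holds connection data.
# Added example; all values below are placeholders, not taken from the thread.

# SAML SSO: the IdP authenticates the user, so Guacamole never sees a password.
saml-idp-metadata-url: https://idp.example.com/metadata.xml
saml-entity-id: https://guac.example.com
saml-callback-url: https://guac.example.com/guacamole
saml-group-attribute: groups

# PostgreSQL (JDBC): queried with the service account below, not with the
# logging-in user's credentials, so it can supply connections to SSO users.
postgresql-hostname: db.example.com
postgresql-database: guacamole_db
postgresql-username: guacamole_user
postgresql-password: CHANGE_ME

# Create a database user record for anyone who authenticated through another
# extension (here SAML), so connections can be granted to that username.
postgresql-auto-create-accounts: true

# LDAP connection provisioning, left disabled: the search DN only locates the
# user object, after which the module re-binds with the user's own password,
# which an SSO login never provides.
# ldap-hostname: ldap.example.com
# ldap-user-base-dn: ou=people,dc=example,dc=com
# ldap-search-bind-dn: cn=guac-search,dc=example,dc=com
# ldap-search-bind-password: CHANGE_ME
```

Connections in the database are granted by username or group, so the username asserted by the IdP has to match the database user record for them to appear after login.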