With xRDP, if the user account is associated with the root group it will not log in; it needs to be a non-root user. Also, xRDP likes to bind to IPv6.

Hope this helps.

*Thank You*
Sean Hulbert



*Security Centric Inc.*

On 12/6/2023 2:31 PM, Aero Tech wrote:
While I am working through the MySQL issues I am using the quick connect extension. Accounts set up with 2FA using PAM are having issues with xrdp login. Accounts without the PAM 2FA are not. Any way to pass the cred from the web console auth that anyone knows of?

On Tue, Dec 5, 2023 at 10:58 AM Nick Couchman <[email protected]> wrote:

    On Tue, Dec 5, 2023 at 10:45 AM Aero Tech <[email protected]>
    wrote:

        Adding the LDAPS user to user xml works for getting
        connections for the LDAPS user but I have to have the LDAPS
        user password. Is there some way to specify user mapping to
        accept the account LDAPS password?


    The user-mapping.xml authentication mechanism does not "stack"
    with the other authentication mechanisms that way, so, no, there
    is no way to do that.

    If you want to use Guacamole with LDAP, and want connections to be
    stored somewhere outside of LDAP, the easiest way is to use the
    database module to store connections and then use LDAP users and
    groups. You mentioned this in your original e-mail, that you were
    using MySQL, and this should work fine. There are a few things to
    keep in mind:
    * If you want to map LDAP users and/or groups to the database
    module, the user and group names have to match *exactly* -
    including case-sensitivity.
    * In order to get LDAP groups pulled in, you'll need to make sure
    you're specifying the group base/search OU in the
    guacamole.properties file, otherwise groups will not be queried.
    * You can have users auto-created in the JDBC module (MySQL) upon
    successful login - there's an option for it in the
    guacamole.properties file.

    Overall, make sure you read the following manual pages thoroughly:
    https://guacamole.apache.org/doc/gug/jdbc-auth.html
    https://guacamole.apache.org/doc/gug/ldap-auth.html

    Feel free to post back with any specific questions or issues.

    -Nick
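
Added example, not part of the original thread: a small Python check for the three LDAP-plus-database points listed in Nick's reply (group base DN, account auto-creation, exact-case name matching). The property names `ldap-group-base-dn` and `mysql-auto-create-accounts` are taken from the Guacamole manual rather than from the thread, and the sample configuration and account names are constructed placeholders.

```python
import re

# Constructed sample guacamole.properties; hosts, DNs and credentials are placeholders.
SAMPLE = """\
ldap-hostname: ldap.example.test
ldap-port: 636
ldap-encryption-method: ssl
ldap-user-base-dn: ou=people,dc=example,dc=test
mysql-hostname: localhost
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: CHANGE_ME
"""

def parse_properties(text):
    """Parse 'key: value' or 'key=value' lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_config(props):
    """Flag the two guacamole.properties settings mentioned in the thread."""
    findings = []
    if not props.get("ldap-group-base-dn"):
        findings.append("ldap-group-base-dn unset: LDAP groups will not be queried")
    if props.get("mysql-auto-create-accounts", "").lower() != "true":
        findings.append("mysql-auto-create-accounts not true: no database "
                        "account is created for a user on successful login")
    return findings

def case_mismatches(ldap_names, db_names):
    """Return (ldap, db) pairs differing only by case; these will not map."""
    exact = set(db_names)
    pairs = []
    for name in ldap_names:
        if name in exact:
            continue
        pairs += [(name, db) for db in db_names if db.casefold() == name.casefold()]
    return pairs

if __name__ == "__main__":
    for finding in check_config(parse_properties(SAMPLE)):
        print("WARN", finding)
    print(case_mismatches(["jsmith", "Admins"], ["JSmith", "Admins"]))
```

Feed `case_mismatches` the user and group names exported from the directory and from the Guacamole database to find entries that look mapped but are not.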
