For a user to have access to connection data within MySQL (or to have the ability to create and manage connections within MySQL), they must be granted permission to do so within MySQL. As Guacamole uses the username to represent identity, there are two ways to accomplish this:
- Create an account within LDAP having the same username as an existing administrative user in MySQL (such as the default guacadmin), and log in as that user when managing things.
- Log in as an administrative user in MySQL and create a new administrative account having the same username as your account within LDAP. After logging out and logging back in as that user, you will have admin permissions.
The relevant section is in the chapter of the manual covering LDAP:
Associating LDAP with a database
If you install both the LDAP authentication as well as support for MySQL or PostgreSQL (following the instructions in Chapter 6, Database authentication), Guacamole will automatically attempt to authenticate against both systems whenever a user attempts to log in. That user will have access to any data associated with them via the database, as well as any visible objects within the LDAP directory. The LDAP account will be considered equivalent to the database user if the username is identical.
Data can be manually associated with LDAP users by creating corresponding user accounts within the database which each have the same usernames as valid LDAP users. As long as the username is identical, a successful login attempt against LDAP will be trusted by the database authentication, and that user's associated data will be visible.
If an administrator account (such as the default guacadmin user provided with the database authentication) has a corresponding user in the LDAP directory with permission to list and read other LDAP users, the Guacamole administrative interface will include LDAP users in the overall user list presented to the administrator, and allow connections from the database to be associated with those users directly.
(emphasis added)