[ https://issues.apache.org/jira/browse/GUACAMOLE-536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17480332#comment-17480332 ]
Joseph L. Casale commented on GUACAMOLE-536:
--------------------------------------------
Hi Mike,
As per the docs for *ldap-user-base-dn*:
The base of the DN for all Guacamole users. _This property is absolutely
required in all cases._ All Guacamole users must be descendants of this base DN.
If a search DN is provided (via {{ldap-search-bind-dn}}), then Guacamole
users need only be somewhere within the subtree of the specified user base DN.
If a search DN _is not_ provided, then all Guacamole users must be _direct
descendants_ of this base DN, as the base DN will be appended to the username
to derive the user's DN. For example, if {{ldap-user-base-dn}} is
"{{ou=people,dc=example,dc=net}}", and {{ldap-username-attribute}} is
"uid", then a person attempting to log in as "{{user}}" would be mapped to
the following full DN: "{{uid=user,ou=people,dc=example,dc=net}}".
We can only perform a subtree search if a bind account ({{ldap-search-bind-dn}}) is
used; otherwise the distinguished name of the user is inferred, and the user
must reside directly inside the base DN.
> Add support for arbitrary LDAP bind patterns
> --------------------------------------------
>
> Key: GUACAMOLE-536
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-536
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-ldap
> Reporter: Joseph L. Casale
> Assignee: Nick Couchman
> Priority: Minor
>
> The current LDAP authentication scheme can recursively search the base DN
> only when a bind DN is used. When binding with the user attempting to log on,
> the bind DN format pattern is not exposed through configuration, which imposes
> unnatural restrictions forcing the user to exist in a single container.
> If the format pattern was exposed for configuration, for DSAs which allow
> flexible bind patterns such as Active Directory, configuration could allow
> "DOMAIN\%s" or "%s@domain.com", and for those DSAs which do not, you would simply
> configure the restrictive full DN as the pattern.
> The use case is that we use Active Directory and do not allow bind accounts, so
> the restriction prevents all users from accessing the application as our
> topology is not flat (we need to pick a single container, therefore excluding
> everyone else).
> A working Java implementation of an LDAP auth scheme that facilitates this is
> [Gitblit|http://gitblit.com/properties.html], see the realm.ldap.*
> configuration properties. Setting the bind pattern to the UPN such as:
> {code:java}
> realm.ldap.bindpattern = ${username}@domain.com
> {code}
> allows the flexible configuration in our Active Directory environment.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
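As an added illustration (not Guacamole's or Gitblit's code), the two bind-identity derivations discussed in this thread side by side: the current base-DN-plus-username-attribute mapping, and a configurable bind pattern with a `${username}` placeholder as requested in the issue. It is written in Python rather than the project's Java so it runs stand-alone; the placeholder name, the "pattern contains `=` means it is a DN template" rule and the username allow-list for UPN and DOMAIN\user forms are assumptions of this example, added so that a login name cannot alter the structure of the DN or bind string.

```python
import re

# RFC 4514: these characters must be backslash-escaped inside an attribute
# value of a DN; '#' only at the start, space only at the start or end.
_DN_SPECIAL = set(',+"\\<>;')

# Assumed allow-list for names substituted into non-DN patterns (UPN or
# DOMAIN\user), where the directory itself interprets '@' and '\'.
_SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def escape_dn_value(value: str) -> str:
    """Escape a user-supplied value for use as one RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def derive_user_dn(base_dn: str, username_attribute: str, username: str) -> str:
    """Current behaviour without ldap-search-bind-dn: the user's DN is the
    username attribute joined directly to ldap-user-base-dn."""
    return f"{username_attribute}={escape_dn_value(username)},{base_dn}"

def apply_bind_pattern(pattern: str, username: str) -> str:
    """Requested behaviour: substitute the login name into an admin-configured
    bind pattern (e.g. '${username}@domain.com', 'DOMAIN\\${username}', or a
    full DN template such as 'uid=${username},ou=people,dc=example,dc=net')."""
    if "${username}" not in pattern:
        raise ValueError("bind pattern must contain ${username}")
    if "=" in pattern:
        # DN template: escape so the name cannot add or change RDNs.
        value = escape_dn_value(username)
    else:
        # UPN / down-level form: only accept a conservative character set.
        if not _SAFE_USERNAME.match(username):
            raise ValueError("username not acceptable for this bind pattern")
        value = username
    return pattern.replace("${username}", value)

if __name__ == "__main__":
    print(derive_user_dn("ou=people,dc=example,dc=net", "uid", "user"))
    print(apply_bind_pattern("${username}@domain.com", "user"))
```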