Hi Nick,

I've been working with Sathija on this config and wanted to follow up... I think the key in our config is the use of these options[1]:

ldap-search-bind-dn: <>
ldap-search-bind-password: <>

With those options, it was my understanding that Guacamole uses that info to authenticate to LDAP and perform the query for the Guacamole user. It does not use the credentials of the user logging in. We were expecting Guacamole to use these options to perform the bind and look up any connections from LDAP, based on the username provided by SAML.

If that makes sense, but is not supported today, we could probably work out the implementation and open a PR, if there's a reasonable chance it would be accepted?

Thanks,
-Loren

[1]: To save a search, here are the docs on those options:

ldap-search-bind-dn
    The DN (Distinguished Name) of the user to bind as when authenticating users that are attempting to log in. If specified, Guacamole will query the LDAP directory to determine the DN of each user that logs in. If omitted, each user's DN will be derived directly using the base DN specified with ldap-user-base-dn.

ldap-search-bind-password
    The password to provide to the LDAP server when binding as ldap-search-bind-dn to authenticate other users. This property is only used if ldap-search-bind-dn is specified. If omitted, but ldap-search-bind-dn is specified, Guacamole will attempt to bind with the LDAP server without a password.

On 2022/02/07 18:27:02 Nick Couchman wrote:
> On Mon, Feb 7, 2022 at 1:18 PM Sathija Pavuluri <[email protected]> wrote:
>
> > We have Guacamole configured to use SAML to initially authenticate users and subsequently use LDAP to look up the user and retrieve RDP connection properties.
> >
> > When using this setup, user is successfully authenticated against SAML but Guac makes no attempt to connect to LDAP to look the user up.
> > So using SAML auth, do connection details have to come from a DB alone? Is LDAP not supported?
>
> You are correct, after a successful SAML authentication, there will be no attempt to connect to LDAP. This is because the LDAP module is designed specifically to use the credentials of the user who is logging in to query the LDAP tree. Since 1) authentication has already succeeded, and 2) with SAML authentication there is no password to send to the LDAP server, the module will not attempt to authenticate the user.
>
> If you're storing connection information in LDAP then you should just use LDAP to authenticate and not try to stack SAML and LDAP.
>
> -Nick
>
> *This e-mail and any attachments are intended only for the use of the addressee(s) named herein and may contain proprietary information. If you are not the intended recipient of this e-mail or believe that you received this email in error, please take immediate action to notify the sender of the apparent error by reply e-mail; permanently delete the e-mail and any attachments from your computer; and do not disseminate, distribute, use, or copy this message and any attachments.*
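As an added example (not Guacamole's code and not from anyone on this thread), the two user-lookup modes the quoted docs describe, modelled in Python: with `ldap-search-bind-dn` set, bind as the search account and search for the user's DN; without it, derive the DN directly under `ldap-user-base-dn`. Because the username would now come from a SAML assertion rather than from an LDAP-authenticated password bind, it is treated as untrusted and escaped before it is placed in a filter or a DN. The `LdapConfig` field names, the `search` callable standing in for the directory query, and the sample DNs are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value embedded in a DN."""
    escaped = ''.join('\\' + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if escaped[:1] in (' ', '#'):          # leading space or '#' must be escaped
        escaped = '\\' + escaped
    if escaped.endswith(' '):              # so must a trailing space
        escaped = escaped[:-1] + '\\ '
    return escaped

@dataclass
class LdapConfig:  # assumed field names mirroring the guacamole.properties keys
    user_base_dn: str
    username_attribute: str = "uid"
    search_bind_dn: Optional[str] = None
    search_bind_password: Optional[str] = None

def user_search_filter(cfg: LdapConfig, username: str) -> str:
    """Filter used in search-bind mode; the username is escaped, not trusted."""
    return "(%s=%s)" % (cfg.username_attribute, escape_filter_value(username))

def resolve_user_dn(cfg: LdapConfig, username: str,
                    search: Callable[[Optional[str], Optional[str], str, str], List[str]]
                    ) -> Optional[str]:
    """Return the user's DN, or None if it cannot be determined unambiguously.

    `search(bind_dn, bind_password, base_dn, ldap_filter)` is a constructed
    stand-in for the directory query and returns the DNs that matched."""
    if cfg.search_bind_dn is None:
        # No search account: derive the DN directly beneath the user base DN.
        return "%s=%s,%s" % (cfg.username_attribute,
                             escape_dn_value(username), cfg.user_base_dn)
    # Search account present: bind as it and look the user up by filter.
    matches = search(cfg.search_bind_dn, cfg.search_bind_password,
                     cfg.user_base_dn, user_search_filter(cfg, username))
    if len(matches) != 1:
        return None  # zero or several hits: refuse rather than pick one
    return matches[0]
```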
