On Mon, Feb 7, 2022 at 1:58 PM Loren Gordon <[email protected]> wrote:
> Hi Nick,
>
> I've been working with Sathija on this config and wanted to follow up... I
> think the key in our config is the use of these options[1]:
>
> ldap-search-bind-dn: <>
> ldap-search-bind-password: <>
>
> With those options, it was my understanding that Guacamole uses that info
> to authenticate to LDAP and perform the query for the Guacamole user. It
> does not use the credentials of the user logging in. We were expecting
> Guacamole to use these options to perform the bind and lookup any
> connections from LDAP, based on the username provided by SAML.
>

The only thing Guacamole uses these credentials for is to locate the user who is logging in. After that user is located, the search bind is disconnected and the user's credentials are used from that point on, including evaluating group membership for the user and connections stored in LDAP. This design is very intentional - it means that the security enforced by the LDAP directory is used to determine what the user who is logging in sees.

> If that makes sense, but is not supported today, we could probably work
> out the implementation and open a PR, if there's a reasonable chance it
> would be accepted?
>

I think we're likely moving in the direction of supporting this functionality, and, speaking only for myself, I would not oppose such a change - it tends to be pretty frequently-requested, as it's how a lot of other LDAP connectors work. That said, my preference is that the current way it functions remain the default configuration, and such a change (using search DN to evaluate group membership and connections in LDAP) would have to be explicitly enabled in the configuration.

-Nick
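The two-phase flow Nick describes (search bind only to map a username to a DN, then the user's own bind for everything else) and the proposed opt-in alternative (reusing the search DN for group and connection lookups) are modelled below as an added example. This is not Guacamole's code and not code from anyone in this thread: it is a constructed, in-memory stand-in for an LDAP directory with a simple subtree ACL, so the control flow and its authorization consequence can be run offline. Every DN, attribute value, password and the ACL table are invented for the illustration; only the guacConfigGroup/member shape follows the real schema.

```python
"""Constructed model of search-bind-then-user-bind versus search-DN-for-everything.

Not Guacamole's implementation. DIRECTORY and ACL are invented sample data so
the example runs offline; a real deployment would talk to an LDAP server.
"""
from dataclasses import dataclass

# Constructed directory: DN -> attributes. Connection entries use the
# guacConfigGroup objectClass and a member attribute, as in the real schema.
DIRECTORY = {
    "cn=guac-search,ou=services,dc=example,dc=org": {
        "userPassword": ["search-secret"],
    },
    "uid=alice,ou=people,dc=example,dc=org": {
        "uid": ["alice"], "userPassword": ["alice-pw"],
    },
    "cn=prod-ssh,ou=connections,dc=example,dc=org": {
        "objectClass": ["guacConfigGroup"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"],
    },
    "cn=dba-ssh,ou=restricted,dc=example,dc=org": {
        "objectClass": ["guacConfigGroup"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"],
    },
}

# Constructed ACL: subtrees each bound DN may read. The search account can
# read the whole tree; alice has no read access to ou=restricted, even though
# she is listed as a member of a connection stored there.
ACL = {
    "cn=guac-search,ou=services,dc=example,dc=org": ["dc=example,dc=org"],
    "uid=alice,ou=people,dc=example,dc=org": [
        "ou=people,dc=example,dc=org",
        "ou=connections,dc=example,dc=org",
    ],
}

SEARCH_DN = "cn=guac-search,ou=services,dc=example,dc=org"
SEARCH_PW = "search-secret"


class BindError(Exception):
    pass


@dataclass
class Session:
    """A bound session: the bind DN's ACL governs every search made through it."""
    bind_dn: str

    def search(self, base, predicate):
        # Entries the bound DN may not read are simply absent from the result,
        # which is how the directory's own security shapes what a caller sees.
        readable = ACL.get(self.bind_dn, [])
        return [
            dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base)
            and any(dn.endswith(scope) for scope in readable)
            and predicate(attrs)
        ]


def bind(dn, password):
    attrs = DIRECTORY.get(dn)
    if attrs is None or password not in attrs.get("userPassword", []):
        raise BindError(f"invalid credentials for {dn}")
    return Session(dn)


def locate_user_dn(username, base="ou=people,dc=example,dc=org"):
    """Phase 1: the search bind exists only to turn a username into a DN."""
    session = bind(SEARCH_DN, SEARCH_PW)
    hits = session.search(base, lambda a: username in a.get("uid", []))
    if len(hits) != 1:
        raise BindError(f"user {username!r} not uniquely found")
    return hits[0]  # the search session is discarded after this point


def visible_connections(username, password=None, use_search_dn=False):
    """Phase 2: by default bind as the user and query connections through that
    bind. use_search_dn=True models the explicitly-enabled alternative Nick
    mentions: reuse the search account, assuming the user's identity was
    established elsewhere (for instance by SAML, as in the thread)."""
    user_dn = locate_user_dn(username)
    if use_search_dn:
        session = bind(SEARCH_DN, SEARCH_PW)
    else:
        session = bind(user_dn, password)  # a wrong password fails here
    return sorted(session.search(
        "dc=example,dc=org",
        lambda a: "guacConfigGroup" in a.get("objectClass", [])
        and user_dn in a.get("member", []),
    ))


def can_authenticate(username, password):
    """True only if the user's own bind succeeds (the default mode)."""
    try:
        visible_connections(username, password)
        return True
    except BindError:
        return False
```

With the default flow alice sees only prod-ssh, because her bind cannot read ou=restricted; with the search-DN mode both connections appear, because the service account's ACL, not hers, decides the result. That difference is the reason the thread treats the second mode as something that must be switched on deliberately.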
