And on further notice: you don't want to use the database internally in Guacamole. I don't know if that's possible; it might be. Sorry I couldn't help on that.

________________________________
From: Richard Hawkins <richard.hawk...@medctrbarbour.org>
Sent: Friday, September 13, 2024 8:32:57 AM
To: user@guacamole.apache.org <user@guacamole.apache.org>
Subject: Re: User and connections provisioning

You can definitely apply it to active directories. You can even set up groups. At one time I had this working and it worked really well, but I wanted MFA authentication, so I removed all the active directories and went strictly with MFA. I think I read somewhere I couldn't use Active Directory and MFA at the same time. There are probably better solutions now; that was a couple of years ago. I've been using Guacamole for about five years or so. It works really well once you get it going.

________________________________
From: Anakien Skywalker <njuhaand...@gmail.com>
Sent: Friday, September 13, 2024 8:17:00 AM
To: user@guacamole.apache.org <user@guacamole.apache.org>
Subject: User and connections provisioning

Hello,

I am testing Apache Guacamole with the purpose of deploying it in k8s. Deploying it locally and reading the manual, I was not able to answer the questions that arose.

Here: https://guacamole.apache.org/doc/gug/configuring-guacamole.html it says something like you have to look into a specific auth plugin on how to manage users. In the auth plugin guides I can't find any information which would point to how it creates (or does not create) the users. This is the reason why I am forced to ask the community/maintainers for help to understand the best way to go.

We have two requirements:

1. We don't want to maintain the user list on the Guacamole side. We use Active Directory. We have Pomerium in k8s, which is able to proxy an HTTP header with the user name to Apache Guacamole. Or we can use OpenID. But the biggest issue is whether Guacamole still needs the list of users on its side. Or will it log in any user? Pomerium has AD groups based access. So, if Pomerium allows the proxy request to Guacamole, then this user should have the ability to sign in. In simple words, the question is: what auth can we use so that Apache Guacamole would be able to log in the user without having the list of users in its own filesystem/db?

2. Connection provisioning is not supported as far as I can see. We could create a k8s job which will retrieve the list of targets from our internal systems and then create connections via the REST API. Is this the only possible solution in our case?
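
The provisioning job from question 2, as an added example that is not part of the original thread and is not Guacamole project code: it diffs an inventory against the connections Guacamole already lists and deletes only connections under a reserved name prefix, so hand-made entries survive a bad inventory pull. The `/api/tokens` and `/api/session/data/{dataSource}/connections` paths, the `Guacamole-Token` header, the response field names, the `inv-` prefix and all sample data are assumptions; creating connections this way also assumes a writable (database-backed) data source.

```python
import json
import urllib.parse
import urllib.request

MANAGED_PREFIX = "inv-"  # hypothetical convention: the job only deletes these
# Constructed sample data: inventory output and a Guacamole connection listing.
SAMPLE_DESIRED = {
    "inv-web01": {"protocol": "ssh", "hostname": "10.0.0.11", "port": 22},
    "inv-win01": {"protocol": "rdp", "hostname": "10.0.0.21", "port": 3389},
}
SAMPLE_EXISTING = {"1": {"name": "inv-web01"}, "2": {"name": "inv-old"},
                   "3": {"name": "manual-jump"}}

def payload(name, target):
    """JSON body for one connection placed under the root group."""
    return {"parentIdentifier": "ROOT", "name": name,
            "protocol": target["protocol"], "attributes": {},
            "parameters": {"hostname": target["hostname"],
                           "port": str(target["port"])}}

def plan(desired, existing):
    """Return (bodies to create, identifiers to delete) for one sync run."""
    have = {c["name"]: ident for ident, c in existing.items()}
    create = [payload(n, t) for n, t in sorted(desired.items()) if n not in have]
    delete = sorted(i for n, i in have.items()
                    if n.startswith(MANAGED_PREFIX) and n not in desired)
    return create, delete

def call(base, path, token=None, method="GET", data=None,
         ctype="application/json"):
    """Minimal HTTP helper; the header name is an assumption (see lead-in)."""
    headers = {"Content-Type": ctype} if data else {}
    if token:
        headers["Guacamole-Token"] = token
    req = urllib.request.Request(base + path, data=data, headers=headers,
                                 method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def sync(base, user, password, desired):
    """Log in with a service account, then apply the plan; returns counts."""
    form = urllib.parse.urlencode({"username": user, "password": password})
    auth = call(base, "/api/tokens", method="POST", data=form.encode(),
                ctype="application/x-www-form-urlencoded")
    token, root = auth["authToken"], f"/api/session/data/{auth['dataSource']}/connections"
    create, delete = plan(desired, call(base, root, token) or {})
    for body in create:
        call(base, root, token, "POST", json.dumps(body).encode())
    for ident in delete:
        call(base, f"{root}/{ident}", token, "DELETE")
    return len(create), len(delete)
```
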