On Tue, Nov 5, 2024 at 1:45 PM Benjamin Long <benjamin.l...@sscsince73.com> wrote:
> Hello folks,
>
> Here is my situation. We're setting up a new authentication system using
> FreeIPA. So far, so good.
>
> I've been able to configure Guacamole (using the official docker
> container) to use LDAP as its user and configuration store. The
> configuration is in the cn=guacconfig subtree.
>
> Here's where I'm a little confused.
>
> When I use ldap-search-bind-dn to configure a bind user, I thought this
> was the login used to pull the configuration from cn=guacconfig. So I have
> a bind user set up that has access to this subtree.
>

No, the ldap-search-bind-dn user is *ONLY* used to locate the user who is logging in to Guacamole. After that user is located, the search DN is disconnected (un-bound), and a new bind is performed using the DN of the user who has just been located, and that user's password. Thus, the access control for Guacamole when using LDAP to store connection configurations uses LDAP's built-in security.

> However, my users do not have access to this subtree, and I would rather
> they not. I don't want them to be able to run ldapsearch with their
> credentials and get the login credentials for the remote systems.
>
> When I log into Guacamole as my user, I don't see any connections unless I
> give my user search and read access to cn=guacconfig.
>
> Am I missing something, or is this expected behavior?
>

This is expected. I can understand, if you're storing credentials directly in your LDAP configurations, that you might not want users reading those credentials. At the moment, there's no way around this.

-Nick
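The bind sequence Nick describes (search bind to locate the user, unbind, rebind as the user, read cn=guacconfig under the user's own rights) modelled as an added example; this is not Guacamole or FreeIPA code. An in-memory directory with a deny-by-default read ACL stands in for the LDAP server, and the base DN, the sysaccount DN used as ldap-search-bind-dn, the user "alice" and the stored RDP credentials are all constructed for illustration. The attribute names guacConfigGroup, guacConfigProtocol and guacConfigParameter are assumed to match Guacamole's LDAP schema; nothing here depends on that being exact.

```python
"""Model of the Guacamole LDAP login sequence from the thread (added example)."""
from dataclasses import dataclass

BASE = "dc=example,dc=com"                               # constructed
USER_BASE = "cn=users,cn=accounts," + BASE               # FreeIPA-style user subtree (assumed)
GUAC_CONFIG = "cn=guacconfig," + BASE                    # the subtree named in the thread
BIND_DN = "uid=guacbind,cn=sysaccounts,cn=etc," + BASE   # ldap-search-bind-dn (assumed)
ALICE_DN = "uid=alice," + USER_BASE                      # the logging-in user (constructed)


@dataclass
class Entry:
    dn: str
    attrs: dict
    password: str = ""


class Directory:
    """Entries plus a read ACL: USER_BASE is readable by any bound identity,
    every other subtree only by DNs granted with grant_read()."""

    def __init__(self):
        self.entries = {}
        self.readers = {}          # subtree -> set of DNs allowed to read it

    def add(self, entry):
        self.entries[entry.dn] = entry

    def grant_read(self, subtree, dn):
        self.readers.setdefault(subtree, set()).add(dn)

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        if entry is None or not password or entry.password != password:
            raise PermissionError("invalidCredentials for " + dn)
        return Session(self, dn)


class Session:
    """One bound connection; its rights are exactly those of bound_dn."""

    def __init__(self, directory, dn):
        self.directory = directory
        self.bound_dn = dn

    def unbind(self):
        self.bound_dn = None

    def search(self, subtree, **filters):
        """Entries under subtree matching every attribute filter. A DN with no
        read right gets an empty result: entries are hidden, not refused."""
        if self.bound_dn is None:
            raise RuntimeError("search on an unbound session")
        readers = self.directory.readers.get(subtree, set())
        if subtree != USER_BASE and self.bound_dn not in readers:
            return []
        return [e for e in self.directory.entries.values()
                if e.dn.endswith("," + subtree)
                and all(e.attrs.get(k) == v for k, v in filters.items())]


def guacamole_login(directory, search_bind_dn, search_bind_pw, username, password):
    """Search bind locates the user, is unbound, and everything afterwards
    runs under the user's own DN and password."""
    searcher = directory.bind(search_bind_dn, search_bind_pw)
    hits = searcher.search(USER_BASE, uid=username)
    searcher.unbind()                                   # search DN's rights end here
    if len(hits) != 1:
        raise PermissionError("user not found: " + username)
    user = directory.bind(hits[0].dn, password)         # rebind as the user
    groups = user.search(GUAC_CONFIG, objectClass="guacConfigGroup")
    return user, sorted(g.attrs["cn"] for g in groups)


def build_directory():
    d = Directory()
    d.add(Entry(BIND_DN, {"uid": "guacbind"}, password="bind-secret"))
    d.add(Entry(ALICE_DN, {"uid": "alice"}, password="alice-pw"))
    d.add(Entry("cn=prod-db," + GUAC_CONFIG,             # constructed connection entry
                {"cn": "prod-db", "objectClass": "guacConfigGroup",
                 "guacConfigProtocol": "rdp",
                 "guacConfigParameter": ["hostname=db.example.com",
                                         "username=admin", "password=hunter2"]}))
    d.grant_read(GUAC_CONFIG, BIND_DN)   # bind user may read it; that alone is not enough
    return d


def demo():
    d = build_directory()
    out = {}
    _, conns = guacamole_login(d, BIND_DN, "bind-secret", "alice", "alice-pw")
    out["without_grant"] = conns                        # login works, no connections
    d.grant_read(GUAC_CONFIG, ALICE_DN)                 # what makes connections appear
    sess, conns = guacamole_login(d, BIND_DN, "bind-secret", "alice", "alice-pw")
    out["with_grant"] = conns
    # The same bind is all ldapsearch needs: the stored credentials are readable.
    out["alice_can_read"] = sess.search(GUAC_CONFIG, cn="prod-db")[0].attrs["guacConfigParameter"]
    try:
        guacamole_login(d, BIND_DN, "bind-secret", "alice", "wrong")
        out["wrong_password"] = "accepted"
    except PermissionError:
        out["wrong_password"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the model makes concrete is that the search bind's read grant on cn=guacconfig never reaches the user's session: until alice herself is granted read on that subtree she logs in and sees nothing, and once she is granted it, the same credentials she types into Guacamole let her read guacConfigParameter (including the remote password) with plain ldapsearch. On a real FreeIPA/389-ds server the grant would be an ACI on cn=guacconfig rather than the grant_read() call here.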