[ https://issues.apache.org/jira/browse/GUACAMOLE-536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17576216#comment-17576216 ]

Nick Couchman commented on GUACAMOLE-536:
-----------------------------------------

So, I think the key, here, is this:

{quote}
The use case is that we use Active Directory and do not allow bind accounts
{quote}

This means that, based on Guacamole's current functionality, at least, pre-GUACAMOLE-957, the users would all have to exist in the same subtree so that the inferred location could be used rather than doing the search. Even with GUACAMOLE-957 implemented, this would mean basically putting an entry into the LDAP configuration for each and every user OU that users could possibly exist in, and then the LDAP client would have to go through and check every OU, trying to bind with the account until it matched one - an expensive operation. Also, in my #DayJob, our AD environment has dozens, if not hundreds, of possible OU locations, which would make maintenance of this a nightmare.

I suspect the actual ask, here, is a "direct bind" to LDAP with the user who is logging in, which AD allows, but would have to be done as UPN, since using the DN format requires that it already be known where in the LDAP tree the user exists. If the usernames in Guacamole were the UPN and could be used to bind directly, or the username was the first part of the UPN and the domain was configured in guacamole.properties (or the new config file introduced by GUACAMOLE-957), then users could be logged in directly, avoiding both the search bind and also the maintenance of a bunch of potential inferred locations.

Based on this I might just cancel my current PR and go back and re-work this to support "Direct Bind", and base it off the changes in GUACAMOLE-957.

> Add support for arbitrary LDAP bind patterns
> --------------------------------------------
>
>                 Key: GUACAMOLE-536
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-536
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Joseph L. Casale
>            Assignee: Nick Couchman
>            Priority: Minor
>             Fix For: 1.6.0
>
>
> The current LDAP authentication scheme can recursively search the base DN
> only when a bind DN is used. When binding with the user attempting to log on,
> the bind DN format pattern is not exposed through configuration, which imposes
> unnatural restrictions forcing the user to exist in a single container.
> If the format pattern was exposed for configuration, for DSAs which allow
> flexible bind patterns such as Active Directory, configuration could allow
> "DOMAIN\%s" or "%s...@domain.com", and for those DSAs which do not, you would simply
> configure the restrictive full DN as the pattern.
> The use case is that we use Active Directory and do not allow bind accounts, so
> the restriction prevents all users from accessing the application as our
> topology is not flat (we need to pick a single container, therefore excluding
> everyone else).
> A working Java implementation of an LDAP auth scheme that facilitates this is
> [Gitblit|http://gitblit.com/properties.html], see the realm.ldap.*
> configuration properties. Setting the bind pattern to the UPN such as:
> {code:java}
> realm.ldap.bindpattern = ${username}@domain.com
> {code}
> allows the flexible configuration in our Active Directory environment.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
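The following is an added illustration of the three bind-pattern shapes discussed in this issue (full DN, UPN, and DOMAIN\user) and of why "one DN pattern per OU" costs one bind attempt per OU while a UPN pattern costs one. It is not code from Guacamole or Gitblit; it borrows Gitblit's ${username} placeholder syntax, treats any pattern containing "=" as a DN pattern, uses a constructed in-memory "directory" in place of a real LDAP server, and assumes a restrictive character policy for account names in the UPN and down-level forms. The DN case escapes the substituted value per RFC 4514 so that a login name such as "alice,OU=Admins" cannot move the bind into a different container.

```python
"""Expanding a configurable LDAP bind pattern into the identity used for a direct bind.

Added example, not code from Guacamole or Gitblit. Assumptions: the placeholder is
${username} (Gitblit's syntax), a pattern containing "=" is treated as a DN pattern,
and the sample directory and example.com domain below are constructed for the demo.
"""
import re

PLACEHOLDER = "${username}"

# Characters that RFC 4514 requires to be escaped inside a DN attribute value.
_DN_SPECIAL = set('\\,+"<>;')

# Assumed policy for the UPN and DOMAIN\user forms: the token must be a bare account
# name. A value containing '@', '\' or whitespace would change which realm or domain
# the directory resolves, so it is rejected rather than substituted.
_BARE_ACCOUNT = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_dn_value(value: str) -> str:
    """Escape a string for use as an attribute value in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def expand_bind_pattern(pattern: str, username: str) -> str:
    """Substitute the login name into the pattern, escaping or validating as the form requires."""
    if PLACEHOLDER not in pattern:
        raise ValueError("bind pattern lacks the ${username} placeholder")
    if "=" in pattern:  # full-DN pattern: CN=${username},OU=...,DC=...
        token = escape_dn_value(username)  # keeps "alice,OU=Admins" inside the intended RDN
    else:  # UPN (${username}@domain) or down-level (DOMAIN\${username}) pattern
        if not _BARE_ACCOUNT.match(username):
            raise ValueError("username is not a bare account name")
        token = username
    return pattern.replace(PLACEHOLDER, token)


def pattern_accepts(pattern: str, username: str) -> bool:
    """True if the username can be substituted into the pattern at all."""
    try:
        expand_bind_pattern(pattern, username)
        return True
    except ValueError:
        return False


def simulate_login(directory: dict, patterns: list, username: str, password: str):
    """Try a direct bind with each expanded pattern in order.

    Returns (identity that bound, number of bind attempts made), or (None, attempts).
    ``directory`` stands in for the server: bind name -> password it would accept.
    """
    attempts = 0
    for pattern in patterns:
        if not pattern_accepts(pattern, username):
            continue
        identity = expand_bind_pattern(pattern, username)
        attempts += 1
        if directory.get(identity) == password:
            return identity, attempts
    return None, attempts


# Constructed sample: one AD user reachable by DN, UPN, and down-level name.
SAMPLE_DIRECTORY = {
    "CN=alice,OU=Sales,OU=Users,DC=example,DC=com": "s3cret",
    "alice@example.com": "s3cret",
    "EXAMPLE\\alice": "s3cret",
}

# The "one entry per OU" approach the comment describes: every OU is a bind attempt.
OU_PATTERNS = [
    "CN=${username},OU=Engineering,OU=Users,DC=example,DC=com",
    "CN=${username},OU=Finance,OU=Users,DC=example,DC=com",
    "CN=${username},OU=Sales,OU=Users,DC=example,DC=com",
]

# The direct-bind approach: one attempt regardless of where in the tree the user lives.
UPN_PATTERNS = ["${username}@example.com"]

if __name__ == "__main__":
    print(simulate_login(SAMPLE_DIRECTORY, OU_PATTERNS, "alice", "s3cret"))
    print(simulate_login(SAMPLE_DIRECTORY, UPN_PATTERNS, "alice", "s3cret"))
    print(expand_bind_pattern(OU_PATTERNS[2], "alice,OU=Admins"))
```

Against the sample directory, the OU list needs three bind attempts to find alice (and three failed attempts for a wrong password, each one a round trip and a lockout-policy hit on a real domain), while the UPN pattern needs one. The DN-escaping branch is the check a practitioner would want before exposing an arbitrary pattern: without it, the substituted name is spliced into the DN verbatim.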