[ https://issues.apache.org/jira/browse/GUACAMOLE-1985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17884570#comment-17884570 ]

Nick Couchman commented on GUACAMOLE-1985:
------------------------------------------

[~armfem]: This is not a bug, this is actually the system behaving exactly as 
intended due to the way that the LDAP extension works.

The LDAP extension uses the security of the user logging in to determine what 
LDAP objects (users, groups, and connections) it has access to. The flow of 
LDAP authentication looks roughly like this:
* User reaches Guacamole login page and enters username and password.
* LDAP either calculates the user's DN or binds using the credentials provided 
in the guacamole.properties file and searches for the user.
* Once the user's LDAP DN is known, the LDAP module unbinds as the search user 
and then binds using the LDAP DN and the password provided by the user logging 
in to Guacamole.
* The LDAP module then uses the bind with the user logging in to search for 
objects within the LDAP tree, relying on the security built into LDAP to 
either allow or prevent the user from seeing certain objects.

So, if a user logs in with an SSO module (OIDC, SAML, CAS, or others like 
Header, JSON), the user's password is not available for the LDAP module to use 
for the bind, so it won't be able to match that user account between the SSO 
module and the LDAP module, as the LDAP bind under that account will fail.
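The two-stage bind flow described above, as an added illustration that is not Guacamole's own code: an in-memory stand-in for an LDAP server enforces per-entry read permissions, a login first binds as the search account (the credentials that would come from guacamole.properties), locates the user's DN, then rebinds as that user and searches for connection objects. The directory contents, DNs, passwords and permission sets are constructed for the example; the `guacConfigGroup` object class name is assumed to be the one used by the Guacamole LDAP schema. An SSO login that has no password to offer fails at the second bind, which is the situation the comment describes.

```python
"""Simulated two-stage LDAP bind as performed by an LDAP-backed login.

Constructed example: the directory, DNs, passwords and permissions below
are invented for illustration and are not Guacamole's code or config.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, str]
    password: Optional[str] = None            # only bindable entries carry one
    readable_by: Set[str] = field(default_factory=set)  # DNs allowed to read this entry


class FakeDirectory:
    """Minimal LDAP-like store: bind checks a password, search applies per-entry permissions."""

    def __init__(self, entries: List[Entry]):
        self.entries = {e.dn: e for e in entries}

    def bind(self, dn: str, password: Optional[str]) -> bool:
        e = self.entries.get(dn)
        return e is not None and e.password is not None and e.password == password

    def search(self, bound_as: str, attr: str, value: str) -> List[Entry]:
        """Return entries matching attr=value that the bound identity is permitted to read."""
        return [
            e for e in self.entries.values()
            if e.attrs.get(attr) == value and bound_as in e.readable_by
        ]


# Search account, standing in for the bind DN/password from guacamole.properties (constructed).
SEARCH_BIND_DN = "cn=guac-search,ou=service,dc=example,dc=org"
SEARCH_BIND_PW = "search-secret"


def ldap_login(directory: FakeDirectory, username: str,
               password: Optional[str]) -> Optional[Tuple[str, List[str]]]:
    """Return (user DN, names of connections visible to that user), or None if login fails."""
    # Stage 1: bind as the search account and resolve the username to a DN.
    if not directory.bind(SEARCH_BIND_DN, SEARCH_BIND_PW):
        return None
    hits = directory.search(SEARCH_BIND_DN, "uid", username)
    if len(hits) != 1:
        return None
    user_dn = hits[0].dn
    # Stage 2: drop the search bind and bind as the user with the password they typed.
    if not directory.bind(user_dn, password):
        return None
    # Stage 3: search for connection objects under the user's own identity, so the
    # directory's permissions decide which ones are visible.
    conns = directory.search(user_dn, "objectClass", "guacConfigGroup")  # assumed class name
    return user_dn, sorted(e.attrs["cn"] for e in conns)


def sso_login(directory: FakeDirectory, username: str) -> Optional[Tuple[str, List[str]]]:
    """An SSO module hands over a username only; with no password, stage 2 cannot succeed."""
    return ldap_login(directory, username, password=None)


# Constructed directory: one search account, one user, two connection objects.
ALICE = "uid=alice,ou=people,dc=example,dc=org"
DIRECTORY = FakeDirectory([
    Entry(SEARCH_BIND_DN, {"cn": "guac-search"}, password=SEARCH_BIND_PW),
    Entry(ALICE, {"uid": "alice", "cn": "Alice"}, password="alice-pw",
          readable_by={SEARCH_BIND_DN, ALICE}),
    Entry("cn=desktop-1,ou=connections,dc=example,dc=org",
          {"cn": "desktop-1", "objectClass": "guacConfigGroup"},
          readable_by={ALICE}),
    Entry("cn=admin-box,ou=connections,dc=example,dc=org",
          {"cn": "admin-box", "objectClass": "guacConfigGroup"},
          readable_by=set()),          # alice has not been granted read access here
])

if __name__ == "__main__":
    print("password login:", ldap_login(DIRECTORY, "alice", "alice-pw"))
    print("wrong password:", ldap_login(DIRECTORY, "alice", "nope"))
    print("sso login:     ", sso_login(DIRECTORY, "alice"))
```

The password login returns only `desktop-1`, because `admin-box` is not readable by alice's DN even though it exists; the same user arriving through SSO gets nothing at all, since the module never reaches the search stage that runs under the user's identity.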

> There is no account reconciliation between OIDC and LDAP
> --------------------------------------------------------
>
>                 Key: GUACAMOLE-1985
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1985
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-ldap, guacamole-auth-openid
>    Affects Versions: 1.5.5
>         Environment: LDAP: AD
> SSO: OIDC with LemonLDAP
>            Reporter: armfem
>            Priority: Major
>              Labels: LDAP, OIDC
>
> Hello,
>  
> I had configured guacamole users through LDAP, which works very nicely. Then I 
> added an SSO (LemonLDAP) which is connected via OIDC to guacamole, which also 
> seems to work quite nicely to access it.
> The problem is that when connecting through OIDC I cannot access the users 
> that are in LDAP; there are only users already connected through OIDC. 
> Furthermore, it seems that the OIDC user is not reconciled with the LDAP user 
> of the same name.
>  
> For the time being, I avoid the problem creating a group in LDAP and a group 
> in Guacamole, and then the application is able to reconcile the groups.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)