Guac 0.9.13

Guac 0.9.13

James Fraser

I have been reviewing 0.9.13

 

In particular

https://issues.apache.org/jira/browse/GUACAMOLE-101

 

I am curious if this is now possible? Is it potentially possible to look up between multiple directories?

 

James Fraser • Microsoft Systems Engineer

 

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Guac 0.9.13

Nick Couchman-2
James,
The LDAP filtering is possible as of the as-yet-unreleased 0.9.13-incubating version of Guacamole.  Hopefully that'll be released, soon, maybe even sometime this week.  Don't quote me on that, but I know the process to get the release approved is moving along right now, so it shouldn't be too long.

The multiple directory lookup has *not,* yet, been incorporated.  I can't remember if there's a separate JIRA issue for that one - I feel like there is - if not, you should definitely open one so we can track status on that.

Regards,
Nick


On Sunday, July 30, 2017, 7:04:03 PM EDT, James Fraser <[hidden email]> wrote:


I have been reviewing 0.9.13

 

In particular

https://issues.apache.org/jira/browse/GUACAMOLE-101

 

I am curious if this is now possible? Is it potentially possible to look up between multiple directories?

 

James Fraser • Microsoft Systems Engineer

 


RE: Guac 0.9.13

James Fraser

Hi Nick

 

Thanks for your response, I have just built 0.9.13 and am setting up a couple of AD domains, just chasing a bit of guidance on how to target the two different directories if it's possible.


Cheers

 

James Fraser • Microsoft Systems Engineer

 

From: Nick Couchman [mailto:[hidden email]]
Sent: Monday, 31 July 2017 9:59 AM
To: [hidden email]
Subject: Re: Guac 0.9.13

 

James,

The LDAP filtering is possible as of the as-yet-unreleased 0.9.13-incubating version of Guacamole.  Hopefully that'll be released, soon, maybe even sometime this week.  Don't quote me on that, but I know the process to get the release approved is moving along right now, so it shouldn't be too long.

 

The multiple directory lookup has *not,* yet, been incorporated.  I can't remember if there's a separate JIRA issue for that one - I feel like there is - if not, you should definitely open one so we can track status on that.

 

Regards,

Nick

 

 


Re: RE: Guac 0.9.13

Nick Couchman-2
Under the current version you, unfortunately, do not have any options inside Guacamole itself to accomplish this.  The way I can think of at this point would be to use OpenLDAP with the Meta or Proxy back-end, and have OpenLDAP present both directory trees under a single server/tree to Guacamole.  That's not the ideal solution and we certainly want to get Guacamole to the point where it can handle multiple trees in the same config, but it will work.

I've used the Meta backend before, and it allows you to take two directory trees - say dc=ad1,dc=com and dc=ad2,dc=com - and combine them in such a way that ad1 appears at dc=ad1,dc=ldap,dc=com and ad2 at dc=ad2,dc=ldap,dc=com.  You can then query the OpenLDAP instance at the dc=ldap,dc=com level and it will traverse both trees.  IIRC, it's also smart enough to handle passing through bind requests - so, once a user is found in dc=ad2,dc=ldap,dc=com, for example, when the bind request is sent it will translate that to the correct user on the dc=ad2,dc=com side and proxy the request.  It takes a little work to get set up, but it isn't too bad.

If you have both your AD trees set up in a single forest you can probably accomplish the same thing - if one is at the root and the other is a tree somewhere in the forest, I'm fairly certain you can have an LDAP server that has access to both trees.  I'm not an expert on Active Directory, so I've never gone that route before and cannot speak to how it's accomplished or even for sure that it's possible, but I believe that one of the key features behind AD was the ability to further sub-divide the domains while still maintaining some sort of top-level authority and view of the entire system.

Anyway, those are a couple of ideas - like I said, unfortunately, nothing native to Guacamole at this point that will help you out.

Regards,
Nick


On Sunday, July 30, 2017, 8:37:37 PM EDT, James Fraser <[hidden email]> wrote:


Hi Nick

 

Thanks for your response, I have just built 0.9.13 and am setting up a couple of AD domains, just chasing a bit of guidance on how to target the two different directories if it's possible.


Cheers

 

James Fraser • Microsoft Systems Engineer

 

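The tree layout Nick describes above, written out as an OpenLDAP `slapd.conf` fragment for the meta back-end. This is an added example, not configuration from the thread or from the Guacamole project; the host names `dc1.ad1.example` and `dc1.ad2.example` are placeholders, and only the three suffixes come from the post.

```conf
# Added example: slapd.conf fragment for the OpenLDAP meta back-end
# (see slapd-meta(5)). Host names are placeholders; the suffixes are
# the ones used in the post. The meta back-end must be compiled into
# slapd or loaded as a module before this database section is read.

database        meta

# The single virtual tree that Guacamole is pointed at.
suffix          "dc=ldap,dc=com"

# First AD domain. Its real naming context is dc=ad1,dc=com; clients
# of the proxy see it at dc=ad1,dc=ldap,dc=com. The DN in the URI is
# the virtual naming context served by this target.
uri             "ldaps://dc1.ad1.example/dc=ad1,dc=ldap,dc=com"
suffixmassage   "dc=ad1,dc=ldap,dc=com" "dc=ad1,dc=com"

# Second AD domain, mapped the same way under the shared suffix.
uri             "ldaps://dc1.ad2.example/dc=ad2,dc=ldap,dc=com"
suffixmassage   "dc=ad2,dc=ldap,dc=com" "dc=ad2,dc=com"

# On the Guacamole side (guacamole.properties), the LDAP extension is
# then pointed at this proxy, with the user base DN set to the shared
# suffix so that a search covers both domains:
#
#   ldap-user-base-dn: dc=ldap,dc=com
```

Because the proxy relays each user's bind password to the domain controller that owns the account, both legs (Guacamole to the proxy, and the proxy to each DC) should run over TLS. A search rooted at dc=ldap,dc=com matches entries in both domains, so an account name that exists in both will come back as two entries.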

RE: RE: Guac 0.9.13

James Fraser

Hi Nick

 

Thanks for your reply

Unfortunately we do not have any trusts set up between domains. Our Guacamole instance is in an Azure subscription, and we have peers to other subscriptions and domains that are not part of our company, but we give access to the servers over Guacamole; this prevents the servers requiring public IP addresses to connect to them.

 

I will have a look at OpenLDAP with Meta and see how I go, I will report back.

 

Cheers

 

James Fraser • Microsoft Systems Engineer

 

From: Nick Couchman [mailto:[hidden email]]
Sent: Monday, 31 July 2017 11:14 AM
To: [hidden email]
Subject: Re: RE: Guac 0.9.13

 

Under the current version you, unfortunately, do not have any options inside Guacamole itself to accomplish this.  The way I can think of at this point would be to use OpenLDAP with the Meta or Proxy back-end, and have OpenLDAP present both directory trees under a single server/tree to Guacamole.  That's not the ideal solution and we certainly want to get Guacamole to the point where it can handle multiple trees in the same config, but it will work.

 

I've used the Meta backend before, and it allows you to take two directory trees - say dc=ad1,dc=com and dc=ad2,dc=com - and combine them in such a way that ad1 appears at dc=ad1,dc=ldap,dc=com and ad2 at dc=ad2,dc=ldap,dc=com.  You can then query the OpenLDAP instance at the dc=ldap,dc=com level and it will traverse both trees.  IIRC, it's also smart enough to handle passing through bind requests - so, once a user is found in dc=ad2,dc=ldap,dc=com, for example, when the bind request is sent it will translate that to the correct user on the dc=ad2,dc=com side and proxy the request.  It takes a little work to get set up, but it isn't too bad.

 

If you have both your AD trees set up in a single forest you can probably accomplish the same thing - if one is at the root and the other is a tree somewhere in the forest, I'm fairly certain you can have an LDAP server that has access to both trees.  I'm not an expert on Active Directory, so I've never gone that route before and cannot speak to how it's accomplished or even for sure that it's possible, but I believe that one of the key features behind AD was the ability to further sub-divide the domains while still maintaining some sort of top-level authority and view of the entire system.

 

Anyway, those are a couple of ideas - like I said, unfortunately, nothing native to Guacamole at this point that will help you out.

 

Regards,

Nick

 

 
