Guacamole and UCS

Hi Guys

I am looking to see if I can get Guacamole and OpenLDAP (via UCS) working, so that when someone authenticates through LDAP their entries in LDAP also reflect which machines they can connect to in Guacamole etc.

I am looking at the documentation for Guacamole (guacamole.incubator.apache.org/ … -auth.html) which talks about a Guacamole extension which you can download which contains a .schema file and a .ldif file.

My question to anyone that might have done this before: how do I import the .ldif file or the .schema file into UCS? Other OpenLDAP implementations allow this but I can not see how to do it with UCS.

If there is no way of importing the required changes from the above mentioned files, is there a way of manually adding the same properties into UCS manually?

Any help would be appreciated.

Dan

There is something related in the Wiki:
Cool Solution - Guacamole

Hi,

I’ve installed guacamole on a separate server and I want to authenticate users through LDAP and restrict connections access.

Where am I supposed to put the .ldif or .schema files to make Univention’s OpenLDAP consider it and apply changes?

I’ve made ldapadd -h localhost -p 389 -x -D %SOME_USER% -w %SOME_PWD% -f guacConfigGroup.ldif

But I got :

adding new entry "cn=guacConfigGroup,cn=blah,cn=blah,dc=some,dc=domain"
ldap_add: No such attribute (16)
additional info: 0000200A: objectclass olcSchemaConfig is not a valid objectClass in schema

Can I add objectClass?

What’s going wrong?

Rgds

It looks like we are stuck on the same issue. I was hoping that UCS would allow you to add in custom schemas through the web interface. I see that as one of the main advantages of using UCS. Having to resort to the command line for things like this is a bit of a shame really. A nice little GUI import wizard would be a neat way of implementing changes like this for other applications.

If you do make any breakthroughs with regards to this, please update this thread, I will do the same.

Hi ldapdan,

I’ve been able to add the schema file through univention-lib and ucm :) I’ll post the process later.

But I’m still stuck on adding an extended object to my LDAP tree: I got a class violation exception, not a structural objectclass defined for storage…

Any ideas?

Rgds

I have been playing with a vanilla version of OpenLDAP (the latest version) and I have managed to get the schema to import fine. However, even that wasn’t a very straightforward process; with the new version of LDAP the way you import things is done slightly differently, and how you authenticate is done slightly differently too.

So I have come back to give UCS one last try before I just abandon it and use Apache Directory Studio to manage a vanilla version.

If there wasn’t a limitation posed on the number of extended attributes UCS allows it would be worth spending the time on to make it work, however as I have to make several applications authenticate with it, the likelihood that I will run out is high, and makes it a limiting factor going forward when the system is expanded further.

If you get a chance to post the steps you took, it would be interesting for the future as UCS might be usable for other projects; unfortunately for this one it is looking unusable.

Hi!

[quote=“vbrice.adminsys”]I’ve been able to add the schema file through univention-lib and ucm :) I’ll post the process later.

But I’m still stuck on adding an extended object to my LDAP tree: I got a class violation exception, not a structural objectclass defined for storage…
[/quote]

Object class violations are usually caused by missing attribute values. Please check the corresponding LDAP schema (objectclass) which attributes are required (MUST) and which are optional (MAY). All MUST attributes have to be defined when the objectclass is added, otherwise an object class violation is raised.

I’m a little bit confused about the limitation on the number of extended attributes. I’m not aware of any limitation.

UCS installs a UCS-specific LDAP schema that provides 20 free usable LDAP attributes (univentionFreeAttribute1 up to univentionFreeAttribute20). The “extended attributes” in the UCS meaning define GUI elements in UMC that are mapped to existing LDAP attributes. Therefore, if you have installed additional LDAP schemas, you are also able to add additional extended attributes (GUI elements in UMC).

Best regards

Sönke Schwardt-Krummrich
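
The MUST/MAY rule from the reply above, as an added example that is not part of the original posts: a small Python checker that parses RFC 4512 objectClass definitions, follows SUP inheritance, and lists what an entry lacks before it is sent to the server. The guacConfigGroup definition, its placeholder OID and the sample entry are constructed stand-ins, not taken from the Guacamole schema file or from UCS.

```python
import re

# Constructed definitions in RFC 4512 syntax. The guacConfigGroup line is an
# assumed stand-in with a placeholder OID, not the Guacamole schema file.
SCHEMA = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) )",
    "( 1.1.1.1 NAME 'guacConfigGroup' SUP groupOfNames STRUCTURAL "
    "MUST guacConfigProtocol MAY guacConfigParameter )",
]

def parse_schema(lines):
    """Map lower-cased class name -> superior, kind and MUST attribute set."""
    classes = {}
    for defn in lines:
        name = re.search(r"NAME\s+'([^']+)'", defn).group(1)
        sup = re.search(r"\bSUP\s+([\w-]+)", defn)
        kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", defn)
        must = re.search(r"\bMUST\s+(?:\(([^)]*)\)|([\w-]+))", defn)
        classes[name.lower()] = {
            "sup": sup.group(1).lower() if sup else None,
            "kind": kind.group(1) if kind else "STRUCTURAL",  # RFC 4512 default
            "must": {a.strip() for a in (must.group(1) or must.group(2)).split("$")}
                    if must else set(),
        }
    return classes

def check_entry(entry, classes):
    """List schema violations for an entry given as {attribute: [values]}."""
    problems, must, structural = [], set(), False
    for oc in entry.get("objectClass", []):
        cur = oc.lower()
        if cur not in classes:  # schema not loaded on the server
            problems.append(f"unknown objectClass {oc}")
            continue
        structural |= classes[cur]["kind"] == "STRUCTURAL"
        while cur in classes:  # MUST attributes are inherited along the SUP chain
            must |= classes[cur]["must"]
            cur = classes[cur]["sup"]
    if not structural:
        problems.append("no structural objectClass")
    present = {a.lower() for a, vals in entry.items() if vals}
    missing = sorted(a for a in must if a.lower() not in present)
    return problems + [f"missing MUST attribute {a}" for a in missing]

# Constructed sample entry: 'member' is absent although groupOfNames requires it.
ENTRY = {"objectClass": ["guacConfigGroup"], "cn": ["rdp-servers"],
         "guacConfigProtocol": ["rdp"]}
print(check_entry(ENTRY, parse_schema(SCHEMA)))
```

The optional guacConfigParameter attribute is never reported, while the inherited `member` requirement from groupOfNames is.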