From Nick Couchman <>
Subject Re: RE: Guac 0.9.13
Date Mon, 31 Jul 2017 01:13:50 GMT
Under the current version you, unfortunately, do not have any options inside Guacamole itself
to accomplish this.  The way I can think of at this point would be to use OpenLDAP with the
Meta or Proxy back-end, and have OpenLDAP present both directory trees under a single server/tree
to Guacamole.  That's not the ideal solution and we certainly want to get Guacamole to the
point where it can handle multiple trees in the same config, but it will work.

I've used the Meta backend before, and it allows you to take two directory trees - say dc=ad1,dc=com
and dc=ad2,dc=com - and combine them in such a way that ad1 appears at dc=ad1,dc=ldap,dc=com
and ad2 at dc=ad2,dc=ldap,dc=com.  You can then query the OpenLDAP instance at the dc=ldap,dc=com
level and it will traverse both trees.  IIRC, it's also smart enough to handle passing through
bind requests - so, once a user is found in dc=ad2,dc=ldap,dc=com, for example, when the bind
request is sent it will translate that to the correct user on the dc=ad2,dc=com side and proxy
the request.  It takes a little work to get set up, but it isn't too bad.

If you have both your AD trees set up in a single forest you can probably accomplish the same
thing - if one is at the root and the other is a tree somewhere in the forest, I'm fairly
certain you can have an LDAP server that has access to both trees.  I'm not an expert on Active
Directory, so I've never gone that route before and cannot speak to how it's accomplished
or even for sure that it's possible, but I believe that one of the key features behind
AD was the ability to further sub-divide the domains while still maintaining some sort of
top-level authority and view of the entire system.

Anyway, those are a couple of ideas - like I said, unfortunately, nothing native to Guacamole
at this point that will help you out.
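
A minimal sketch of the Meta back-end layout described in the message above, added here as an illustration and not taken from the thread or from the Guacamole project. The DNs are the ones used in the message, the host names are placeholders (assumptions), and the directives are those documented in slapd-meta(5).

```conf
# slapd.conf fragment for OpenLDAP's meta backend (see slapd-meta(5)).
# Added illustration; host names below are placeholders, not real servers.

# Only needed when back-meta is built as a loadable module.
moduleload    back_meta

database      meta
# Virtual root: the single tree that Guacamole searches and binds against.
suffix        "dc=ldap,dc=com"

# Target 1: real tree dc=ad1,dc=com, presented as dc=ad1,dc=ldap,dc=com.
# The DN part of the URI is the virtual naming context served by this target.
uri           "ldaps://dc1.ad1.example/dc=ad1,dc=ldap,dc=com"
# Rewrite DNs between the virtual and the real naming context, in both
# directions, so search results and proxied binds use the right DN.
suffixmassage "dc=ad1,dc=ldap,dc=com" "dc=ad1,dc=com"

# Target 2: real tree dc=ad2,dc=com, presented as dc=ad2,dc=ldap,dc=com.
uri           "ldaps://dc1.ad2.example/dc=ad2,dc=ldap,dc=com"
suffixmassage "dc=ad2,dc=ldap,dc=com" "dc=ad2,dc=com"
```

With this in place, Guacamole's `ldap-user-base-dn` would be set to `dc=ldap,dc=com` so that a search covers both targets. Because user passwords pass through the proxy on bind, both the Guacamole-to-OpenLDAP hop and the OpenLDAP-to-AD hop should be TLS-protected, which is why the targets use `ldaps://`.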

On Sunday, July 30, 2017, 8:37:37 PM EDT, James Fraser <>

Hi Nick
Thanks for your response, I have just built 0.9.13 and am setting up a couple of AD domains,
just chasing a bit of guidance of how to target the two different directories if it's possible.

James Fraser • Microsoft Systems Engineer

From: Nick Couchman []
Sent: Monday, 31 July 2017 9:59 AM
Subject: Re: Guac 0.9.13
The LDAP filtering is possible as of the as-yet-unreleased 0.9.13-incubating version of Guacamole.
Hopefully that'll be released, soon, maybe even sometime this week.  Don't quote me on
that, but I know the process to get the release approved is moving along right now, so it
shouldn't be too long.

The multiple directory lookup has *not,* yet, been incorporated.  I can't remember if there's
a separate JIRA issue for that one - I feel like there is - if not, you should definitely
open one so we can track status on that.

On Sunday, July 30, 2017, 7:04:03 PM EDT, James Fraser <>
I have been reviewing 0.9.13
In particular
I am curious if this is now possible? Is it potentially possible to lookup between multiple
James Fraser • Microsoft Systems Engineer
