guacamole-user mailing list archives

From Nick Couchman <>
Subject Re: Granting users permissions after LDAP authentication
Date Thu, 31 Aug 2017 16:50:50 GMT
Mike asked the following follow-up question:

> Are you using any other extensions to provide storage for the connection data itself?
> Or are you planning on storing the connection data within the LDAP directory?

Which received no response.
The reason Mike asked is because the answer is that it depends on how you're doing authentication
and connections with LDAP.  If you're authenticating with LDAP, but using one of the JDBC
modules for storing connections, then you need to create the LDAP users you want to assign
permissions to in the JDBC module (you can use the guacadmin user to do this, or you can manipulate
the database directly) and then assign those users permissions.  Then, the next time you
log in under the LDAP account, that user will have the permissions.  This is called "layering"
authentication modules, and works as long as the usernames of the modules line up - that is,
if you're logging into LDAP with the username "avocado" then you must create a user with that
same username in the JDBC module and assign the permissions.
If you're using only the LDAP module, then the answer is that you cannot manage connections
from the Guacamole interface - you must use an LDAP tool to manipulate the directory tree
directly and then those items will be read in by Guacamole.  You can do some basic permission
management (use the member LDAP property to assign the connection to certain users), but it's
fairly rudimentary.
See the following manual page for more info on both options:
== He has shown you, O man, what is good; And what does the LORD require of you But to do
justly, To love mercy, And to walk humbly with your God? --Micah 6:8-- ==
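
An illustration of the LDAP-only option described above, added here and not part of the original message: an LDIF entry for one connection, with the member attribute limiting it to a single user. It assumes the Guacamole LDAP schema (the guacConfigGroup object class) is already loaded in the directory; every DN, hostname and value below is constructed.

```ldif
# Constructed example: one Guacamole connection stored as a directory object.
# The base DN dc=example,dc=net and both ou= containers are assumptions.
dn: cn=Example RDP Server,ou=connections,dc=example,dc=net
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: Example RDP Server
# Protocol and parameters that Guacamole reads when building the connection.
guacConfigProtocol: rdp
guacConfigParameter: hostname=rdp01.example.net
guacConfigParameter: port=3389
guacConfigParameter: security=nla
# Only users whose DN is listed as a member are offered this connection.
# "avocado" is the username used in the message above; the DN is constructed.
member: uid=avocado,ou=people,dc=example,dc=net
```

Connection parameters kept in the directory, credentials included if any are added, are readable by whatever account can read this entry, so directory ACLs on the connection container are part of the permission model.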

On Thursday, August 31, 2017, 12:37:56 PM EDT, marcosrlopes <>

