guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Fertig, Brian" <>
Subject RE: LDAP Questions
Date Wed, 20 Mar 2019 00:44:57 GMT
Thanks Nick.  I ended up creating a service account and letting it roll.  I vaguely remember
this config a year ago when I set it up before.  I’ve got TOTP, MySQL, and LDAP setup. 
Its humming.  Thanks!


From: Nick Couchman <>
Sent: Tuesday, March 19, 2019 6:22 PM
Subject: Re: LDAP Questions

On Tue, Mar 19, 2019 at 12:01 PM Fertig, Brian <<>>

I am trying to latter.  When a user is trying to log into Guac I want that users credentials
presented to AD to see if they can.  If they can then allow them to login.  At least based
on the documentation I assume this is how I have it setup.

Part of the issue you're running into is that the LDAP authentication module is a bit limited.
 There's actually a JIRA issue already out there that seeks to loosen up the restrictions
a bit, but it hasn't been worked, yet:<>

Basically, right now there are two modes of authentication:
- Search & Bind: You specify a bind DN for an account to search the directory, Guacamole
searches LDAP for the user that tries to bind as the user that has been located within the
tree.  So, if you specify, in your file, ldap-search-bind-dn of "cn=search,ou=accounts,dc=example,dc=com",
and you try to log in as "testuser", Guacamole will first bind as the cn=search user, search
for "testuser", assuming testuser is found (say, cn=testuser,ou=users,dc=example,dc=com),
Guacamole will re-bind as the cn=testuser account using the password specified.
- Derive DN: You don't specify the ldap-search-bind-dn, but you do specify ldap-user-base-dn
as "ou=users,dc=example,dc=com", then Guacamole derives the DN as cn=<username>,ou=users,dc=example,dc=com
and attempts to bind with that password.  Using the "testuser" account from before, Guacamole
would derive the DN to cn=testuser,ou=users,dc=example,dc=com, and then use the provided password
to bind.  This mode is really only useful in the situation where you have a flat directory
tree where all users (or at least all users that are going to be logging in to Guacamole)
are found in the same OU.  You can simulate this within your LDAP tree by creating account
aliases within a particular OU (ou=Guacamole_Users,dc=example,dc=com) and allowing the Guacamole
module to dereference aliases.

The JIRA issue above deals specifically with Active Directory-style authentication, where
the directory allows you to bind with <username>@<domain> (e.g.<>).
 Hopefully that'll get added at some point, when we have time to work on it.

Hopefully this helps.


The information contained in this message may be confidential and legally protected under
applicable law. The message is intended solely for the addressee(s). If you are not the intended
recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction
of this message is strictly prohibited and may be unlawful. If you are not the intended recipient,
please contact the sender by return e-mail and destroy all copies of the original message.
View raw message