guacConfigGroup object class
When connection data is stored within your LDAP directory, each connection is represented by a special type of LDAP group, and permissions related to Guacamole connections can be managed directly with LDAP based on user membership of these groups. Doing this requires schema modifications which add a new object class called
An LDIF file defining the schema changes in a manner compatible with OpenLDAP is provided by the glyptodon-guacamole-auth-ldap package within
/opt/glyptodon/share/guacamole-auth-ldap/schema/guacConfigGroup.ldif. This file can be applied to your OpenLDAP server using the “ldapadd” command:
Once this is done, connections can be defined by creating new
guacConfigGroup objects within the LDAP directory. Each
guacConfigGroup accepts a single guacConfigProtocol attribute, defining the protocol associated with the connection, and any number of guacConfigParameter attributes, each defining a connection parameter name/value pair. Users that should have access to the connection must be added as members of the
guacConfigGroup using the member attribute.
For example, a connection accessible to two users which uses VNC to connect to localhost at port 5900 with the password “secret” could be defined with the following LDIF file:
Configuring Guacamole to read connections from LDAP
To read connection data from LDAP, Guacamole’s main configuration file,
/etc/guacamole/guacamole.properties, must be modified to define the subtree containing these connections:
The base DN of all connections defined within LDAP must be specified using the ldap-config-base-dn property. This base DN should be the DN of the portion of the LDAP directory whose subtree contains all Guacamole connections accessible via LDAP. Only connections defined within the subtree of this base DN will be visible:
Controlling access using group membership
It is also possible grant entire groups access to connections using the seeAlso attribute. This attribute is a standard LDAP attribute, and will be taken into account by Guacamole if the ldap-group-base-dn property is defined. This property defines the root of the subtree containing all groups which may apply to Guacamole users authenticated using LDAP:
Changes to Guacamole’s LDAP configuration will generally only be reread from
guacamole.properties during the startup process. To apply the configuration changes, Guacamole must be restarted:
You will not have a standalone "guacamole" service if you have not deployed Guacamole automatically with the "glyptodon-guacamole-standalone" package. This will be the case if:
- You have chosen to manually deploy Guacamole under your own install of Apache Tomcat or JBoss, rather than use the provided version of Tomcat.
- You are maintaining a deployment of Glyptodon Enterprise that was originally installed before the 2.5 release (2021-09-16).
You will instead need to manually restart your install of Tomcat: