This documentation assumes that you have already configured Guacamole to use LDAP for authentication. If have not already done so, please configure Guacamole for LDAP authentication before proceeding.

Defining the guacConfigGroup object class

When connection data is stored within your LDAP directory, each connection is represented by a special type of LDAP group, and permissions related to Guacamole connections can be managed directly with LDAP based on user membership of these groups. Doing this requires schema modifications which add a new object class called guacConfigGroup.

An LDIF file defining the schema changes in a manner compatible with OpenLDAP is provided by the glyptodon-guacamole-auth-ldap package within /opt/glyptodon/share/guacamole-auth-ldap/schema/guacConfigGroup.ldif. This file can be applied to your OpenLDAP server using the “ldapadd” command:

$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /opt/glyptodon/share/guacamole-auth-ldap/schema/guacConfigGroup.ldif

Once this is done, connections can be defined by creating new guacConfigGroup objects within the LDAP directory. Each guacConfigGroup accepts a single guacConfigProtocol attribute, defining the protocol associated with the connection, and any number of guacConfigParameter attributes, each defining a connection parameter name/value pair. Users that should have access to the connection must be added as members of the guacConfigGroup using the member attribute.

For example, a connection accessible to two users which uses VNC to connect to localhost at port 5900 with the password “secret” could be defined with the following LDIF file:

dn: cn=Example Connection,ou=groups,dc=example,dc=net
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: Example Connection
guacConfigProtocol: vnc
guacConfigParameter: hostname=localhost
guacConfigParameter: port=5900
guacConfigParameter: password=secret
member: cn=user1,ou=people,dc=example,dc=net
member: cn=user2,ou=people,dc=example,dc=net

Configuring Guacamole to read connections from LDAP

To read connection data from LDAP, Guacamole’s main configuration file, /etc/guacamole/, must be modified to define the subtree containing these connections:

$ sudo vi /etc/guacamole/

The base DN of all connections defined within LDAP must be specified using the ldap-config-base-dn property. This base DN should be the DN of the portion of the LDAP directory whose subtree contains all Guacamole connections accessible via LDAP. Only connections defined within the subtree of this base DN will be visible:

## [LDAP-4] LDAP base DN for Guacamole connections ("guacConfigGroup")
## The base DN for all Guacamole connections defined directly within the LDAP
## directory using "guacConfigGroup" objects. If connections will not be stored
## within the directory, this property is unnecessary.
## If the glyptodon-guacamole-auth-ldap package has been installed, the LDAP
## schema for "guacConfigGroup" objects can be found at:
##   /usr/share/guacamole-auth-ldap/schema/guacConfigGroup.ldif
## Alternatively, if your LDAP directory does not accept LDIF files, the schema
## source for "guacConfigGroup" can be found at:
##   /usr/share/guacamole-auth-ldap/schema/guacConfigGroup.schema

#ldap-config-base-dn: ou=connections,dc=example,dc=net

Controlling access using group membership

It is also possible grant entire groups access to connections using the seeAlso attribute. This attribute is a standard LDAP attribute, and will be taken into account by Guacamole if the ldap-group-base-dn property is defined. This property defines the root of the subtree containing all groups which may apply to Guacamole users authenticated using LDAP:

## [LDAP-5] LDAP group / group DN description
## The base DN of all Guacamole groups within the LDAP directory, and the
## attribute which should be used by Guacamole to uniquely identify the
## group.
## If connections are being stored within LDAP using "guacConfigGroup" objects,
## and you wish to control access to these connections via LDAP groups, this is
## accomplished using the standard "seeAlso" attribute and the
## ldap-group-base-dn property is required.
## If connections are being stored outside of LDAP, such as within a database,
## and you wish to control access using LDAP groups, both ldap-group-base-dn
## and ldap-group-name-attribute will be required. The group membership of a
## user cannot be queried without a base DN, and the unique name to be used by
## other parts of Guacamole to represent the group cannot be determined without
## the name attribute.

#ldap-group-base-dn:        ou=groups,dc=example,dc=net
#ldap-group-name-attribute: cn

Completing installation

Changes to Guacamole’s LDAP configuration will generally only be reread from during the startup process. To apply the configuration changes, Guacamole must be restarted:

$ sudo systemctl restart guacamole

You will not have a standalone "guacamole" service if you have not deployed Guacamole automatically with the "glyptodon-guacamole-standalone" package. This will be the case if:

  • You have chosen to manually deploy Guacamole under your own install of Apache Tomcat or JBoss, rather than use the provided version of Tomcat.
  • You are maintaining a deployment of Glyptodon Enterprise that was originally installed before the 2.5 release (2021-09-16).

You will instead need to manually restart your install of Tomcat:

$ sudo systemctl restart tomcat