LDAP Configuration Properties
The properties listed here are only applicable if LDAP authentication is being used. Support for LDAP authentication is installed using the glyptodon-guacamole-auth-ldap package. If using the glyptodon/guacamole Docker image, support for LDAP authentication is instead configured using environment variables.
TCP connection information
The TCP connection details of the LDAP server, as well as whether encryption should be used.
ldap-hostname (default: localhost)
The hostname/address of the LDAP server.
ldap-port (default: 389, or 636 for LDAPS)
The TCP port that the LDAP server is listening on.
ldap-encryption-method (default: none)
The encryption method to use when communicating with the LDAP server. Valid encryption methods are:
- none (for unencrypted LDAP)
- ssl (for LDAP over SSL/TLS, also known as LDAPS)
- starttls (for STARTTLS)
LDAP user / user DN description
The base DN of all Guacamole users within the LDAP directory, and the attribute which contains each user's username. If the username attribute is not part of the DN, a search DN will need to be provided, as well.
ldap-user-base-dn (default: N/A)
The base DN beneath which all relevant LDAP users may be found. If not using a search DN, this DN must be the common portion of the DN shared by all users to which the username attribute can be added.
ldap-username-attribute (default: uid)
The attribute which contains the user's username. For OpenLDAP, the default value of "uid" is usually correct. For Active Directory, the correct value is typically "sAMAccountName", and a search DN will be needed due to indirect mapping of the username.
LDAP user search DN
The DN and password of the user to bind as when searching for the DN of each user attempting to log in. If omitted, the DN of each user will be derived directly using the user base DN and username attribute.
ldap-search-bind-dn
The DN of the user that Guacamole should bind as when attempting to resolve the DN of an authenticating user (indirect username mapping). If omitted, the DN of each user will be derived directly from the base DN and username attribute. Note that the permissions associated with this account do not affect whether a user can see objects within the LDAP directory. Users, connections, etc. will only be visible to LDAP users if those users are granted permission to see those objects within LDAP.
ldap-search-bind-password
The password that should be provided when Guacamole binds with the given search DN in order to resolve the DN of an authenticating user.
Base DN for Guacamole connections (guacConfigGroup)
The base DN for all Guacamole connections defined directly within the LDAP directory using "guacConfigGroup" objects. The LDAP schema files for "guacConfigGroup" objects can be found within /usr/share/guacamole-auth-ldap/schema in both LDIF and .schema format. Note that storing connections directly within the LDAP directory is optional. If connections will not be stored within the directory, this base DN should not be provided.
ldap-config-base-dn
The base DN of the LDAP subtree that should be searched for connections stored directly within the directory ("guacConfigGroup" objects). If connections are not being stored within the LDAP directory (no schema changes have been applied), this property should not be specified.
Base DN for referenced user groups (seeAlso attribute)
The base DN for all groups which may be referenced within "guacConfigGroup" objects using the "seeAlso" attribute, when granting access to a connection for an entire group of users rather than on a user-by-user basis. If omitted, the "seeAlso" attribute will have no effect on connection availability.
ldap-group-base-dn
The base DN of the LDAP directory subtree that should be searched if "guacConfigGroup" membership is specified using the "seeAlso" attribute.
LDAP search result limits
The maximum number of LDAP search results which can be returned by a single query. LDAP searches which exceed this limit will fail.
ldap-max-search-results (default: 1000)
The maximum number of LDAP search results to retrieve via a single query. By default, LDAP searches are limited to returning a maximum of 1000 entries.
Custom LDAP search filters
The search filter which should be used to retrieve a list of users from the LDAP directory. By default, a filter which matches all objects is used, and the only restriction is the user base DN. If you need to narrow the list of users further, the default filter can be overridden. If overriding the search filter, be sure that the filter is a valid LDAP filter and that it is enclosed in a matching pair of parentheses.
ldap-user-search-filter (default: (objectClass=*))
The search filter which should be used to retrieve the list of users from the LDAP directory. If a search DN is used (indirect user mapping), this filter will also restrict the users that can log into Guacamole.
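The following is an added example (not Guacamole's own code) that illustrates the two user-mapping modes described above: direct mapping, where the DN is built from the username attribute and the user base DN, and indirect mapping, where Guacamole binds as the search DN and searches beneath the user base DN with the configured user filter narrowed to the authenticating username. The exact way Guacamole combines the filter with the username match is an assumption here; the escaping rules are those of RFC 4514 (DN values) and RFC 4515 (filter values), which is what keeps a username containing `,` or `*` from changing the meaning of the DN or filter.

```python
"""Illustrative resolution of a Guacamole LDAP user under direct and indirect
mapping. Added example, not Guacamole's code; the configuration dicts below are
constructed and the filter-combination form is an assumption."""

# Constructed sample settings (not from a real deployment).
DIRECT_CONFIG = {
    "ldap-user-base-dn": "ou=people,dc=example,dc=com",
    "ldap-username-attribute": "uid",
}
INDIRECT_CONFIG = {
    "ldap-user-base-dn": "ou=users,dc=example,dc=com",
    "ldap-username-attribute": "sAMAccountName",
    "ldap-search-bind-dn": "cn=guac-search,ou=service,dc=example,dc=com",
    "ldap-user-search-filter": "(objectClass=user)",
}


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use in a search filter (RFC 4515, section 3)."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def direct_user_dn(config: dict, username: str) -> str:
    """Direct mapping (no search DN): <username attribute>=<username>,<user base DN>."""
    attr = config["ldap-username-attribute"]
    return f"{attr}={escape_dn_value(username)},{config['ldap-user-base-dn']}"


def indirect_user_search(config: dict, username: str) -> tuple:
    """Indirect mapping (search DN set): bind as the search DN and search the
    user base DN with the user filter ANDed with a username-attribute match.
    Returns (bind DN, search base, filter)."""
    attr = config["ldap-username-attribute"]
    user_filter = config.get("ldap-user-search-filter", "(objectClass=*)")
    combined = f"(&{user_filter}({attr}={escape_filter_value(username)}))"
    return config["ldap-search-bind-dn"], config["ldap-user-base-dn"], combined


if __name__ == "__main__":
    print(direct_user_dn(DIRECT_CONFIG, "alice"))
    print(indirect_user_search(INDIRECT_CONFIG, "alice"))
```

With the direct configuration, "alice" resolves to `uid=alice,ou=people,dc=example,dc=com` and no search bind is needed; with the indirect configuration the service account searches `ou=users,dc=example,dc=com` using `(&(objectClass=user)(sAMAccountName=alice))`, so the user filter doubles as the login restriction the description above mentions.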
LDAP aliases and referrals
Whether (and how) Guacamole should follow LDAP aliases or referrals when encountered during an LDAP query. By default, Guacamole will not dereference aliases and will not follow referrals.
ldap-dereference-aliases (default: never)
The method that Guacamole should use to dereference LDAP aliases, if at all. Legal alias dereferencing modes are:
- never (do not dereference aliases at all)
- searching (dereference aliases only after the search base has been found)
- finding (dereference aliases only when finding the search base)
- always (dereference aliases in all cases)
ldap-follow-referrals (default: false)
If set to "true", referrals received from the LDAP directory will be automatically followed. By default, referrals are not followed.
ldap-max-referral-hops (default: 5)
The maximum number of referrals to follow before aborting an LDAP query. This property only has an effect if LDAP referral following is enabled; when it is, following is limited to 5 hops by default.
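As an added example (not part of Guacamole or this page), the script below checks an LDAP section of guacamole.properties against the defaults and constraints listed above: the allowed encryption methods and the 389/636 port default, the required user base DN, the search DN normally needed with sAMAccountName, the balanced-parentheses requirement on the user search filter, the legal alias dereferencing modes, and the fact that ldap-max-referral-hops does nothing unless referral following is enabled. The sample properties text is constructed and deliberately contains three problems.

```python
"""Linter for the LDAP properties of a guacamole.properties file, encoding the
defaults and constraints documented on this page. Added example, not part of
Guacamole; SAMPLE_PROPERTIES is a constructed fragment with three mistakes."""

import re

# Constructed sample fragment (not from a real deployment). It uses the
# "key: value" syntax accepted by Java properties files.
SAMPLE_PROPERTIES = """
# LDAP settings
ldap-hostname: ldap.example.com
ldap-encryption-method: ssl
ldap-user-base-dn: ou=users,dc=example,dc=com
ldap-username-attribute: sAMAccountName
ldap-user-search-filter: (&(objectClass=user)(memberOf=cn=guac,ou=groups,dc=example,dc=com)
ldap-dereference-aliases: sometimes
ldap-follow-referrals: true
ldap-max-referral-hops: 5
"""

ENCRYPTION_METHODS = {"none", "ssl", "starttls"}
DEREFERENCE_MODES = {"never", "searching", "finding", "always"}


def parse_properties(text: str) -> dict:
    """Parse 'key: value' or 'key=value' lines into a dict; skip blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective_port(props: dict) -> int:
    """ldap-port defaults to 389, or 636 when the encryption method is ssl (LDAPS)."""
    if "ldap-port" in props:
        return int(props["ldap-port"])
    return 636 if props.get("ldap-encryption-method", "none") == "ssl" else 389


def filter_is_balanced(ldap_filter: str) -> bool:
    """True if the filter is wrapped in exactly one matching pair of parentheses."""
    depth = 0
    last = len(ldap_filter) - 1
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != last):
                return False
    return depth == 0 and ldap_filter.startswith("(")


def lint(props: dict) -> list:
    """Return a list of findings for the LDAP properties in props."""
    findings = []
    enc = props.get("ldap-encryption-method", "none")
    if enc not in ENCRYPTION_METHODS:
        findings.append(f"ldap-encryption-method: '{enc}' is not one of {sorted(ENCRYPTION_METHODS)}")
    elif enc == "none":
        findings.append("ldap-encryption-method: none means LDAP traffic, including binds, is unencrypted")
    if "ldap-user-base-dn" not in props:
        findings.append("ldap-user-base-dn is required and has no default")
    attr = props.get("ldap-username-attribute", "uid")
    if attr.lower() == "samaccountname" and "ldap-search-bind-dn" not in props:
        findings.append("ldap-username-attribute sAMAccountName normally needs ldap-search-bind-dn (indirect mapping)")
    ldap_filter = props.get("ldap-user-search-filter", "(objectClass=*)")
    if not filter_is_balanced(ldap_filter):
        findings.append("ldap-user-search-filter must be enclosed in a matching pair of parentheses")
    deref = props.get("ldap-dereference-aliases", "never")
    if deref not in DEREFERENCE_MODES:
        findings.append(f"ldap-dereference-aliases: '{deref}' is not one of {sorted(DEREFERENCE_MODES)}")
    follow = props.get("ldap-follow-referrals", "false")
    if follow not in ("true", "false"):
        findings.append(f"ldap-follow-referrals: '{follow}' must be true or false")
    if "ldap-max-referral-hops" in props and follow != "true":
        findings.append("ldap-max-referral-hops has no effect unless ldap-follow-referrals is true")
    return findings


if __name__ == "__main__":
    parsed = parse_properties(SAMPLE_PROPERTIES)
    print("effective port:", effective_port(parsed))
    for finding in lint(parsed):
        print("-", finding)
```

Run against the sample, the linter reports the missing search DN for sAMAccountName, the unclosed search filter, and the invalid dereferencing mode, and resolves the port to 636 because the encryption method is ssl.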