Keeper Connection Manager
Search…
Overview
Installation
Authentication
Authenticating Users with SAML
Authenticating Users with OpenID Connect
Authenticating users with LDAP
Storing connection data within LDAP
Using LDAP with a database
Using Multiple LDAP Servers
Using Keeper Connection Manager with a MySQL Database
Using Keeper Connection Manager with a PostgreSQL Database
Using Guacamole with a SQL Server Database
Supported Protocols
Using Keeper Connection Manager
Vault Integration
Security
Advanced Configuration
Troubleshooting
Changelog
Licensing and Open Source
Scope of Support
Security Advisories
Accessibility Conformance
Powered By GitBook
Using Multiple LDAP Servers
​
If your Active Directory or LDAP deployment spans multiple servers, Guacamole can be configured to use each of your LDAP servers using ldap-servers.yml, a configuration file similar to guacamole.properties and located within /etc/guacamole. When a user authenticates with a Guacamole instance configured to use multiple LDAP servers, each configured LDAP server is tried, in order, until authentication succeeds. Authentication fails only if none of the defined LDAP servers accept the user's provided credentials.
When ldap-servers.yml is used, the values within guacamole.properties still have meaning, but instead serve as defaults for the LDAP servers defined in ldap-servers.yml.

Overview of ldap-servers.yml

The ldap-servers.yml file contains a single YAML list of LDAP servers, with each server definition consisting of a simple list of configuration properties and values. These configuration properties are identical to the LDAP properties available within guacamole.properties except that the "ldap-" prefix is omitted.
For example, a simple ldap-servers.yml that defines two LDAP servers that may be used to authenticate users would contain the following:
1
- hostname: server1.example.net
2
user-base-dn: OU=Users,DC=example,DC=net
3
username-attribute: sAMAccountName
4
search-bind-dn: CN=Guacamole,OU=Services,DC=example,DC=net
5
search-bind-password: SomePassword!
6
​
7
- hostname: server2.example.net
8
user-base-dn: OU=Users,DC=example,DC=net
9
username-attribute: sAMAccountName
10
search-bind-dn: CN=Guacamole,OU=Services,DC=example,DC=net
11
search-bind-password: SomePassword!
Copied!
When a user attempts to log in, Guacamole will attempt to authenticate the user against the first defined LDAP server (server1.example.net). If that fails, Guacamole will proceed with the next (server2.example.net), and so on. Only if authentication fails against all defined LDAP servers will authentication against LDAP fail overall.

Abbreviating common LDAP parameters

Since the only property that varies between the two servers in the above example is the hostname, and since guacamole.properties serves as the source of default values when ldap-servers.yml is used, the configuration details common to all servers would be better specified within guacamole.properties:
1
ldap-user-base-dn: OU=Users,DC=example,DC=net
2
ldap-username-attribute: sAMAccountName
3
ldap-search-bind-dn: CN=Guacamole,OU=Services,DC=example,DC=net
4
ldap-search-bind-password: SomePassword!
Copied!
The contents of ldap-servers.yml can then be reduced to only the hostnames:
1
- hostname: server1.example.net
2
- hostname: server2.example.net
Copied!

Splitting users across multiple LDAP servers

LDAP servers listed within ldap-servers.yml may optionally be restricted to only certain users with the "match-usernames" option. This option accepts both a single string and an array of strings, where each string is a Perl-compatible regular expression. Additionally, if the regular expression includes a capturing group, the contents of the first capturing group will be used as the username representing the user's Guacamole identity.
For example, to define two LDAP servers covering distinct domains, splitting usage of those LDAP servers by whether the user enters their username as "DOMAIN1\username" or "DOMAIN2\username", you would edit your ldap-servers.yml to contain something like the following:
1
- hostname: domain1.example.net
2
user-base-dn: OU=Users,DC=domain1,DC=example,DC=net
3
match-usernames: DOMAIN1\\(.*)
4
​
5
- hostname: domain2.example.net
6
user-base-dn: OU=Users,DC=domain2,DC=example,DC=net
7
match-usernames: DOMAIN2\\(.*)
Copied!
Each of the LDAP servers defined above will only be used if their corresponding regular expression matches the username specified by the user. Since each of the regular expressions in the above example define a capturing group around the username component of the "DOMAIN\username" format, that portion of the provided username will be used to determine the user's identity. If a user successfully authenticates as "DOMAIN1\myusername", then:
If there are multiple username formats that need to be accepted by each LDAP server, multiple regular expressions may be specified. For example, to match both "MYDOMAIN\myusername" and the UPN-style "[email protected]" formats, you would specify:
1
- hostname: domain1.example.net
2
user-base-dn: OU=Users,DC=domain1,DC=example,DC=net
3
match-usernames:
4
- DOMAIN1\\(.*)
5
- (.*)@domain1\.example\.net
6
​
7
- hostname: domain2.example.net
8
user-base-dn: OU=Users,DC=domain2,DC=example,DC=net
9
match-usernames:
10
- DOMAIN2\\(.*)
11
- (.*)@domain2\.example\.net
Copied!
Previous
Using LDAP with a database
Next
Using Keeper Connection Manager with a MySQL Database
Last modified 6mo ago
Export as PDF
Copy link
Contents
Overview of ldap-servers.yml
Abbreviating common LDAP parameters
Splitting users across multiple LDAP servers