GUAC-1388: Document configuration and effect of RBAC for LDAP.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/commit/ae27e533 Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/tree/ae27e533 Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/diff/ae27e533 Branch: refs/heads/master Commit: ae27e5339ce1b451d9ae0a439a94b0feb5bc63b9 Parents: 2bf5e66 Author: Michael Jumper <[email protected]> Authored: Fri Jan 22 09:22:53 2016 -0800 Committer: Michael Jumper <[email protected]> Committed: Fri Jan 22 09:22:53 2016 -0800 ---------------------------------------------------------------------- src/chapters/ldap-auth.xml | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/blob/ae27e533/src/chapters/ldap-auth.xml ---------------------------------------------------------------------- diff --git a/src/chapters/ldap-auth.xml b/src/chapters/ldap-auth.xml index c04bace..92ebcb3 100644 --- a/src/chapters/ldap-auth.xml +++ b/src/chapters/ldap-auth.xml @@ -39,7 +39,7 @@ Guacamole connection is represented within the directory as a special type of group: <classname>guacConfigGroup</classname>. Attributes associated with the group define the protocol and parameters of the connection, and users are allowed access to the - connection only if they are members of that group.</para> + connection only if they are associated with that group.</para> <para>This architecture has a number of benefits:</para> <orderedlist> <listitem> 
@@ -112,9 +112,11 @@ modifications to the LDAP schema are made through applying one of the provided schema files. These schema files define an additional object class, <classname>guacConfigGroup</classname>, which contains all configuration information - for a particular connection, and can be associated with arbitrarily-many users. Only - users which are members of a connection's group will have access to that - connection.</para> + for a particular connection, and can be associated with arbitrarily-many users and + groups. Each connection defined by a <classname>guacConfigGroup</classname> will be + accessible only by users who are members of that group (specified with the + <property>member</property> attribute), or who are members of associated groups + (specified with the <property>seeAlso</property> attribute).</para> <important> <para>The instructions given for applying the Guacamole LDAP schema changes are specific to OpenLDAP, but other LDAP implementations, including Active Directory, will have 
@@ -355,8 +357,21 @@ dn: cn={4}guacConfigGroup,cn=schema,cn=config in.</para> <para>Each configuration is analogous to a connection. Within Guacamole's LDAP support, each configuration functions as a group, having user - members, where each member of a particular configuration group will have - access to that configuration.</para> + members (via the <property>member</property> attribute) and optionally + group members (via the <property>seeAlso</property> attribute), where + each member of a particular configuration group will have access to the + connection defined by that configuration.</para> + </listitem> + </varlistentry> + <varlistentry> + <term><property>ldap-group-base-dn</property></term> + <listitem> + <para>The base of the DN for all groups that may be referenced within + Guacamole configurations using the standard <property>seeAlso</property> + attribute. All groups which will be used to control access to Guacamole + configurations must be descendents of this base DN. <emphasis>If this + property is omitted, the <property>seeAlso</property> attribute will + have no effect on Guacamole configurations.</emphasis></para> </listitem> </varlistentry> </variablelist>
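Review bot: in the first hunk (@@ -39), replacing "members of that group" with "associated with that group" leaves "associated" undefined at the point where the reader first meets <classname>guacConfigGroup</classname>; what association means (direct membership via the <property>member</property> attribute, or membership of a group the connection references via <property>seeAlso</property>) is only explained in the later hunk around line 112. Consider saying it inline, e.g. "only if they are members of that group, or members of a group that group references", so the overview does not read as if the access rule had simply become looser.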
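Review bot: the new sentence in the second hunk (@@ -112) presents <property>seeAlso</property>-based access as unconditional ("or who are members of associated groups (specified with the seeAlso attribute)"), but the third hunk states that <property>seeAlso</property> has no effect unless <property>ldap-group-base-dn</property> is set. An administrator who adds <property>seeAlso</property> references after reading only this section will find those grants silently ignored; add a short cross-reference here, e.g. "(this requires <property>ldap-group-base-dn</property> to be configured; see below)". Minor: "arbitrarily-many" does not need the hyphen.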
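Review bot: "descendents" in the new <property>ldap-group-base-dn</property> entry (third hunk, @@ -355) should be "descendants". Beyond the typo, the entry does not say how membership of a referenced group is determined (which attribute of the group is consulted, and whether nested group references are followed), so a reader cannot predict who gains access to a connection once <property>seeAlso</property> is used; the same hunk names the <property>member</property> attribute for direct members, so stating the corresponding rule for referenced groups would close that gap. It would also help to say plainly that this base DN is the boundary that decides which groups are able to grant access at all, and that omitting the property disables <property>seeAlso</property> entirely rather than widening the search, since that fail-closed default is the behaviour an administrator will want to rely on.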
