Hello All, first of all my best compliments for the Guacamole project, it's really amazing, fast and secure.
I recently installed it at my company and made it available through Apache in reverse proxy mode. I used both the LDAP and the database extensions in order to authenticate users against Active Directory without modifying the structure of the LDAP server.

Then I stumbled on a little issue. Namely, I didn't want to make Guacamole available to all the users, but only to a selected group defined inside the AD server. Being able to filter users makes management easier, gives better access control and at the same time bypasses an issue caused by Active Directory, which doesn't return more than 1000 users for each LDAP query (unless you use the paging method to make LDAP searches).

In order to add this feature, I used my GitHub account ([email protected]) to download the source code of the ldap-auth module. I made a few changes to the code in order to add a new property for the guacamole.properties file:

ldap-users-filter

This new property optionally allows specifying a filter that is used in "AND" with the default filter in order to filter out unwanted users. In my case I added a filter that lists and allows only the users that belong to the "Guacamole" Active Directory group.

Example:

ldap-users-filter: memberOf=CN=Guacamole,OU=Domain,DC=my,DC=lan

I think this could be a simple but useful feature for the Guacamole community, so I'm here to ask you if you are open to accepting my modifications for the next release.

NOTE: So far, I haven't been able to open a new issue on JIRA about it, so I decided to write to this ML. The raw patch is attached to this mail.
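One way an optional filter like the one described in the mail above can be ANDed with a per-user lookup filter, as an added example that is not part of the original message or the attached patch. The class, its methods, the `sAMAccountName` attribute and the simplified default filter are assumptions; only `ldap-users-filter` and its sample value come from the mail.

```java
public class UsersFilterExample {

    // Escape an assertion value per RFC 4515 so a login name cannot change the filter's structure.
    static String escapeValue(String value) {
        StringBuilder out = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Accept the configured filter with or without outer parentheses,
    // and require it to be exactly one balanced filter component.
    static String normalize(String filter) {
        String f = filter.trim();
        if (!f.startsWith("(")) f = "(" + f + ")";
        int depth = 0;
        for (int i = 0; i < f.length(); i++) {
            if (f.charAt(i) == '(') depth++;
            else if (f.charAt(i) == ')') depth--;
            if (depth <= 0 && i < f.length() - 1)
                throw new IllegalArgumentException("Invalid ldap-users-filter: " + filter);
        }
        if (depth != 0)
            throw new IllegalArgumentException("Invalid ldap-users-filter: " + filter);
        return f;
    }

    // Assumed default filter: (attribute=username). The optional filter only narrows it.
    static String buildSearchFilter(String attribute, String username, String usersFilter) {
        String base = "(" + attribute + "=" + escapeValue(username) + ")";
        if (usersFilter == null || usersFilter.trim().isEmpty()) return base;
        return "(&" + base + normalize(usersFilter) + ")";
    }

    public static void main(String[] args) {
        String usersFilter = "memberOf=CN=Guacamole,OU=Domain,DC=my,DC=lan"; // value from the mail
        System.out.println(buildSearchFilter("sAMAccountName", "jdoe", usersFilter));
        System.out.println(buildSearchFilter("sAMAccountName", "j*doe)(x", usersFilter)); // constructed input
        System.out.println(buildSearchFilter("sAMAccountName", "jdoe", null));
    }
}
```

Because the property value is written without outer parentheses in the mail's example, the combining code has to wrap it before placing it inside the `(&...)` expression; otherwise the resulting filter is malformed.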
