Under the current version you, unfortunately, do not have any options inside
Guacamole itself to accomplish this. The way I can think of at this point
would be to use OpenLDAP with the Meta or Proxy back-end, and have OpenLDAP
present both directory trees under a single server/tree to Guacamole. That's
not the ideal solution and we certainly want to get Guacamole to the point
where it can handle multiple trees in the same config, but it will work.
I've used the Meta backend before, and it allows you to take two directory
trees - say dc=ad1,dc=com and dc=ad2,dc=com - and combine them in such a way
that ad1 appears at dc=ad1,dc=ldap,dc=com and ad2 at dc=ad2,dc=ldap,dc=com.
You can then query the OpenLDAP instance at the dc=ldap,dc=com level and it
will traverse both trees. IIRC, it's also smart enough to handle passing
through bind requests - so, once a user is found in dc=ad2,dc=ldap,dc=com, for
example, when the bind request is sent it will translate that to the correct
user on the dc=ad2,dc=com side and proxy the request. It takes a little work
to get set up, but it isn't too bad.
If you have both your AD trees set up in a single forest you can probably
accomplish the same thing - if one is at the root and the other is a tree
somewhere in the forest, I'm fairly certain you can have a LDAP server that has
access to both trees. I'm not an expert on Active Directory, so I've never
gone that route before and cannot speak to how it's accomplished or even for
sure that it's possible, but I believe that one of the key features behind
AD was the ability to further sub-divide the domains while still maintaining
some sort of top-level authority and view of the entire system.
Anyway, those are a couple of ideas - like I said, unfortunately, nothing
native to Guacamole at this point that will help you out.
Regards,
Nick
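
A sketch of the Meta back-end layout described above, as an added example that is not part of the original message or of the Guacamole project's documentation. It uses slapd.conf directives from slapd-meta(5); the host names are placeholders, and ldaps:// is an assumption made here so that pass-through bind credentials are encrypted on the way to each directory.

```conf
# slapd.conf fragment (OpenLDAP 2.4 syntax), added example.
# ad1.example.com / ad2.example.com are placeholder host names.

# Needed only when the back-ends are built as dynamic modules.
moduleload    back_ldap
moduleload    back_meta

database      meta
# Virtual root that clients query; both directories hang beneath it.
suffix        "dc=ldap,dc=com"

# Target 1: real tree dc=ad1,dc=com is presented as dc=ad1,dc=ldap,dc=com.
# The DN in the URI is the naming context in the virtual tree;
# suffixmassage rewrites virtual DNs to real ones, including the DN
# in a bind request, so the bind is proxied to the right directory.
uri           "ldaps://ad1.example.com/dc=ad1,dc=ldap,dc=com"
suffixmassage "dc=ad1,dc=ldap,dc=com" "dc=ad1,dc=com"

# Target 2: real tree dc=ad2,dc=com is presented as dc=ad2,dc=ldap,dc=com.
uri           "ldaps://ad2.example.com/dc=ad2,dc=ldap,dc=com"
suffixmassage "dc=ad2,dc=ldap,dc=com" "dc=ad2,dc=com"
```

With a layout like this, Guacamole's `ldap-user-base-dn` would point at `dc=ldap,dc=com`. How searches are authenticated against each directory, and the CA trust needed for ldaps, depend on the deployment and are not shown.
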
On Sunday, July 30, 2017, 8:37:37 PM EDT, James Fraser wrote:
Hi Nick
Thanks for your response, I have just built 0.9.13 and am setting up a couple of
AD domains, just chasing a bit of guidance on how to target the two different
directories if it's possible.
Cheers
James Fraser • Microsoft Systems Engineer
From: Nick Couchman [mailto:nick.couch...@yahoo.com]
Sent: Monday, 31 July 2017 9:59 AM
To: user@guacamole.incubator.apache.org
Subject: Re: Guac 0.9.13
James,
The LDAP filtering is possible as of the as-yet-unreleased 0.9.13-incubating
version of Guacamole. Hopefully that'll be released, soon, maybe even sometime
this week. Don't quote me on that, but I know the process to get the release
approved is moving along right now, so it shouldn't be too long.
The