On Fri, Sep 28, 2018 at 7:48 AM <[email protected]> wrote:

> We use LDAP to allow our users into our Guacamole application.  Now, we
> are allowing 1 or 2 users to be administrators on the system, so we check
> the “Administer the System” checkbox in their user profile.  The next time
> that this person logs in,  and goes to the Users section under Settings,
> they can see ALL of the LDAP users.
>
>
>
> So, we made a group on our LDAP server and added a few users to it, then
> changed the ldap-group-base-dn to (what we thought) filter the scope to
> only be members of the group, as follows:
>
>
>
> ldap-group-base-dn:cn=sdsusers,cn=groups,cn=accounts,dc=example,dc=com
>
> However, after restarting everything, the user can still see ALL users in
> the LDAP.  So how can we filter it down to only show the users in the
> sdsusers group that we have in our LDAP?
>

This property sets the base in the LDAP tree that the LDAP authentication
module will use to search for LDAP Groups.  It will not change what users
the LDAP authentication module searches for, nor does it restrict users of
Guacamole to the group specified there - it simply changes where groups are
read from.

One of the important things about the LDAP module is that it relies on the
security built in to LDAP to restrict access to connections and users.  So,
in your case, any user that logs in will be able to see any users that it
has access to in the LDAP tree.

-Nick
