A few things I found to help set this up. First, the user you use for ldap-search-bind-dn MUST have the ability to read other AD users and groups.
Next, I log in using the default/local Guacamole admin and create a new user. This will be the first AD/LDAP user you want to have admin rights over Guacamole. So, if for example you have an AD account that's admin, you likely want to use that as your admin account for Guac too. You simply create a new user, give them the same exact name as its AD/LDAP counterpart and then do nothing else than check off all of the permissions boxes and hit save. Log out and then log in with that AD account. Presuming it works, you should now see all the AD users under the parameters you provided in guacamole.properties. You won't have to create (within Guac) users for other admins; you simply go to the user in Guac and give them admin rights by checking off the boxes in Guac for it. When they sign in, they should have admin rights like your account does.

Presuming it all works, I would recommend:

- Create another local admin account with a different name than the default and a secure password. This account should not match any account in AD/LDAP... make it unique.
- Disable (or I prefer deleting) the default Guac admin account.

Lastly, I found ADExplorer to be very helpful for navigating, understanding and testing stuff around in a Windows AD server. It allows me to more easily navigate the AD/LDAP structure, shows full paths in cn=,ou=,dc=,dc= syntax and allows creating/testing queries, etc. Great tool.

Hope this helps.

-- Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
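A pre-flight check for the first point above (that the ldap-search-bind-dn account can read users and groups), added here as an example and not part of the original post or of Guacamole itself: it runs ldapsearch as the intended bind account and confirms at least one user and one group object are visible before you commit the settings to guacamole.properties. The hostname, DNs and filters are assumptions; the OpenLDAP client tools are assumed to be installed.

```shell
#!/bin/sh
# Added example: verify the planned ldap-search-bind-dn account can read
# both user and group objects in AD. All values below are assumptions.
LDAP_URI="${LDAP_URI:-ldap://dc01.example.internal}"
BIND_DN="${BIND_DN:-CN=guac-bind,OU=Service Accounts,DC=example,DC=internal}"
BASE_DN="${BASE_DN:-DC=example,DC=internal}"
BIND_PW="${BIND_PW:-}"   # supply via environment; never hard-code it

# Count LDAP entries in LDIF read from stdin: each entry begins with "dn:".
count_entries() {
    grep -c '^dn:' || true
}

# Search as the bind account and print how many entries were visible.
# $1 = LDAP filter, $2 = single attribute to request (keeps output small)
visible_entries() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
        -b "$BASE_DN" -s sub "$1" "$2" 2>/dev/null | count_entries
}

# Exit 0 only if the bind account sees at least one user AND one group;
# print both counts so the side that is failing is obvious.
check_bind_access() {
    if [ -z "$BIND_PW" ]; then
        echo "BIND_PW is not set" >&2
        return 1
    fi
    users=$(visible_entries '(&(objectClass=user)(sAMAccountName=*))' sAMAccountName)
    groups=$(visible_entries '(objectClass=group)' cn)
    echo "users visible: $users, groups visible: $groups"
    [ "$users" -gt 0 ] && [ "$groups" -gt 0 ]
}

# Usage: BIND_PW='...' sh check-bind.sh --check
if [ "${1:-}" = "--check" ]; then
    check_bind_access || {
        echo "bind account cannot read both users and groups; fix its AD permissions first" >&2
        exit 1
    }
fi
```

If either count is 0, fix the bind account's read permissions in AD before expecting Guacamole to list AD users.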
