That link is for a 2013 discussion, is there any more current discussion.
We are currently running Guac v1.0.0 on a Cent OS 7 Virtual machine
(ESXI6.7) with 4 processors 8 Gig ram and a 100 gb hard drive.
We currently have 32 simultaneous users (Just checked “currently
logged on”) our resources are sitting at 940MHz CPU – 409 MB memory
and 50.8 GB hard drive.
Our current system consists of the Guac system and 30 installed and
running Win 7 desktops on one server and a “sister” server that holds
about 40 more virtual Win 7 desktops.
Along with the virtual users, who connect from all over the world, we
have about 30 “potential” users that occasionally connect through
Guacamole to their physical Windows 10 systems here in the local office.
All of our users log into their virtual desktops to run an IBM ACS
green screen emulator for data entry into an IBM Power system.
As well as running Chrome on their virtual desktops for data lookup.
We have been asked to increase our setup by “up to” 100 more users. I
am hoping that we can get away with just adding drive space and memory
to the “sister” server. As the OP was wondering how many simultaneous
users you can run, I also would like to know if we will need to set up
a second Guac server to accomplish our required task.
*From:*Adrian Owen <[email protected]>
*Sent:* Tuesday, March 3, 2020 10:36 AM
*To:* [email protected]; Stewart Alexander
<[email protected]>
*Subject:* RE: How many users can use Guacamole simultaneously?
https://sourceforge.net/p/guacamole/discussion/1110834/thread/666f7a9f/
*From:*Stewart Alexander [mailto:[email protected]]
*Sent:* 03 March 2020 12:47
*To:* [email protected] <mailto:[email protected]>
*Subject:* How many users can use Guacamole simultaneously?
Hi all,
Does anyone know how many users can login through Guacamole
simultaneously?
What are the bottlenecks?
Thank you,
Stewart Alexander
------ Original Message ------
From: "Fabio Corsi" <[email protected]
<mailto:[email protected]>>
To: [email protected] <mailto:[email protected]>
Sent: 3/2/2020 5:01:07 PM
Subject: Re: ldap-user-search-filter problem
CAUTION: This email originated from outside your organization.
Exercise caution when opening attachments or clicking links,
especially from unknown senders.
Hi,
I was wondering if anyone could provide some insight on this issue.
To recap my previous message I have a ldap-user-search-filter set to
(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=asrc,dc=crossroads))
however any valid LDAP user is allowed to login on the Guacamole
web page.
My configuration: Guacamole 1.1.0, Ubuntu 18.04, openLDAP
(libldap-2.4-2:amd64) on a separate Ubuntu 18.04 VM.
since my first message I’ve done some additional investigation
into the problem.
By looking at the logs on my LDAP server I can see that the
filters are passed on to the LDAP server and they do return the
correct number of entries.
There are a couple of things that seem strange to me:
* Not sure why the "(|(uid=*)) clause is added to the main group
filter defined in my configuration
* For the user in the guacusers group the SeeAlso seems to
expand to all the object of class groupOfNames in my directory
Here are the log entries for the user that is in the guacusers group:
slapd[904]: conn=9470 fd=48 ACCEPT from IP=10.16.33.12:52422
(IP=0.0.0.0:389)
slapd[904]: conn=9470 op=0 BIND
dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9470 op=0 BIND
dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain"
mech=SIMPLE ssf=0
slapd[904]: conn=9470 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9470 op=1 SRCH
base="ou=groups,dc=my,dc=domain" scope=2 deref=0
filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9470 op=1 SEARCH RESULT tag=101 err=0
nentries=5 text=
slapd[904]: conn=9470 fd=48 closed (connection lost)
slapd[904]: conn=9471 fd=48 ACCEPT from IP=10.16.33.12:52424
(IP=0.0.0.0:389)
slapd[904]: conn=9471 op=0 BIND
dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9471 op=0 BIND
dn="uid=user_in_guacusers,ou=users,dc=my,dc=domain"
mech=SIMPLE ssf=0
slapd[904]: conn=9471 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9471 op=1 SRCH
base="ou=users,dc=my,dc=domain" scope=2 deref=0
filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
slapd[904]: conn=9471 op=1 SEARCH RESULT tag=101 err=0
nentries=6 text=
slapd[904]: conn=9471 op=2 SRCH
base="ou=groups,dc=my,dc=domain" scope=2 deref=0
filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
slapd[904]: conn=9471 op=2 SEARCH RESULT tag=101 err=0
nentries=46 text=
slapd[904]: conn=9471 op=3 SRCH
base="ou=groups,dc=my,dc=domain" scope=2 deref=0
filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9471 op=3 SEARCH RESULT tag=101 err=0
nentries=5 text=
slapd[904]: conn=9471 op=4 SRCH
base="ou=guac_config,dc=my,dc=domain" scope=2 deref=0
filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_in_guacusers,ou=users,dc=my,dc=domain)(seeAlso=cn=group1,ou=groups,dc=my,dc=domain)(seeAlso=cn=group2,ou=groups,dc=my,dc=domain)(seeAlso=cn=group3,ou=groups,dc=my,dc=domain)(seeAlso=cn=group4,ou=groups,dc=my,dc=domain)(seeAlso=cn=guacusers,ou=groups,dc=my,dc=domain)))"
slapd[904]: conn=9471 op=4 SEARCH RESULT tag=101 err=0
nentries=1 text=
And for the user that is not in the guacusers group:
slapd[904]: conn=9478 fd=88 ACCEPT from IP=10.16.33.12:52430
(IP=0.0.0.0:389)
slapd[904]: conn=9478 op=0 BIND
dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9478 op=0 BIND
dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain"
mech=SIMPLE ssf=0
slapd[904]: conn=9478 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9478 op=1 SRCH
base="ou=groups,dc=my,dc=domain" scope=2 deref=0
filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9478 op=1 SEARCH RESULT tag=101 err=0
nentries=0 text=
slapd[904]: conn=9478 fd=88 closed (connection lost)
slapd[904]: conn=9479 fd=88 ACCEPT from IP=10.16.33.12:52432
(IP=0.0.0.0:389)
slapd[904]: conn=9479 op=0 BIND
dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain" method=128
slapd[904]: conn=9479 op=0 BIND
dn="uid=user_not_in_guacusers,ou=users,dc=my,dc=domain"
mech=SIMPLE ssf=0
slapd[904]: conn=9479 op=0 RESULT tag=97 err=0 text=
slapd[904]: conn=9479 op=1 SRCH
base="ou=users,dc=my,dc=domain" scope=2 deref=0
filter="(&(&(objectClass=person)(memberOf=cn=guacusers,ou=groups,dc=my,dc=domain))(|(uid=*)))"
slapd[904]: conn=9479 op=1 SEARCH RESULT tag=101 err=0
nentries=6 text=
slapd[904]: conn=9479 op=2 SRCH
base="ou=groups,dc=my,dc=domain" scope=2 deref=0
filter="(&(!(objectClass=guacConfigGroup))(|(cn=*)))"
slapd[904]: conn=9479 op=2 SEARCH RESULT tag=101 err=0
nentries=46 text=
slapd[904]: conn=9479 op=3 SRCH
base="ou=groups,dc=my,dc=domain" scope=2 deref=0
filter="(&(!(objectClass=guacConfigGroup))(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9479 op=3 SEARCH RESULT tag=101 err=0
nentries=0 text=
slapd[904]: conn=9479 op=4 SRCH
base="ou=guac_config,dc=my,dc=domain" scope=2 deref=0
filter="(&(objectClass=guacConfigGroup)(|(member=uid=user_not_in_guacusers,ou=users,dc=my,dc=domain)))"
slapd[904]: conn=9479 op=4 SEARCH RESULT tag=101 err=0
nentries=0 text=
And this is my full configuration file:
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822
#skip-if-unavailable: mysql, ldap
api-session-timeout: 15
# LDAP properties
ldap-hostname: configserver.my.domain
ldap-port: 389
ldap-user-base-dn: ou=users,dc=my,dc=domain
ldap-username-attribute: uid
ldap-user-search-filter:
(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=my,dc=domain))
ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
ldap-group-base-dn: ou=groups,dc=my,dc=domain
# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: MySecret
Thanks,
Fabio
On Feb 25, 2020, at 10:46, Fabio Corsi
<[email protected]
<mailto:[email protected]>> wrote:
We're using openLDAP (libldap-2.4-2:amd64) on a separate
Ubuntu 18.04 installation.
Many thanks,
Fabio
On Feb 24, 2020, at 22:57, Mike Jumper <[email protected]
<mailto:[email protected]>> wrote:
On Mon, Feb 24, 2020, 19:52 Fabio Corsi
<[email protected]
<mailto:[email protected]>> wrote:
Hi,
I’ve a fresh install of Guacamole 1.1.0 on Ubuntu
18.0.4 Server.
I have the LDAP extension installed (along with the
MySQL one) and I’ve defined connections directly into
LDAP.
Everything works just fine, users are authenticated
and are allowed the proper connections, however I
would like to allow only users MemberOf a one LDAP
group (e.g. guacusers) to login to my Guacamole site.
I’m using ldap-user-search-filter, but it does not
seem to work. As of now any active users in my LDAP
directory can login into the Guacamole site.
No connections are displayed for the users that I
would like to disallow, but nevertheless they can
still login...
This is the LDAP configuration in my
guacamole.properties
<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fguacamole.properties&c=E,1,E8cBBI4_vdYlMnL8xX-O_ehFfvRAlR9c2oz1h0iY4s3lZ_2UFsjyvQ1hDs_Pk46WxCb8Ahl2ZPjzLWyNQTjO8Ct18O1NBHKGKM6iMBOV8ksJlE5VdPND&typo=1>
# LDAP properties
ldap-hostname: configserver.my.domain
ldap-port: 389
ldap-user-base-dn: ou=users,dc=my,dc=domain
ldap-username-attribute: uid
ldap-user-search-filter:
(&(objectClass=person)(memberof=cn=guacusers,ou=groups,dc=asrc,dc=crossroads))
ldap-config-base-dn: ou=guac_config,dc=my,dc=domain
ldap-group-base-dn: ou=groups,dc=my,dc=domain
And I have previously used this same configuration
some time back when I was testing version 0.9.14 and
it seemed to be working...
Note that if I run the same filter on my LDAP server,
e.g.:
ldapsearch -x -LLL -Hldap:///-b
"ou=users,dc=my,dc=domain" -s sub
"(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)”
I get the expected result….
I’ve also tried adding other specifiers to the filter,
like
(memberof=cn=guacusers,ou=groups,dc=my,dc=domain)
they all work when I query the LDAP server
with ldapsearch, but don’t seem to have any effect
when I use them in Guacamole.
What LDAP server is being used?
- Mike
------------------------------------------------------------------------
The information contained in this message is intended only for the
recipient, and may be a confidential attorney-client communication or
may otherwise be privileged and confidential and protected from
disclosure. If the reader of this message is not the intended
recipient, or an employee or agent responsible for delivering this
message to the intended recipient, please be aware that any
dissemination or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately
notify us by replying to the message and deleting it from your
computer. S&P Global Inc. reserves the right, subject to applicable
local law, to monitor, review and process the content of any
electronic message or information sent to or from S&P Global Inc.
e-mail addresses without informing the sender or recipient of the
message. By sending electronic message or information to S&P Global
Inc. e-mail addresses you, as the sender, are consenting to S&P Global
Inc. processing any of your personal data therein.
