On Fri, Apr 3, 2020 at 9:44 AM Jason Keltz <[email protected]> wrote:

> Hi.
>
> I have a few questions I was hoping someone might be able to help me with:
>
> 1) Although I have my Guacamole install retrieving users from my Samba4
> AD server, it does not retrieve the "Full Name" field. As a result, on
> the "Users" screen, the Full Name field is empty. Is this the expected
> behaviour? Or can I somehow tell Guacamole to retrieve the "displayName"
> field from the LDAP?
>
>
At present I do not believe that the LDAP extension maps through any of the
LDAP fields into display fields in the UI.  This is probably worth
considering a JIRA issue for as an improvement - it should be relatively
easy to do.  Just not implemented today :-).


> 2) My Samba AD users are importing into Guacamole, but not the Samba AD
> groups.  Can I add the groups as well?
>
>
Well, Guacamole doesn't really "import" anything from LDAP - it will
display the information from LDAP that the user who logs in has access to,
and you can relatively easily create users in JDBC from users in LDAP
provided you have admin access on the JDBC side.  However, it does "map"
both users and groups between the various authentication modules, so if you
have a user in LDAP named the same as a user in JDBC, you can assign
permissions in JDBC and those will apply to the LDAP login.  The same is
true of groups - if you create a group in the JDBC module and assign it
permissions, a matching group in LDAP will get those permissions.
Hopefully this makes sense.


> 3) Right now, I have the Guacamole front-end set up, and working.  Now,
> I'm concerned about scaling.  I have potentially 300 workstations I can
> make available through Guacamole.  One server can't handle that load
> (it's an 8 core VM with 16 GB and a 2Gb/s network link!).  It's not
> really clear to me how much load each client imposes at a max.  I
> can't seem to find any information on load balancing between multiple
> Guacamole servers?  I wonder if I simply set up the hostname to have
> multiple IPs, each IP is a different guac server, and the DNS round
> robins them if that's enough?  Or can multiple servers connect to the
> same MySQL DB?
>
>
This is a widely-asked question, with a complicated answer.  First, you
should be able to put any/all of the components behind a load balancer and,
provided you have configured the load balancer correctly (more on that in a
minute), all of the components should work fine behind a load balancer.
So, you can put the Guacamole Client (Tomcat) servers behind a web load
balancer and it can hand out connections to each of those, and there is no
functional issue, there.  You can also put guacd systems behind a load
balancer and have it handle assignment of the web connections to particular
guacd instances, and that should work okay.  There are, however, a couple
of caveats...
- When I say the load balancer needs to be configured correctly, I mean
that it should be persisting sessions in such a way that a client (either
Web Browsers -> Tomcat or Tomcat -> guacd) doesn't get swapped around among
various back-end components.  If the load balancer moves a client from one
back-end component to another, you'll see very odd problems and bad
behavior.  So, you'll want persistence (maybe based on source IP + Port
hashing or something like that) that ensures that clients get relatively
consistently connected to the same Tomcat instance, and that the same
Tomcat instance gets relatively consistently connected to the same guacd
instance.
- While all of the components will functionally work behind a load
balancer, there are a couple of things you'll miss or notice, particularly
with the web client.  The biggest issue has to do with active session
tracking and the fact that, today, there is no mechanism for synchronizing
active sessions across multiple web application server (Tomcat) instances.
This may not matter to you, but the one case where it can matter a lot is
if you're relying on the functionality within Guacamole Client to limit the
number of simultaneous (either per-user or total) sessions connected to a
particular connection.  If you're load-balancing across multiple Guacamole
Client servers these limits will, essentially, be meaningless - there is
currently no way for Guacamole Client to enforce these limits or reliably
compute the actual active number of sessions across multiple instances.
The other place where this might have an impact is if you are using the
Connection Sharing feature - when you go to share a connection, there would
be no way to ensure that the user who gets the connection sharing link gets
connected to both a Guacamole Client session and the subsequent guacd
session where the connection is actually running, so you'd more or less
lose that functionality.

Hopefully that helps and makes sense as to what is possible today.  There
is a JIRA issue out there to improve HA/Load Balancing support, it just
hasn't had much attention:

https://issues.apache.org/jira/browse/GUACAMOLE-283

-Nick
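
Added example, not part of the message above and not Guacamole code: a small Python model of the two load-balancing caveats, showing that source-IP hash persistence keeps a client on one back end, while a per-connection concurrency limit counted separately on each Tomcat instance is multiplied by the number of instances. The class, function names, the connection id and the client addresses are all hypothetical and constructed for illustration.

```python
import hashlib


class GuacClientInstance:
    """Hypothetical model of one Tomcat instance: active sessions are
    tracked in local memory only, with no cross-instance synchronization."""

    def __init__(self, name, max_per_connection):
        self.name = name
        self.max_per_connection = max_per_connection
        self.active = {}  # connection id -> sessions open on THIS instance

    def open_session(self, connection_id):
        count = self.active.get(connection_id, 0)
        if count >= self.max_per_connection:
            return False  # limit enforced, but only against the local count
        self.active[connection_id] = count + 1
        return True


def pick_backend(source_ip, backends):
    """Source-IP hash persistence: a given client address always maps to
    the same back end as long as the back-end list is unchanged."""
    digest = hashlib.sha256(source_ip.encode()).digest()
    return backends[int.from_bytes(digest[:8], "big") % len(backends)]


def simulate(client_ips, n_instances, limit, connection_id="lab-pc-01"):
    """Every client tries to open the same connection through the balancer.
    Returns (sessions admitted in total, list of instances)."""
    backends = [GuacClientInstance(f"tomcat{i}", limit)
                for i in range(n_instances)]
    admitted = 0
    for ip in client_ips:
        if pick_backend(ip, backends).open_session(connection_id):
            admitted += 1
    return admitted, backends


if __name__ == "__main__":
    # Constructed sample clients (documentation address range).
    clients = [f"192.0.2.{i}" for i in range(1, 51)]
    for n in (1, 3):
        total, instances = simulate(clients, n, limit=1)
        per_instance = {b.name: sum(b.active.values()) for b in instances}
        print(f"{n} instance(s), limit 1 -> {total} admitted {per_instance}")
```

With a single instance the limit holds; with several, each instance admits up to the limit on its own, so the ceiling that is actually enforced is the limit times the number of instances receiving traffic.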
