On Thu, May 14, 2020 at 5:38 AM Sven Specker <[email protected]> wrote:
> Hi!
>
> We are setting up guacamole 1.1.0 to be an RDP-based dispatcher for
> virtual Linux desktops.
>
> The setup would be
>
> 1 balancing connection group with x servers, each allowing 2 connections
> and 1/user. Pretty straightforward.
>
> And since it is the only defined group, I assume, it would automatically
> connect me to one of the servers in the group after login.
>
> I read up on the ldap-auth and was surprised that I either have to extend
> my ldap-server with a schema or basically have to add a user in the
> database.

Authenticating with LDAP does not require any changes to your LDAP directory. Storing the connections themselves within LDAP does require schema extensions to your directory. This is fairly normal - if you want to store something other than the default LDAP attributes in LDAP, you have to extend the schema. The Guacamole schema extensions are minimally invasive.

> Two questions regarding that:
>
> - Maybe I missed it, but can I auto-add users from LDAP to the DB?

No; however, you also do not necessarily need to add all of the users to the database. You could, instead, add a group to the database that matches a group in LDAP, and assign the permissions to the group. Users who match that group from any other modules, including LDAP, should get access to the connections. Keep in mind that, if you go this route, you will need to specify the ldap-group-base-dn in your guacamole.properties file so that the LDAP extension actually looks at group membership.

> - Is it possible to make connections in a defined connection group
> accessible by "successfully authenticated" users?

Not exactly as stated, but if you're using AD you could use "Domain Users" or something like that with the point above and that should cover pretty much everyone.

> Of course, I can write a little program that syncs all of my roughly 60k
> accounts in the guacamole database and then set the connection
> permissions....but for some reason, I consider that a bit of an overkill,
> even though the program would be trivial.

Should not be necessary.

-Nick
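A guacamole.properties fragment for the group-based approach described above, added here as an illustration rather than taken from the thread or from the Guacamole project; the hostname, base DNs and the group name are hypothetical placeholders:

```properties
# LDAP is used for authentication only, so the directory schema stays untouched.
ldap-hostname: ldap.example.com
ldap-port: 636
ldap-encryption-method: ssl

# Where user entries live and which attribute carries the login name.
ldap-user-base-dn: ou=People,dc=example,dc=com
ldap-username-attribute: uid

# Needed for the group approach: without ldap-group-base-dn the LDAP
# extension never looks at group membership, so a database group that
# mirrors an LDAP group would never match anyone.
ldap-group-base-dn: ou=Groups,dc=example,dc=com
ldap-member-attribute: member
```

With this in place, the group created in the Guacamole database (for example "desktop-users", matching the LDAP group's cn) is granted READ on the balancing connection group, and LDAP users who belong to that group receive the connection without a per-user database record.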
