On Fri, May 15, 2020 at 10:15 AM Carlos Al. <[email protected]>
wrote:

> Hello:
>
>   We are using guacamole and we think it is fantastic. Thank you developers
> for the great work.
>
> We need the ldap server just for authentication, and the database for
> everything else (user settings, groups, connections, etc) with the
> correspondent users created.
>
> We cannot modify the ldap server, we can only use it to authenticate our
> users (about 500). And our ldap admin is not very happy because every time a
> user logs in, guacamole makes a huge search in the ldap server (which has
> over 50,000 users).
>
> Is there anything I can do to remove or restrict this search? It seems that
> when a user logs, guacamole tries to find if that user is a ldap admin with
> a search like this:
>
>
Yes, you can use both the ldap-user-base-dn and the ldap-user-search-filter
to restrict how broad the LDAP searches are.  You can also use
ldap-user-attributes to restrict what attributes are pulled from LDAP (by
default it should be pretty small).  All of these options are documented
here:

http://guacamole.apache.org/doc/gug/ldap-auth.html

For group searches, the current version (1.1.0) does not support any group
search filters, but work is being done on that to integrate it into an
upcoming version.  For the time being you can restrict the base DN of group
searches, though, which should help limit the LDAP query load.

If things are still problematic, one of the things I have done in the past
is to use OpenLDAP as a caching LDAP server that proxies in front of
another LDAP server to reduce the overall load.  You should still be able
to pass through authentication and such, but have some of the results
coming back from the upstream server cached.

-Nick
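
The scoping options named in the reply above, shown as a guacamole.properties fragment. This is an added example, not part of the original message or the Guacamole documentation; every DN, OU name and the objectClass value are constructed placeholders for a directory rooted at dc=example,dc=com.

```properties
# guacamole.properties (fragment) -- constructed values, adjust to your directory.

# Broad setting: searching from the directory root makes every lookup walk
# the whole tree (all 50,000 entries in the poster's case).
# ldap-user-base-dn: dc=example,dc=com

# Narrower: start user searches at the subtree that actually holds the
# accounts allowed to use Guacamole (assumed here to be ou=people).
ldap-user-base-dn: ou=people,dc=example,dc=com

# Restrict which entries under that base DN are considered at all.
# The objectClass below is an assumption; use one that exists in your schema
# and that the LDAP server has indexed, so the filter is cheap to evaluate.
ldap-user-search-filter: (objectClass=inetOrgPerson)

# Pull extra attributes only if you need them; list the minimum.
# ldap-user-attributes: mail

# Version 1.1.0 has no group search filter, so the only lever for group
# queries is the base DN. Point it at the smallest subtree that contains
# the groups Guacamole should see (assumed here to be ou=guacamole).
ldap-group-base-dn: ou=guacamole,ou=groups,dc=example,dc=com
```

After changing these, the LDAP server's access log is the place to confirm that the search base and filter Guacamole sends on login match what is configured.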
