Thanks Nick—I got this working using your second method by not sending a 'guacConfigParameter' object at all, but just returning the group name as the cn. I also had to add LDAP_GROUP_BASE_DN into the guacamole configuration. I do still see a warning in the logs about a missing required attribute:
09:55:37.571 [http-nio-8080-exec-3] WARN o.a.g.a.l.c.ConnectionService - guacConfigGroup "test" is missing the required "guacConfigProtocol" attribute.

But that doesn't seem to stop the authentication working.

On Fri, 17 May 2024 at 02:33, Nick Couchman <[email protected]> wrote:

> On Wed, May 15, 2024 at 6:20 AM David Lomas <[email protected]>
> wrote:
>
>> Hi,
>>
>> I've set up a balancing group in Guacamole which contains 3 test
>> connections to individual machines. If I create test users in the web
>> interface and assign them to the group (but _not_ to individual
>> connections), I can see the balancing working—when each user logs in, they
>> are assigned to an available connection.
>>
>
> If you're setting up a balancing group, then this means that you're using
> the JDBC (DB) extension for storing connections, correct?
>
>> But how can I 'target' a user who is authenticated via LDAP to this
>> connection group? The documentation shows how to return a connection to a
>> specific machine as part of the guacConfigParameter object (hostname: xyz,
>> etc.) but I couldn't find anything about returning a connection group
>> there. Is this possible? Is there some documentation I've missed?
>>
>
> There are two ways to do this:
> * You can create a user account in the database that has the same user
> name (generally case-sensitive) as the LDAP user, and assign permission for
> a connection or connection group to the user. Note that this can also be
> largely automated by enabling the auto account-creation capability. See:
> https://guacamole.apache.org/doc/gug/ldap-auth.html#associating-ldap-with-a-database ,
> https://guacamole.apache.org/doc/gug/jdbc-auth.html#auto-creating-database-users
> * Instead of doing this based on username, you can do this with user
> groups - if you enable group searching in LDAP, you can assign the
> permissions to the groups, and, as long as the groups in the database have
> the same name as the LDAP groups, Guacamole will associate those
> permissions.
>
> -Nick
