On Mon, Oct 20, 2025 at 11:00 AM Tony Guadagno <[email protected]> wrote:
> I have Guacamole working and am really happy with it generally. One thing
> I am used to on my legacy application was the ability to assign connections
> based on group membership. I think you support this now with LDAP but I am
> using RADIUS for authentication.
>
> My question is; is there a way to assign group authorization via RADIUS
> directly or as a secondary lookup via LDAP (so keeping RADIUS for
> authentication but using LDAP for authorization).

Unfortunately, no - there are two limitations in this case that prevent the use of groups with that configuration:

* The RADIUS module currently does not support pulling group membership and delivering that via a RADIUS attribute to the Guacamole client. I looked into this a couple of times in the past and hit a couple of roadblocks that have kept me from pursuing it. The first was that RADIUS lacks a standard way to handle this kind of information transfer. This wasn't an insurmountable issue, just a difficulty: since there's no standard, it would be very implementation-specific to Guacamole, which would likely require admins seeking this functionality to also have control over, and perform significant configuration on, the RADIUS server. The second is that one of the most common RADIUS servers in use today, Windows NPS, does not appear to support any way of dynamically gathering user groups and providing those to the client. It allows checking membership in a specific group and then setting a custom RADIUS attribute based on that membership, but the implications for any sort of scalable configuration are not good; essentially, for each group you'd want to check in AD, you'd have to create a rule on the NPS system and set a custom attribute. I suspect other RADIUS servers, like FreeRADIUS, which is exceedingly configurable, can actually handle this, but then this goes back to the previous issue of there not being any standard and having to basically define our own way to do it.

* The LDAP module has a particular, and intentionally-designed, way of working that isn't compatible with this use case. The initial search for the LDAP user is done with the configured search credentials, but, after that, the LDAP connection is re-bound with the credentials of the user logging in. This allows us to leverage the LDAP directory security, limiting access by Guacamole into the LDAP tree to the permissions granted to the user logging in to Guacamole, rather than whatever permissions the search DN may (or may not) have. The trade-off for this is that "secondary data" in the LDAP module, like group membership or connection information, cannot be leveraged unless the LDAP module actually authenticates the user who is logging in, because those credentials are the only ones that are used to access LDAP after authenticating the user. In short, you cannot currently use the LDAP module for authorization if you do not first use it for authentication.

-Nick
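Nick's first point, that RADIUS has no standard attribute for group membership, is easy to see on the wire. The following is an added example and is not Guacamole's code or anything from the thread: a minimal RFC 2865 Access-Accept builder and verifier, standard library only, that checks the Response Authenticator and then pulls group names out of whichever attribute a deployment happened to choose for them (Filter-Id, Class, or a Vendor-Specific attribute). The shared secret, the request authenticator, the group names, the ";" separator and the vendor ID 99999 are all constructed for the example; the vendor ID is a placeholder, not a real enterprise number.

```python
"""
Added example: parse a RADIUS Access-Accept and extract group names from a
deployment-chosen attribute. RFC 2865 defines no "groups" attribute, so the
carrier (Filter-Id, Class, or a VSA) and the value format are local policy.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11          # RFC 2865 5.11, often reused for role/group names
ATTR_CLASS = 25              # RFC 2865 5.25, another common carrier
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 5.26


def encode_attributes(attrs):
    """attrs: list of (type, value bytes) -> TLV bytes; length counts the 2-byte header."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def vsa(vendor_id, vendor_type, value):
    """Value of a Vendor-Specific attribute: 4-byte Vendor-Id, then one vendor TLV."""
    return struct.pack("!I", vendor_id) + encode_attributes([(vendor_type, value)])


def build_response(code, ident, request_auth, attrs, secret):
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(body):
    attrs, i = [], 0
    while i < len(body):
        if len(body) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", body[i:i + 2])
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def verify_response(packet, request_auth, secret):
    """Check the length field and Response Authenticator; return (code, id, attrs)."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("response authenticator mismatch")
    return code, ident, parse_attributes(body)


def extract_groups(attrs, carrier, vendor=None, sep=b";"):
    """
    carrier: attribute type holding group names. For ATTR_VENDOR_SPECIFIC,
    vendor=(vendor_id, vendor_type) selects the vendor TLV. A value may hold
    several names separated by `sep`. All of this is site policy, not RFC.
    """
    names = []
    for atype, value in attrs:
        if atype != carrier:
            continue
        if carrier == ATTR_VENDOR_SPECIFIC:
            if len(value) < 4 or struct.unpack("!I", value[:4])[0] != vendor[0]:
                continue
            values = [v for t, v in parse_attributes(value[4:]) if t == vendor[1]]
        else:
            values = [value]
        for v in values:
            names.extend(n.decode("utf-8") for n in v.split(sep) if n)
    return names


# Constructed sample data (not captured from a real server).
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))          # what the client sent in its Access-Request
HYPOTHETICAL_VENDOR = 99999              # placeholder, not an assigned enterprise number
SAMPLE_ACCEPT = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, [
    (ATTR_FILTER_ID, b"guac-admins"),
    (ATTR_FILTER_ID, b"guac-rdp-users;guac-ssh-users"),
    (ATTR_VENDOR_SPECIFIC, vsa(HYPOTHETICAL_VENDOR, 1, b"ops;helpdesk")),
], SECRET)


def groups_from_filter_id(packet=SAMPLE_ACCEPT):
    _, _, attrs = verify_response(packet, REQUEST_AUTH, SECRET)
    return extract_groups(attrs, ATTR_FILTER_ID)


def groups_from_vsa(packet=SAMPLE_ACCEPT):
    _, _, attrs = verify_response(packet, REQUEST_AUTH, SECRET)
    return extract_groups(attrs, ATTR_VENDOR_SPECIFIC, vendor=(HYPOTHETICAL_VENDOR, 1))


def tampered_is_rejected(packet=SAMPLE_ACCEPT):
    """Flip one byte of the group list in flight; the authenticator check must fail."""
    bad = bytearray(packet)
    bad[-1] ^= 0x01
    try:
        verify_response(bytes(bad), REQUEST_AUTH, SECRET)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(groups_from_filter_id())
    print(groups_from_vsa())
    print(tampered_is_rejected())
```

The same group list comes back from two different attributes only because the client was told where to look; a second site would pick Class, a different separator, or a different VSA, which is exactly the per-deployment configuration Nick describes. The Response Authenticator check matters because the group names are authorization data: without it, anyone who can inject UDP toward the client can hand a user extra groups. Note that this check is MD5 over the shared secret, so on a real deployment also require the Message-Authenticator attribute (RFC 2869) or run RADIUS over TLS rather than relying on the bare UDP exchange.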
