Under the current version you, unfortunately, do not have any options inside Guacamole itself to accomplish this. The way I can think of at this point would be to use OpenLDAP with the Meta or Proxy back-end, and have OpenLDAP present both directory trees under a single server/tree to Guacamole. That's not the ideal solution and we certainly want to get Guacamole to the point where it can handle multiple trees in the same config, but it will work. I've used the Meta backend before, and it allows you to take two directory trees - say dc=ad1,dc=com and dc=ad2,dc=com - and combine them in such a way that ad1 appears at dc=ad1,dc=ldap,dc=com and ad2 at dc=ad2,dc=ldap,dc=com. You can then query the OpenLDAP instance at the dc=ldap,dc=com level and it will traverse both trees. IIRC, it's also smart enough to handle passing through bind requests - so, once a user is found if dc=ad2,dc=ldap,dc=com, for example, when the bind request is sent it will translate that to the correct user on the dc=ad2,dc=com side and proxy the request. It takes a little work to get set up, but it isn't too bad. If you have both your AD trees set up in a single forest you can probably accomplish the same thing - if one is at the root and the other is a tree somewhere in the forest, I'm fairly certain you can have a LDAP server that has access to both trees. I'm not an expert on Active Directory, so I've never gone that route before and cannot speak to how it's accomplished or even for sure that it's possible, but I believe that was one of the key features behind AD was the ability to further sub-divide the domains while still maintaining some sort of top-level authority and view of the entire system. Anyway, those are a couple of ideas - like I said, unfortunately, nothing native to Guacamole at this point that will help you out. Regards,Nick
On Sunday, July 30, 2017, 8:37:37 PM EDT, James Fraser <[email protected]> wrote: #yiv9350867801 #yiv9350867801 -- _filtered #yiv9350867801 {font-family:Helvetica;panose-1:2 11 6 4 2 2 2 2 2 4;} _filtered #yiv9350867801 {panose-1:2 4 5 3 5 4 6 3 2 4;} _filtered #yiv9350867801 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;}#yiv9350867801 #yiv9350867801 p.yiv9350867801MsoNormal, #yiv9350867801 li.yiv9350867801MsoNormal, #yiv9350867801 div.yiv9350867801MsoNormal {margin:0cm;margin-bottom:.0001pt;font-size:11.0pt;}#yiv9350867801 a:link, #yiv9350867801 span.yiv9350867801MsoHyperlink {color:blue;text-decoration:underline;}#yiv9350867801 a:visited, #yiv9350867801 span.yiv9350867801MsoHyperlinkFollowed {color:purple;text-decoration:underline;}#yiv9350867801 p.yiv9350867801msonormal0, #yiv9350867801 li.yiv9350867801msonormal0, #yiv9350867801 div.yiv9350867801msonormal0 {margin-right:0cm;margin-left:0cm;font-size:11.0pt;}#yiv9350867801 p.yiv9350867801msonormal, #yiv9350867801 li.yiv9350867801msonormal, #yiv9350867801 div.yiv9350867801msonormal {margin-right:0cm;margin-left:0cm;font-size:11.0pt;}#yiv9350867801 p.yiv9350867801msochpdefault, #yiv9350867801 li.yiv9350867801msochpdefault, #yiv9350867801 div.yiv9350867801msochpdefault {margin-right:0cm;margin-left:0cm;font-size:11.0pt;}#yiv9350867801 span.yiv9350867801msohyperlink {}#yiv9350867801 span.yiv9350867801msohyperlinkfollowed {}#yiv9350867801 span.yiv9350867801emailstyle17 {}#yiv9350867801 p.yiv9350867801msonormal1, #yiv9350867801 li.yiv9350867801msonormal1, #yiv9350867801 div.yiv9350867801msonormal1 {margin:0cm;margin-bottom:.0001pt;font-size:11.0pt;}#yiv9350867801 span.yiv9350867801msohyperlink1 {color:#0563C1;text-decoration:underline;}#yiv9350867801 span.yiv9350867801msohyperlinkfollowed1 {color:#954F72;text-decoration:underline;}#yiv9350867801 span.yiv9350867801emailstyle171 {color:windowtext;}#yiv9350867801 p.yiv9350867801msochpdefault1, #yiv9350867801 li.yiv9350867801msochpdefault1, #yiv9350867801 div.yiv9350867801msochpdefault1 {margin-right:0cm;margin-left:0cm;font-size:11.0pt;}#yiv9350867801 span.yiv9350867801EmailStyle29 {color:windowtext;}#yiv9350867801 .yiv9350867801MsoChpDefault {font-size:10.0pt;} _filtered #yiv9350867801 {margin:72.0pt 72.0pt 72.0pt 72.0pt;}#yiv9350867801 div.yiv9350867801WordSection1 {}#yiv9350867801 Hi Nick Thanks for your response, I have just built 0.9.13 and setting up a couple of AD domains, just chasing a bit of guidance of how to target the two different directories if its possible. Cheers James Fraser • Microsoft Systems Engineer From: Nick Couchman [mailto:[email protected]] Sent: Monday, 31 July 2017 9:59 AM To: [email protected] Subject: Re: Guac 0.9.13 James, The LDAP filtering is possible as of the as-yet-unreleased 0.9.13-incubating version of Guacamole. Hopefully that'll be released, soon, maybe even sometime this week. Don't quote me on that, but I know the process to get the release approved is moving along right now, so it shouldn't be too long. The multiple directory lookup has *not,* yet, been incorporated. I can't remember if there's a separate JIRA issue for that one - I feel like there is - if not, you should definitely open one so we can track status on that. Regards, Nick On Sunday, July 30, 2017, 7:04:03 PM EDT, James Fraser <[email protected]> wrote: I have been reviewing 0.9.13 In particular https://issues.apache.org/jira/browse/GUACAMOLE-101 I am curious if this is now possible? Is it potentially possible to lookup between multiple directories? James Fraser • Microsoft Systems Engineer
