Using Apache Guacamole with OpenLDAP

Learn how to configure Apache Guacamole to use OpenLDAP for its database.

Written by Marty Heyman

Updated at July 27th, 2024

Table of Contents

  • To setup LDAP
    • Using guacamole.properties
    • Using docker variables
    • Notes
  • To enable LDAP
  • To enable users

!! IMPORTANT - LDAP authentication as described here only works if Apache Guacamole is also using database authentication.

Apache Guacamole does support using LDAP to store its user configuration, but that is outside the scope of this article.

To setup LDAP

Using guacamole.properties

Open and edit your Apache Guacamole properties file, located at guacamole/guacamole.properties.

Uncomment the LDAP properties, or insert the block below into your properties file:

### http://guacamole.apache.org/doc/gug/ldap-auth.html
### LDAP Properties
### ldap-hostname must be EITHER a fully qualified domain name
###    or an IP address
ldap-hostname: localhost
ldap-port: 389
ldap-user-base-dn: ou=people,dc=example,dc=com
ldap-username-attribute: uid
ldap-search-bind-dn: uid=admin,ou=people,dc=example,dc=com
ldap-search-bind-password: replacewithyoursecret
ldap-user-search-filter: (memberof=cn=ldap_apacheguac,ou=groups,dc=example,dc=com)

Using docker variables

If you are setting up Guacamole using a Docker container, these are the commonly used environment variables. Please verify them against those used by the container you are using. As above, ldap-hostname must be EITHER a fully qualified domain name or an IP address.

LDAP_HOSTNAME: localhost
LDAP_PORT: 389
LDAP_ENCRYPTION_METHOD: none
LDAP_USER_BASE_DN: ou=people,dc=example,dc=com
LDAP_USERNAME_ATTRIBUTE: uid
LDAP_SEARCH_BIND_DN: uid=admin,ou=people,dc=example,dc=com
LDAP_SEARCH_BIND_PASSWORD: replacewithyoursecret
LDAP_USER_SEARCH_FILTER: (memberof=cn=ldap_guacamole,ou=groups,dc=example,dc=com) 

Notes

  • Outside of a Docker container, the guacamole.properties approach should work fine. If not, PLEASE REPORT YOUR EXPERIENCES and we can help.
  • Set the values either through guacamole.properties or through docker variables, not both.
  • Exclude ldap-user-search-filter/LDAP_USER_SEARCH_FILTER if you do not want to limit users based on group membership.
    • The sample value is a filter that permits users in the ldap_guacamole sample group.
  • Replace dc=example,dc=com with your LDAP configured domain for all occurrences.
  • Apache Guacamole does not lock you out when enabling LDAP. Your static IDs are still able to log in.
  • Setting LDAP_ENCRYPTION_METHOD to none disables SSL, so LDAP traffic, including bind passwords, is sent unencrypted.
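A pre-restart check for the LDAP block described above, as an added example (not Symas or Apache Guacamole code). The function names are hypothetical and the sample input is constructed from the article's properties block. It assumes Guacamole's documented behaviour that an omitted ldap-encryption-method means no encryption.

```python
import re

# Constructed sample: the article's properties block, unchanged.
SAMPLE = """\
### LDAP Properties
ldap-hostname: localhost
ldap-port: 389
ldap-user-base-dn: ou=people,dc=example,dc=com
ldap-username-attribute: uid
ldap-search-bind-dn: uid=admin,ou=people,dc=example,dc=com
ldap-search-bind-password: replacewithyoursecret
ldap-user-search-filter: (memberof=cn=ldap_apacheguac,ou=groups,dc=example,dc=com)
"""

def parse_properties(text):
    """Return {key: value} for 'key: value' or 'key=value' lines; skip comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!:=\s][^:=\s]*)\s*[:=]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def balanced(filt):
    """True if the filter starts with '(' and its parentheses pair up."""
    depth = 0
    for ch in filt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and filt.startswith("(")

def lint(props):
    """Return a list of findings for the LDAP settings in props."""
    findings = []
    # Assumption: an omitted ldap-encryption-method means no encryption.
    if props.get("ldap-encryption-method", "none") == "none":
        findings.append("encryption: LDAP binds are sent unencrypted")
    if props.get("ldap-search-bind-password", "") in ("", "replacewithyoursecret"):
        findings.append("password: search bind password missing or placeholder")
    filt = props.get("ldap-user-search-filter")
    if filt is not None and not balanced(filt):
        findings.append("filter: unbalanced parentheses in user search filter")
    findings += [f"missing: {k}" for k in ("ldap-hostname", "ldap-user-base-dn")
                 if k not in props]
    return findings

if __name__ == "__main__":
    for finding in lint(parse_properties(SAMPLE)):
        print(finding)
```

Run against the article's block unchanged, it reports the unencrypted bind and the placeholder password; an empty result means none of these checks fired.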

To enable LDAP

Restart your Apache Guacamole app for the changes to take effect.

To enable users

Before logging in with an LDAP user, you have to manually create that user in Apache Guacamole using your static ID. This applies to each user that you want to log in using LDAP authentication. Otherwise the user will be logged in without any permissions/connections/etc.

Using your static ID, create a username that matches your target LDAP username. If applicable, tick the permissions and/or connections that you want this user to see.

Log in with the LDAP user.

Copyright © 2020-2024 Symas Corporation. All rights reserved.