If you don’t want to add all your users to the Guacamole database for authentication, you can combine the database authentication with LDAP authentication. (You don’t have to modify your LDAP.)
First download and install the LDAP auth extension (the cp path below expects the archive to have been extracted in /usr/src):
wget http://apache.mirror.iphh.net/guacamole/1.1.0/binary/guacamole-auth-ldap-1.1.0.tar.gz
tar xvzf guacamole-auth-ldap-1.1.0.tar.gz
cp /usr/src/guacamole-auth-ldap-1.1.0/guacamole-auth-ldap-1.1.0.jar /etc/guacamole/extensions/
Now configure ‘/etc/guacamole/guacamole.properties’ with your favorite editor and add the following lines:
# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
# LDAP properties
ldap-hostname: YOUR_LDAP_SERVER
ldap-port: 389
ldap-user-base-dn: ou=YOUR_OU,o=company,c=de
ldap-username-attribute: cn
ldap-config-base-dn: ou=YOUR_OU,o=company,c=de
ldap-encryption-method: starttls
To use TLS you have to import the CA certificate of the LDAP server into the Java keystore:
keytool -cacerts -importcert -alias RootCA -file RootCA.pem
Note: The default password of the keystore is “changeit”.
Now restart tomcat and test it:
systemctl restart tomcat9
Your LDAP settings may be completely different from mine:
If your server uses SSL, change the ldap-encryption-method accordingly:
or set it to none if you don’t want to use encryption:
If you need to bind with a user to your LDAP server, add these lines:
Here is an example to limit the login to one or two user groups:
If you use a Microsoft AD server as your LDAP server, your config may look like this:
ldap-hostname: AD_SERVER
ldap-port: 389
ldap-user-base-dn: OU=Users,DC=company,DC=de
ldap-username-attribute: samAccountName
ldap-config-base-dn: OU=Users,DC=company,DC=de
ldap-encryption-method: none
Once your LDAP authentication works, log in one more time as guacadmin and give admin privileges to your LDAP user (add a new user with your LDAP username). Then log in again with your LDAP user. You should now see all LDAP users and groups in the Guacamole admin interface.
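As an added sanity check (not part of the original post), the following Python script parses the LDAP section of guacamole.properties and flags the settings that matter for security: an ldap-encryption-method of none, a port that does not fit the chosen encryption, and malformed base DNs. The sample properties are constructed; the property names and the values none/ssl/starttls are Guacamole’s own.

```python
import re
# Constructed sample guacamole.properties (not from the post), using the
# property names the post uses; encryption is deliberately left at "none".
SAMPLE_PROPERTIES = """\
# LDAP properties
ldap-hostname: ldap.example.com
ldap-port: 389
ldap-user-base-dn: ou=people,o=company,c=de
ldap-username-attribute: cn
ldap-config-base-dn: ou=people,o=company,c=de
ldap-encryption-method: none
"""

# Values Guacamole accepts for ldap-encryption-method and the standard
# LDAP port for each (LDAPS is 636, plain and StartTLS use 389).
VALID_ENCRYPTION = {"none", "ssl", "starttls"}
EXPECTED_PORT = {"none": 389, "starttls": 389, "ssl": 636}
PROP_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$")
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*$")

def parse_properties(text):
    """Parse Java-style 'key: value' / 'key=value' lines into a dict."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if m := PROP_RE.match(line):
            props[m.group(1)] = m.group(2)
    return props

def check_ldap_config(text):
    """Return a list of findings for the LDAP settings; empty means clean."""
    p = parse_properties(text)
    findings = []
    enc = p.get("ldap-encryption-method", "none")  # Guacamole's default
    if enc not in VALID_ENCRYPTION:
        findings.append(f"unknown ldap-encryption-method '{enc}'")
    elif enc == "none":
        findings.append("ldap-encryption-method is none: bind passwords cross the network in cleartext")
    port = p.get("ldap-port")  # Guacamole picks the default port itself if unset
    if port is not None and enc in EXPECTED_PORT and (not port.isdigit() or int(port) != EXPECTED_PORT[enc]):
        findings.append(f"ldap-port {port} does not match {enc} (expected {EXPECTED_PORT[enc]})")
    for key in ("ldap-user-base-dn", "ldap-config-base-dn"):
        dn = p.get(key)
        if dn is None:
            findings.append(f"{key} is missing")
        elif not DN_RE.match(dn):
            findings.append(f"{key} is not a well-formed DN: {dn}")
    return findings
```

Run it against your real file with `check_ldap_config(open("/etc/guacamole/guacamole.properties").read())` before restarting Tomcat.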
This Post Has 14 Comments
CLAIN, 9 Jul 2020
Doesn’t work for me with Windows Server 2012 R2 – Active Directory
sebastian, 9 Jul 2020
I tested it with AD on Windows 2012 R2. Have you turned on the debugging (Part 1 #8)?
Martin, 10 Aug 2020
LDAP auth didn’t work.
Installed on Debian 10, but when I log in to Guacamole, users do not appear.
sebastian, 11 Aug 2020
This is normal.
You need to log in with a user which is allowed to query the LDAP.
This is why the guacadmin didn’t see any users or groups.
Log in with an LDAP user (which is allowed to read all users and groups from your LDAP) and you should see your users.
Martin, 12 Aug 2020
Hi Sebastian, thanks for your answer.
I’ve created an LDAP user, but still can’t auth with Active Directory.
This is what the config looks like:
# LDAP properties
Leandro, 10 Oct 2020
I would like to know if you were able to solve the authentication failure, I have the same problem.
igoreshenka, 19 Aug 2020
Please fix the guide, you are downloading and extracting different versions of the LDAP connector.
igoreshka, 20 Aug 2020
My bad, problem was in my env =)
Faraz, 10 Nov 2020
I have 2 Guacamole servers configured:
1 with Debian and XML setup
2 with Debian and Guacamole Docker
I have followed your instructions, but while downloading and installing the LDAP auth it gave me the following error, since there is no such directory under /usr/src/:
22:12 root@hostname [host]:~# cp /usr/src/guacamole-auth-ldap-1.1.0/guacamole-auth-ldap-1.1.0.jar /etc/guacamole/extensions/
cp: cannot stat ‘/usr/src/guacamole-auth-ldap-1.1.0/guacamole-auth-ldap-1.1.0.jar’: No such file or directory
Shreyans Barthwal, 24 Nov 2021
I have set up Guacamole in my infra and it is working using DB users. I have done the LDAP configuration and it is getting authenticated using a service user account (which has domain admin access) that was created. I am able to authenticate a user under the OU, but I am not able to authenticate any user through a group. Kindly suggest the parameters to use in guacamole.properties for authenticating groups and any other checks which need to be done so that all users under that group are reflected in my Guacamole portal.
Henning deidari, 1 Mar 2022
Hi Shreyans Barthwal,
We encounter the same problem. Did you solve it? Every AD group is displaying empty membership.
Henning deidari, 2 Mar 2022
Hi Shreyans Barthwal,
we encounter the same problem. Did you solve the problem? Can you help?
highland12 Apr 2022
This is my working configuration; the DB installation is also required.
# Auth provider class
# MySQL properties
# LDAP properties
totp-issuer: Guacamole TOTP
Vittor de Castro, 5 Aug 2022
I was reading about using LDAP to store connection data instead of using the database for it. I created a guacConfigGroup and its guacConfigParameter looks like this:
My guacamole.properties has this at the end of the file:
ldap-user-attributes: PObox, info
The PObox attribute of the user is the IP address of the server I’m trying to connect to. When I change the hostname attribute of the guacConfigGroup to the IP or a DNS name it connects normally, but when I try to use the AD attribute it doesn’t connect and I get this in the guacd syslog:
guacd: RDP server closed/refused connection: DNS lookup failed (incorrect hostname?)
Does anyone know how to see if guacd is even using the correct LDAP parameter?