If multiple authentication methods are installed, Guacamole will poll each method as it attempts to authenticate users, and will retrieve connection data from each method once a user has successfully authenticated. This behavior is designed to allow authentication methods to work together, and can be leveraged to authenticate Guacamole users against LDAP while storing the connection data for those users within MySQL or PostgreSQL.

Guacamole’s definition of identity

When reading data from multiple authentication methods, Guacamole compares usernames to determine user identity. This means that user accounts from different authentication systems will be automatically combined by Guacamole upon successful authentication as long as those user accounts have the same username.

If both LDAP and a database authentication method have been configured, Guacamole will automatically attempt to authenticate against both systems whenever a user attempts to log in. The LDAP account will be considered equivalent to the database user if the username is identical, and that user will have access to any data associated with them via the database, as well as any visible objects within the LDAP directory.

For a user known to exist within LDAP, that user can be granted permissions to connections within the database by logging in as the administrative user (by default, “guacadmin”) and creating a corresponding database account having the same username. By leaving the password unspecified for the database account, the user will only be able to log in using LDAP, but will still have access to any associated connections defined within the database.
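As an added example (not the manual's own configuration), a guacamole.properties fragment that enables the LDAP and MySQL authentication methods side by side, which is the setup the paragraphs above assume; the hostnames, base DN, database name and credentials are placeholder assumptions:

```properties
# Added example with assumed values, not from the Guacamole manual.
# LDAP: verifies the password the user types at login.
# Assumption: the directory is reachable at ldap.example.com over LDAPS.
ldap-hostname: ldap.example.com
ldap-port: 636
ldap-encryption-method: ssl
# Users are looked up beneath this base DN by the attribute named below.
ldap-user-base-dn: ou=people,dc=example,dc=com
ldap-username-attribute: uid

# MySQL: holds connections, groups and permissions for the same usernames.
# Assumption: database guacamole_db on db.example.com, owned by guacamole_user.
mysql-hostname: db.example.com
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: <database-password-placeholder>
```

The username typed at login must match both the LDAP entry's ldap-username-attribute value and the name of the database account, since that string is the only identity Guacamole compares across the two methods.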

Administering LDAP users within Guacamole

Rather than having to manually look up users within the LDAP directory, and then manually create those users within Guacamole, it is possible to set up administrative user accounts which can already see and manage available LDAP users. This streamlines the administrative process, reducing the number of users which must be manually created to one.

To see LDAP users within Guacamole’s administrative interface, one of the following tasks must be performed:

  1. An administrative user within the Guacamole database, such as the default “guacadmin” user, must be manually created within LDAP with the same username and with sufficient privileges to query all Guacamole users defined within LDAP.
  2. An administrative user must be manually created within Guacamole having the same username as an LDAP user with sufficient privileges to query all Guacamole users defined within LDAP.

Because a Guacamole user created as defined above would have access to LDAP users, database users, and database connections, all of this data will be unified within the same administrative interface within Guacamole. The user will be able to grant LDAP users access to connections within the database just as they would if only the database were in use.