GUACAMOLE-1406: Document missing LDAP parameters in Docker configuration reference.
necouchman committed Jan 24, 2022
1 parent 777c742 commit ae0040513446badff6e8532debf17e437fe960bf
Showing 1 changed file with 56 additions and 0 deletions.
@@ -597,6 +597,24 @@ accounts:
other extensions to define permissions. *If this property is omitted the
default of `(objectClass=*)` will be used.*

: The attribute or attributes which define the unique name of user groups in
the LDAP directory. Usually, and by default, this will simplify be "cn". If
your LDAP directory contains groups whose names are dictated by different
attributes, multiple attributes can be specified here, separated by

: The attribute which contains the members within all group objects in the
LDAP directory. Usually, and by default, this will simply be "member". If
your LDAP directory contains groups whose members are dictated by a
different attribute it can be specified, here.

: Specify whether the attribute defined in `LDAP_MEMBER_ATTRIBUTE` identifies
a group member by DN or usercode (user id). Valid values are "dn" (the
default, if not specified) or "uid".

: The DN (Distinguished Name) of the user to bind as when authenticating users
that are attempting to log in. If specified, Guacamole will query the LDAP
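Review bot: The group-name attribute entry contains a typo, 'this will simplify be "cn"', which should read 'this will simply be "cn"' to match the wording of the member attribute entry directly below it. In the member attribute entry, the comma in 'it can be specified, here' should be dropped. In the entry that refers to `LDAP_MEMBER_ATTRIBUTE`, 'usercode (user id)' is an unusual term for a value named "uid"; 'username (user ID)' would be clearer to someone deciding between "dn" and "uid".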
@@ -619,12 +637,50 @@ accounts:
by commas, but beware: *doing so requires that a search DN be provided with

: The attribute or attributes to retrieve from the LDAP directory for users
when they log in, with multiple attributes separated by commas. If specified,
the attributes listed are retrieved from each authenticated users and
dynamically applied to the parameters of that user's connections as
parameter tokens with the prefix `LDAP_`.

: The base of the DN for all Guacamole configurations. If omitted, the
configurations of Guacamole connections will simply not be queried from the
LDAP directory, and you will need to store them elsewhere, such as within a
MySQL or PostgreSQL database.

: Controls whether or not the LDAP connection follows (dereferences) aliases
as it searches the tree. Possible values for this property are "never"
(the default), so that aliases will never be followed, "searching", to
dereference during the search operations after the base object is located,
"finding", to dereference in order to locate the search base but not during
the actual search, and "always", to always dereference aliases.

: This option controls whether or not the LDAP module follows referrals when
processing search results. Referrals can be pointers to another part of the
current LDAP tree, or to a completely different tree altogether, hosted on
a different server and/or port. Valid options are "false" (the default),
which means that referrals will be ignored, or "true", where the client
will attempt to follow the referrals in order to continue the search. The
referral will be followed with the same credentials used to search the
initial tree.

: When LDAP referrals are enabled, this option controls how many hops the
LDAP client will follow before refusing to continue. The default is 5.

: The maximum number of search results that can be returned by a single LDAP
query. LDAP queries which exceed this number of results may fail. By default
the maximum number of results for a single LDAP query is 1000.

: The timeout, in seconds, of any single LDAP operation, after which the
operation will be aborted. The default is 30 seconds.

As documented in [](ldap-auth), Guacamole does support combining LDAP with a
MySQL or PostgreSQL database, and this can be configured with the Guacamole
Docker image, as well. Each of these authentication mechanisms is independently
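Review bot: The referral entry leaves an operational consequence implicit. It says referrals may point to 'a completely different tree altogether, hosted on a different server and/or port' and that 'The referral will be followed with the same credentials used to search the initial tree', so setting the option to "true" presents the search bind credentials to whichever server a referral names. Suggest adding a sentence stating this directly and advising that referrals be enabled only when every possible referral target is trusted. The same hunk's user attributes entry has a grammar slip, 'each authenticated users', which should be 'each authenticated user'. Since that entry says the retrieved values are applied to connection parameters as tokens with the prefix `LDAP_`, it would also help to note that the listed attributes should be ones whose directory values are controlled by administrators.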
