[jira] [Comment Edited] (GUACAMOLE-954) Add LDAP support for nested user groups

Wed, 25 Jun 2025 21:31:23 -0700 


    [ 
https://issues.apache.org/jira/browse/GUACAMOLE-954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17986278#comment-17986278
 ] 

nick edited comment on GUACAMOLE-954 at 6/26/25 4:23 AM:
---------------------------------------------------------

Just tested this in our setup, works for me too. Thanks [~stcbus]!
For what it's worth I tested under 1.5.4, not the latest version. I added the 
changes from your PR to [that version of 
guacamole-client|https://github.com/apache/guacamole-client/tree/212955c16c393c08f434f1def0ac12be36b09b2e]
 and built just the guacamole-auth-ldap extension and swapped out the .jar 
file. (and added ldap-nested-groups: true to guacamole.properties)

 


was (Author: JIRAUSER304754):
Just tested this in our setup, works for me too. Thanks [~stcbus]!
For what it's worth I tested under 1.5.4, not the latest version. I added the 
changes from your PR to [that version of 
guacamole-client|https://github.com/apache/guacamole-client/tree/212955c16c393c08f434f1def0ac12be36b09b2e]
 and built just the guacamole-auth-ldap extension and swapped out the .jar file.

 

> Add LDAP support for nested user groups
> ---------------------------------------
>
>                 Key: GUACAMOLE-954
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-954
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole-auth-ldap
>            Reporter: Nils
>            Priority: Minor
>
> As described below, the current LDAP support will query user group 
> membership, but only immediate membership. Unlike the database auth, nested 
> user groups are not supported. Support for nested user groups should be added.
> Note that while Active Directory supports a specific filter for retrieving 
> recursive group memberships, leveraging that would need to be done carefully. 
> Other LDAP servers may not support that filter, and an alternative, 
> standards-conforming mechanism would need to be used by default. If it is 
> possible to automatically detect that the LDAP server supports this, that 
> would be ideal. Another option might be to provide some mechanism for 
> overriding the filter that Guacamole will use to determine membership.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to