Posted to commits@guacamole.apache.org by mj...@apache.org on 2016/03/20 03:15:43 UTC

[33/50] incubator-guacamole-manual git commit: GUAC-1388: Document configuration and effect of RBAC for LDAP.

GUAC-1388: Document configuration and effect of RBAC for LDAP.


Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/commit/ae27e533
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/tree/ae27e533
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/diff/ae27e533

Branch: refs/heads/master
Commit: ae27e5339ce1b451d9ae0a439a94b0feb5bc63b9
Parents: 2bf5e66
Author: Michael Jumper <mi...@guac-dev.org>
Authored: Fri Jan 22 09:22:53 2016 -0800
Committer: Michael Jumper <mi...@guac-dev.org>
Committed: Fri Jan 22 09:22:53 2016 -0800

----------------------------------------------------------------------
 src/chapters/ldap-auth.xml | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-guacamole-manual/blob/ae27e533/src/chapters/ldap-auth.xml
----------------------------------------------------------------------
diff --git a/src/chapters/ldap-auth.xml b/src/chapters/ldap-auth.xml
index c04bace..92ebcb3 100644
--- a/src/chapters/ldap-auth.xml
+++ b/src/chapters/ldap-auth.xml
@@ -39,7 +39,7 @@
             Guacamole connection is represented within the directory as a special type of group:
                 <classname>guacConfigGroup</classname>. Attributes associated with the group define
             the protocol and parameters of the connection, and users are allowed access to the
-            connection only if they are members of that group.</para>
+            connection only if they are associated with that group.</para>
         <para>This architecture has a number of benefits:</para>
         <orderedlist>
             <listitem>
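Review bot: in the changed sentence, "associated with that group" replaces "members of that group" with a looser term that is not defined at this point in the chapter, so a reader cannot tell what kind of association grants access to a connection. Suggest naming the two mechanisms here as the later paragraph does, for example "only if they are members of that group, or members of a group associated with it", or adding a cross-reference to the section that explains the member and seeAlso attributes.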
@@ -112,9 +112,11 @@
             modifications to the LDAP schema are made through applying one of the provided schema
             files. These schema files define an additional object class,
                 <classname>guacConfigGroup</classname>, which contains all configuration information
-            for a particular connection, and can be associated with arbitrarily-many users. Only
-            users which are members of a connection's group will have access to that
-            connection.</para>
+            for a particular connection, and can be associated with arbitrarily-many users and
+            groups. Each connection defined by a <classname>guacConfigGroup</classname> will be
+            accessible only by users who are members of that group (specified with the
+                <property>member</property> attribute), or who are members of associated groups
+            (specified with the <property>seeAlso</property> attribute).</para>
         <important>
             <para>The instructions given for applying the Guacamole LDAP schema changes are specific
                 to OpenLDAP, but other LDAP implementations, including Active Directory, will have
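Review bot: the new sentence ending "(specified with the <property>seeAlso</property> attribute)" presents group-based access as unconditional, but the ldap-group-base-dn entry added later in this patch says seeAlso has no effect when that property is omitted. Suggest adding a short clause or cross-reference here so that an administrator who adds seeAlso values to a guacConfigGroup knows that ldap-group-base-dn must also be set for them to be honoured.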
@@ -355,8 +357,21 @@ dn: cn={4}guacConfigGroup,cn=schema,cn=config
                             in.</para>
                         <para>Each configuration is analogous to a connection. Within Guacamole's
                             LDAP support, each configuration functions as a group, having user
-                            members, where each member of a particular configuration group will have
-                            access to that configuration.</para>
+                            members (via the <property>member</property> attribute) and optionally
+                            group members (via the <property>seeAlso</property> attribute), where
+                            each member of a particular configuration group will have access to the
+                            connection defined by that configuration.</para>
+                    </listitem>
+                </varlistentry>
+                <varlistentry>
+                    <term><property>ldap-group-base-dn</property></term>
+                    <listitem>
+                        <para>The base of the DN for all groups that may be referenced within
+                            Guacamole configurations using the standard <property>seeAlso</property>
+                            attribute. All groups which will be used to control access to Guacamole
+                            configurations must be descendents of this base DN. <emphasis>If this
+                                property is omitted, the <property>seeAlso</property> attribute will
+                                have no effect on Guacamole configurations.</emphasis></para>
                     </listitem>
                 </varlistentry>
             </variablelist>
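Review bot: in the new ldap-group-base-dn entry, the emphasised sentence says seeAlso "will have no effect" when the property is omitted but does not say what access results. Suggest stating explicitly whether connections are then accessible only through the member attribute, so it is clear that the omission denies rather than grants access. The entry also does not say how a user's membership in a referenced group is determined (which attribute on the group entry is read), which an administrator needs in order to audit who can reach a connection. Spelling: "descendents" should be "descendants".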