
Can I deny an LDAP user access to Secure Global Desktop?

Once you have enabled the LDAP login authority, any LDAP user who can access a Secure Global Desktop server can log in to Secure Global Desktop. However, you may not want all LDAP users to have access to Secure Global Desktop.

The solution is to configure a search filter on the Secure Global Desktop server so that only users who have a required attribute value on their LDAP user object can log in to Secure Global Desktop. This requires extra configuration on the LDAP directory server and on the Secure Global Desktop server.

Note: You can't use this method to deny access to a user authenticated with the Active Directory login authority. This is because the Active Directory server is not used for authentication.

Configuring the attribute on the LDAP user object

For Secure Global Desktop to be able to apply a filter, it must be able to test for an attribute value on the user object in your LDAP directory server. You could use an attribute that already exists in your LDAP database or create a new attribute, for example an attribute called allowttalogin. This attribute must be set for all users in your organization.

Configuring an LDAP search filter on the Secure Global Desktop server

Once you have configured the LDAP user object attribute, you need to configure a search filter on the Secure Global Desktop server. The filter needs to test the LDAP attribute, to allow users to log in if they meet the condition(s).

To set a search filter:

  1. Use the tarantella stop command to stop the Secure Global Desktop server.
  2. Run the following command, quoting the filter so that the shell does not interpret the parentheses and ampersand:

    tarantella config edit --searchldapla.properties-searchFilter '(&({0}={1})(attribute_test))'

    For example:

    tarantella config edit --searchldapla.properties-searchFilter '(&({0}={1})(allowttalogin=true))'
  3. Use the tarantella start command to start the Secure Global Desktop server.

After you have restarted Secure Global Desktop, only users who match the search filter will be able to log in to Secure Global Desktop.
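A pre-check you can run before restarting the server, as an added example that is not part of the original guide: it reads an LDIF export of your user objects and reports which users the `(allowttalogin=true)` clause would admit, which it would reject, and which have no value set at all. The sample LDIF, the function names and the case-insensitive value comparison are assumptions made for illustration.

```python
# Constructed sample LDIF export (not real directory data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
allowttalogin: true

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
allowttalogin: false

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
allowTTALogin: TRUE
"""


def parse_ldif(text):
    """Parse plain 'attr: value' LDIF records (no base64 values or folded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            # LDAP attribute names are case-insensitive, so normalise them.
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def audit(entries, attribute="allowttalogin", required="true"):
    """Sort user DNs by how the extra filter clause would treat them."""
    report = {"allowed": [], "denied": [], "unset": []}
    for entry in entries:
        # Assumption: values are compared case-insensitively.
        values = [v.lower() for v in entry.get(attribute.lower(), [])]
        if required.lower() in values:
            report["allowed"].append(entry["dn"][0])
        elif values:
            report["denied"].append(entry["dn"][0])
        else:
            report["unset"].append(entry["dn"][0])  # also fails the filter
    return report


if __name__ == "__main__":
    for outcome, dns in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(outcome, dns)
```

Users listed under `unset` fail the filter just like those under `denied`, so review that list before you restart the server.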
