So, this is not a direct fix for passing the ${GUAC_PASSWORD} for LDAP only authentication, but I got two solutions that work.
- Just drop out the contents of the password field in the Guacamole configuration for the server. The user will be prompted for the password, but it is a simple solution that doesn't require additional configuration. In my experience, RDS connections with an RDS Gateway do **not** pick up the user's password input, and therefore this did not work for those connections.
- This solution still uses OIDC from Cloudron with LDAP from Cloudron to Active Directory. You can automatically pull the password for connecting to the RDP from a Keeper vault if configured. You can pull it from the user's individual vault, or from a central store of passwords (less than ideal, but workable for small operations / single user). You will need the Keeper extension and to configure it with the directions here https://guacamole.apache.org/doc/gug/vault.html. Once done, if you have a central store, you can use the parameter `${KEEPER_USER_PASSWORD}` in a Guacamole connection configuration to pull a secret from the Keeper vault, where the USER is the username provided to Cloudron, and is passed to Guacamole by the OIDC connection. If the credential is in the user's Keeper Vault, they can establish a token to pull from their own vault.