The current LDAP authentication module in Guacamole is very basic. It takes the username and appends the LDAP base DN to form the user's DN. This is not sufficient for a directory where users are scattered across multiple distinct OUs under the base DN.
The LDAP module should instead:
- Perform a search for the parameter which identifies the user (uid/samaccountname) under the ENTIRE subtree from the base DN
- Use just the uid/samaccountname to identify the user
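
The difference between the two lookups, as an added example that is not Guacamole's code: it compares direct DN derivation with a subtree search over a small in-memory directory. The base DN, the entries and all function names are constructed for illustration, and the search is a stand-in for a real SUBTREE-scope LDAP query.

```python
# Added example: in-memory stand-in for a directory; no LDAP server is contacted.
BASE_DN = "dc=example,dc=net"   # constructed base DN
USER_ATTR = "uid"               # assumption; "samaccountname" on Active Directory

# Constructed sample entries: users scattered across several OUs under BASE_DN.
DIRECTORY = {
    "uid=alice,ou=staff,dc=example,dc=net": {"uid": "alice"},
    "uid=bob,ou=contractors,ou=external,dc=example,dc=net": {"uid": "bob"},
    "uid=carol,ou=staff,dc=example,dc=net": {"uid": "carol"},
    "uid=carol,ou=contractors,ou=external,dc=example,dc=net": {"uid": "carol"},
    "uid=dave,dc=example,dc=net": {"uid": "dave"},
}

def derive_dn(username):
    """Direct mapping: only correct when the user sits directly under BASE_DN."""
    return f"{USER_ATTR}={username},{BASE_DN}"

def escape_filter_value(value):
    """RFC 4515 escaping so user input cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(username):
    """Filter a real client would send with a SUBTREE-scope search from BASE_DN."""
    return f"({USER_ATTR}={escape_filter_value(username)})"

def subtree_search(username):
    """Stand-in for the server evaluating build_filter(username) over the subtree.
    An escaped filter matches the literal value only, so equality models it."""
    suffix = "," + BASE_DN
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if dn.endswith(suffix)
                  and attrs.get(USER_ATTR, "").lower() == username.lower())

def resolve_dn(username):
    """Return the single DN to bind as, or None when absent or ambiguous."""
    matches = subtree_search(username)
    return matches[0] if len(matches) == 1 else None

if __name__ == "__main__":
    for name in ("dave", "bob", "carol", "*"):
        print(name, derive_dn(name) in DIRECTORY, build_filter(name), resolve_dn(name))
```

A search-based lookup has to refuse ambiguous results (here `carol` exists in two OUs) instead of binding to the first match, and the username has to be escaped before it is placed in the filter.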