Merge 1.5.2 changes back to master.
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
new file mode 100644
index 0000000..8408b31
--- /dev/null
+++ b/.github/workflows/pr-build.yml
@@ -0,0 +1,29 @@
+name: Pull request CI build
+
+# Run build for all pull requests
+on:
+  pull_request:
+
+# Limit to only one build for a given PR source branch at a time,
+# cancelling any in-progress builds
+concurrency:
+  group: guacamole-manual-pr-${{ github.head_ref }}
+  cancel-in-progress: true
+
+jobs:
+
+  docker_build:
+    name: Run docker build
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Build Docker container
+        shell: sh
+        run: |
+          docker build --pull --no-cache --force-rm .
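Review bot: the workflow has no top-level `permissions:` key, so the job runs with the repository's default `GITHUB_TOKEN` scope even though it only needs to read the source for `docker build`. Suggest adding `permissions:` with `contents: read` above `jobs:`. `uses: actions/checkout@v3` also tracks a movable tag; pinning it to a full commit SHA keeps the step reproducible. Separately, the concurrency group is keyed on `github.head_ref` alone, so two pull requests whose source branches share a name (for example from different forks) would cancel each other's builds; adding the pull request number to the group avoids that.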
diff --git a/Makefile b/Makefile
index f50e2bd..a7607d9 100644
--- a/Makefile
+++ b/Makefile
@@ -33,16 +33,16 @@
 	$(RM) -R build/
 
 # All files which the build depends on
-MD_FILES=$(shell find -path "./src/*" -name "*.md")
-RST_FILES=$(shell find -path "./src/*" -name "*.rst")
-PNG_FILES=$(shell find -path "./src/*" -name "*.png")
+MD_FILES=$(shell find "./src" -name "*.md")
+RST_FILES=$(shell find "./src" -name "*.rst")
+PNG_FILES=$(shell find "./src" -name "*.png")
 
 #
 # HTML manual build
 #
 
 html: build/html/index.html
-	
+
 build/html/index.html: $(PNG_FILES) $(RST_FILES) $(MD_FILES)
 	sphinx-build -b html -d build/doctrees src/ build/html
 
diff --git a/src/guacamole-docker.md b/src/guacamole-docker.md
index e587dfe..d804f6f 100644
--- a/src/guacamole-docker.md
+++ b/src/guacamole-docker.md
@@ -106,7 +106,12 @@
 
 Once the Guacamole image is running, Guacamole will be accessible at
 {samp}`http://{HOSTNAME}:8080/guacamole/`, where `HOSTNAME` is the hostname or
-address of the machine hosting Docker.
+address of the machine hosting Docker. To set the path Guacamole is accessible from,
+use the `WEBAPP_CONTEXT` environment variable:
+
+`WEBAPP_CONTEXT`
+: The path Guacamole should be accessible from. If set to `ROOT` Guacamole
+will accessible from {samp}`http://{HOSTNAME}:8080`.
 
 (guacamole-docker-config-via-env)=
 
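Review bot: in the new `WEBAPP_CONTEXT` definition, "Guacamole will accessible from" is missing "be". The `ROOT` example URL {samp}`http://{HOSTNAME}:8080` also drops the trailing slash that the `/guacamole/` form in the preceding sentence uses; making the two consistent would avoid confusion about the exact path.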
@@ -924,13 +929,13 @@
 ### Verifying the Guacamole install
 
 Once the Guacamole image is running, Guacamole should be accessible at
-{samp}`http://{HOSTNAME}:8080/guacamole/`, where `HOSTNAME` is the hostname or
-address of the machine hosting Docker, and you *should* see a login screen. If
-using MySQL or PostgreSQL, the database initialization scripts will have
-created a default administrative user called "`guacadmin`" with the password
-"`guacadmin`". *You should log in and change your password immediately.* If
-using LDAP, you should be able to log in as any valid user within your LDAP
-directory.
+{samp}`http://{HOSTNAME}:8080/guacamole/` (or the path you set with
+`WEBAPP_CONTEXT`), where `HOSTNAME` is the hostname or address of the machine
+hosting Docker, and you *should* see a login screen. If using MySQL or
+PostgreSQL, the database initialization scripts will have created a default
+administrative user called "`guacadmin`" with the password "`guacadmin`".
+*You should log in and change your password immediately.* If using LDAP, you
+should be able to log in as any valid user within your LDAP directory.
 
 If you cannot access Guacamole, or you do not see a login screen, check
 Docker's logs using the `docker logs` command to determine if something is
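Review bot: the default `guacadmin`/`guacadmin` credential warning in the rewrapped paragraph is still marked only by emphasis in the middle of a long run of sentences. Suggest moving "*You should log in and change your password immediately.*" into its own admonition so it is not missed, and linking the new "(or the path you set with `WEBAPP_CONTEXT`)" parenthetical to the definition of that variable.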
diff --git a/src/images/totp-group-config.png b/src/images/totp-group-config.png
new file mode 100644
index 0000000..0c5bf39
--- /dev/null
+++ b/src/images/totp-group-config.png
Binary files differ
diff --git a/src/images/totp-user-config.png b/src/images/totp-user-config.png
index 8b27154..f4d8ec5 100644
--- a/src/images/totp-user-config.png
+++ b/src/images/totp-user-config.png
Binary files differ
diff --git a/src/jdbc-auth.md b/src/jdbc-auth.md
index b9e6aae..0fa2ca8 100644
--- a/src/jdbc-auth.md
+++ b/src/jdbc-auth.md
@@ -580,6 +580,19 @@
 : The password to use to access the client certificate store, if one is
   required. By default no password will be used.
 
+`mysql-track-external-connection-history`
+: Whether connection history records should be created for connections not
+  defined in the database. By default, external connection history will be
+  tracked unless this is explicitly disabled by setting this to "false".
+
+`mysql-enforce-access-windows-for-active-sessions`
+: Whether time-based access windows should be enforced for active user sessions.
+  By default, users will be logged out when an access window closes, even if
+  they are currently logged in. To allow logged-in users to continue to use the
+  application after an access window closes, set this to "false". Users will
+  always be prevented from logging in outside of access windows regardless of
+  this setting.
+
 `mysql-batch-size`
 : Controls how many objects may be retrieved from the database in a single
   query. If more objects than this number are requested, retrieval of those
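Review bot: the `mysql-track-external-connection-history` entry does not say what an administrator gives up by setting it to "false". With it disabled, no history records exist for connections not defined in the database, which matters to anyone relying on connection history for auditing; a sentence stating that would help. Both new entries also describe the default only in prose, and stating the default value as "true" explicitly would make them easier to scan.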
@@ -665,6 +678,20 @@
   abort queries that take too long. A value of 0 (the default) means the
   timeout is disabled.
 
+<<<<<<< HEAD
+`postgresql-track-external-connection-history`
+: Whether connection history records should be created for connections not
+  defined in the database. By default, external connection history will be
+  tracked unless this is explicitly disabled by setting this to "false".
+
+`postgresql-enforce-access-windows-for-active-sessions`
+: Whether time-based access windows should be enforced for active user sessions.
+  By default, users will be logged out when an access window closes, even if
+  they are currently logged in. To allow logged-in users to continue to use the
+  application after an access window closes, set this to "false". Users will
+  always be prevented from logging in outside of access windows regardless of
+  this setting.
+=======
 `postgresql-batch-size`
 : Controls how many objects may be retrieved from the database in a single
   query. If more objects than this number are requested, retrieval of those
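Review bot: the added lines `<<<<<<< HEAD` and `=======` around the two new PostgreSQL properties are unresolved merge-conflict markers being committed into `src/jdbc-auth.md`, and the matching `>>>>>>> staging/1.5.2` is added in the following hunk. They will render as literal text inside the PostgreSQL tab. Resolve the conflict by keeping both the new properties and `postgresql-batch-size`, and delete all three marker lines.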
@@ -672,6 +699,7 @@
   queries.
 
   By default, PostgreSQL queries will retrieve no more than 5000 objects.
+>>>>>>> staging/1.5.2
 :::
 
 :::{tab} SQL Server
@@ -704,6 +732,20 @@
   the SQL Server installation. This property is optional, and most installations
   should work without the need to specify an instance name.
 
+<<<<<<< HEAD
+`sqlserver-track-external-connection-history`
+: Whether connection history records should be created for connections not
+  defined in the database. By default, external connection history will be
+  tracked unless this is explicitly disabled by setting this to "false".
+
+`sqlserver-enforce-access-windows-for-active-sessions`
+: Whether time-based access windows should be enforced for active user sessions.
+  By default, users will be logged out when an access window closes, even if
+  they are currently logged in. To allow logged-in users to continue to use the
+  application after an access window closes, set this to "false". Users will
+  always be prevented from logging in outside of access windows regardless of
+  this setting.
+=======
 `sqlserver-batch-size`
 : Controls how many objects may be retrieved from the database in a single
   query. If more objects than this number are requested, retrieval of those
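Review bot: the same leftover conflict markers appear in the SQL Server tab: `<<<<<<< HEAD` before `sqlserver-track-external-connection-history` and `=======` before `sqlserver-batch-size`, closed by `>>>>>>> staging/1.5.2` in the next hunk. Remove them here as well. A check in the pull request build for lines starting with `<<<<<<<` or `>>>>>>>` would catch this class of mistake before merge.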
@@ -711,6 +753,7 @@
   queries.
 
   By default, SQL Server queries will retrieve no more than 1000 objects.
+>>>>>>> staging/1.5.2
 :::
 
 #### Enforcing password policies
diff --git a/src/totp-auth.md b/src/totp-auth.md
index 188201d..c83aaea 100644
--- a/src/totp-auth.md
+++ b/src/totp-auth.md
@@ -90,8 +90,26 @@
 save the user configuration, and the user will be presented with the QR code
 at next login and asked to confirm it.
 
+(totp-disable-user-group)=
+
+### Disabling TOTP for users or groups
+
+In versions of Guacamole prior to 1.6.0, installing and configuring the TOTP
+module meant that all Guacamole users would be required to enroll in and
+successfully authenticate via the TOTP factor. Starting with 1.6.0 the TOTP
+requirement can be disabled on a per-user or per-group basis, allowing
+administrators more flexibility in configuring the TOTP requirement.
+
+By default all users will still be required to authenticate with TOTP,
+however the requirement can be disabled by checking the "Disable TOTP"
+checkbox. This can be done for an individual user account, but it can
+also be disabled for a group resulting the TOTP requirement being
+disabled for any members of the group.
+
 ![](images/totp-user-config.png)
 
+![](images/totp-group-config.png)
+
 (totp-downloading)=
 
 Downloading the TOTP extension
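Review bot: the new "Disabling TOTP for users or groups" section does not say how the setting resolves when a user belongs to several groups, or when the user-level and group-level settings differ. Since one checked "Disable TOTP" box on a group removes the second factor for every member, the precedence should be documented. In the same paragraph, "resulting the TOTP requirement being disabled" is missing "in". The two screenshots are placed back to back with empty alt text (`![](images/totp-group-config.png)`); a short description on each would make clear which shows the user form and which the group form.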