It is possible to manage users/connections in a simple flat file (/etc/guacamole/user-mapping.xml), or to configure Guacamole to use an SQL database for configuration, but I want to centrally manage all users/connections in the FreeIPA LDAP directory. Note that with the database solution all configuration options are available in the HTML5 web interface, whereas this setup requires every setting to be made in LDAP, which is more of a hassle if you change the setup frequently.
Clone the CentOS 7 template and set IP+hostname.
Install the guacamole server packages and plugins/libs:
yum install -y guacd libguac-client-ssh libguac-client-vnc libguac-client-rdp dejavu-sans-mono-fonts wget tomcat freerdp-plugins
Create the guacamole client app directory:
mkdir -p /etc/guacamole/extensions
Fetch the client WAR and the LDAP extension (and install it as the ROOT Tomcat app - I know I'm cheating!):
wget 'http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/binary/guacamole-1.0.0.war' -O /etc/guacamole/guacamole.war
wget 'http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/binary/guacamole-auth-ldap-1.0.0.tar.gz' -O /etc/guacamole/guacamole-auth-ldap-1.0.0.tar.gz
tar xf /etc/guacamole/guacamole-auth-ldap-1.0.0.tar.gz -C /etc/guacamole/
cp /etc/guacamole/guacamole-auth-ldap-1.0.0/guacamole-auth-ldap-1.0.0.jar /etc/guacamole/extensions/
rm -rf /etc/guacamole/guacamole-auth-ldap-1.0.0/
cp /etc/guacamole/guacamole.war /var/lib/tomcat/webapps/ROOT.war
Create the optional screen recording folder:
mkdir -p /etc/guacamole/rec/
chown guacd:guacd /etc/guacamole/rec
Edit/create /etc/guacamole/guacamole.properties to point to the LDAP server and configure the user base DN:
# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
# LDAP properties
ldap-hostname: freeipa.lan.example.com
ldap-port: 389
ldap-user-base-dn: cn=users,cn=accounts,dc=lan,dc=example,dc=com
ldap-config-base-dn: cn=groups,cn=accounts,dc=lan,dc=example,dc=com
Open the firewall to allow connections in on tcp/8080:
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --reload
Enable and restart the services to pick up the changes:
systemctl enable guacd ; systemctl restart guacd
systemctl enable tomcat ; systemctl restart tomcat
This will only work after FreeIPA is configured to handle Guacamole connections. As in the FreeIPA article, you can import .ldif files into FreeIPA from the command line. Save the following as win-connection.ldif, adjust it to fit your domain, and make sure the gid is unique. Change the values to fit your needs.
#*********** create connection profile group ********
dn: cn=guac-wingaming,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
changetype: add
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: guacConfigGroup
objectClass: ipaobject
objectClass: ipausergroup
guacConfigProtocol: rdp
guacConfigParameter: ignore-cert=true
guacConfigParameter: disable-auth=true
guacConfigParameter: security=tls
guacConfigParameter: hostname=10.0.5.90
guacConfigParameter: port=3389
guacConfigParameter: recording-path=/etc/guacamole/rec
guacConfigParameter: create-recording-path=true
guacConfigParameter: recording-name=guac-wingaming
cn: guac-wingaming
gidNumber: 1838600118
Also add an SSH profile for a management server that you'll have access to from outside - ssh-mgmt-connection.ldif:
#*********** create connection profile group ********
dn: cn=guac-ssh-mgmt,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
changetype: add
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: guacConfigGroup
objectClass: ipaobject
objectClass: ipausergroup
guacConfigProtocol: ssh
guacConfigParameter: hostname=10.0.5.31
guacConfigParameter: port=22
#guacConfigParameter: recording-path=/etc/guacamole/rec
#guacConfigParameter: create-recording-path=true
#guacConfigParameter: recording-name=guac-ssh-mgmt
cn: guac-ssh-mgmt
gidNumber: 1838600121
Example of a VNC profile for an Ubuntu server, saved as vnc-ubuntu-connection.ldif (see the notes below if Ubuntu VNC is unstable):
#*********** create connection profile group ********
dn: cn=guac-vnc-ubuntu,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
changetype: add
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
objectClass: guacConfigGroup
objectClass: ipaobject
objectClass: ipausergroup
guacConfigProtocol: vnc
guacConfigParameter: hostname=10.0.5.39
guacConfigParameter: port=5900
guacConfigParameter: password=password-used
guacConfigParameter: recording-path=/etc/guacamole/rec
guacConfigParameter: create-recording-path=true
guacConfigParameter: recording-name=guac-vnc-ubuntu
cn: guac-vnc-ubuntu
gidNumber: 1838600119
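Before importing, it helps to lint the profile files: the guide asks for a unique gid, and the RDP parameters ignore-cert=true and disable-auth=true, as well as a VNC password= parameter stored in the group entry, are the settings worth a second look. The following Python checker is an added example, not part of this guide or of Guacamole; it parses the LDIF format shown above and runs on a constructed sample built from the same attributes.

```python
REQUIRED_CLASSES = {"posixGroup", "groupOfUniqueNames", "guacConfigGroup", "ipaobject", "ipausergroup"}
RISKY = {"ignore-cert=true": "target certificate is not validated",  # weakens the Guacamole -> target hop
         "disable-auth=true": "RDP authentication is disabled"}
def parse_ldif(text):
    """Split LDIF into records: one dict of attribute -> [values] per record."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                key, _, val = line.partition(":")
                rec.setdefault(key.strip(), []).append(val.strip())
        records.append(rec)
    return records
def lint_profiles(records):
    """Return (cn, message) findings; an empty list means the profiles look sane."""
    findings, gids = [], {}
    for r in records:
        cn = r.get("cn", ["?"])[0]
        missing = REQUIRED_CLASSES - set(r.get("objectClass", []))
        if missing:
            findings.append((cn, "missing objectClass " + ",".join(sorted(missing))))
        for p in r.get("guacConfigParameter", []):
            if p in RISKY:
                findings.append((cn, p + ": " + RISKY[p]))
            elif p.startswith("password="):
                findings.append((cn, "cleartext password stored in the group entry"))
        gid = r.get("gidNumber", [None])[0]
        if gid in gids:  # FreeIPA needs a unique gidNumber per group
            findings.append((cn, "gidNumber %s already used by %s" % (gid, gids[gid])))
        gids.setdefault(gid, cn)
    return findings
# Constructed sample modelled on the profiles above: a risky RDP parameter, a VNC password, a reused gid.
CLASSES = "\n".join("objectClass: " + c for c in ["top"] + sorted(REQUIRED_CLASSES))
SAMPLE = f"""dn: cn=guac-win,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
{CLASSES}
guacConfigProtocol: rdp
guacConfigParameter: ignore-cert=true
guacConfigParameter: hostname=10.0.5.90
cn: guac-win
gidNumber: 1838600118

dn: cn=guac-vnc,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
{CLASSES}
guacConfigProtocol: vnc
guacConfigParameter: hostname=10.0.5.39
guacConfigParameter: password=password-used
cn: guac-vnc
gidNumber: 1838600118
"""
```

Run it as `python3 -c 'import lint; print(lint.lint_profiles(lint.parse_ldif(open("win-connection.ldif").read())))'` (file name assumed) against your real files before the ldapadd step.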
Import them after adjusting the realm and target machines:
ldapadd -x -D "cn=Directory Manager" -W -f win-connection.ldif
ldapadd -x -D "cn=Directory Manager" -W -f ssh-mgmt-connection.ldif
ldapadd -x -D "cn=Directory Manager" -W -f vnc-ubuntu-connection.ldif
Now log on with a user that is a member of the guacamoleusers, guac-wingaming and guac-ssh-mgmt groups:
http://guacamole.lan.example.com:8080
The main idea with this Guacamole setup is to use it for access from the outside. To change an existing profile later, use a modify LDIF against the group entry rather than re-adding it, for example:
#replace specific hostname attribute
dn: cn=guac-vnc-ubuntu,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
changetype: modify
delete: guacConfigParameter
guacConfigParameter: hostname=10.0.5.31
-
add: guacConfigParameter
guacConfigParameter: hostname=10.0.5.23
#Add missing guac password attribute
dn: cn=guac-vnc-ubuntu,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
changetype: modify
add: guacConfigParameter
guacConfigParameter: password=pass
Enable WAF:
Log on to Sophos UTM
Webserver Protection -> Certificate Management -> Advanced -> Allow Let's Encrypt certificates and enable.
Wait a minute or two.
Webserver Protection -> Certificate Management -> New Certificate
Select method: Let's Encrypt, interface: WAN, and type in the subdomain you'll access Guacamole from externally, e.g. guacamole.example.com. Note that the lan subdomain is not included.
Wait a minute or two while the cert is issued from Let's Encrypt.
Webserver Protection -> Web Application Firewall -> Virtual Webservers -> New Virtual Webserver...
Name the webserver, select the WAN interface, encrypted HTTPS, port 443 and the appropriate LE certificate that we just created.
Add a Real Webserver for the root path with the Guacamole host definition, plaintext HTTP and port 8080, and save. Tick the checkbox for the real webserver, select no firewall profile and press OK.
Toggle the status to enabled.
CentOS 7.7 updates FreeRDP to version 2.0, making the current Guacamole release incompatible with the RDP plugin. This results in a yum dependency error. A workaround is to install an old version of freerdp-devel from the 7.6 repos and hold it back. The following instructions are from the bug tracker comments: https://issues.apache.org/jira/browse/GUACAMOLE-249
Note that the yum.conf exclusion must be removed as soon as the updated Guacamole can work with FreeRDP v2, as FreeRDP won't receive any security patches until then.
Hatz added a comment - 20/Sep/19 18:01 - edited
@ Gogo: I found this solution:
Uninstall freerdp-devel and freerdp-libs
Activate the old base-repo of 7.6 (in '/etc/yum.repos.d/CentOS-Vault.repo')
Install the 'old' freerdp (yum install freerdp-devel-1.0.2-15.el7)
Deactivate the 7.6 base-repo
Add 'exclude=freerdp*' to /etc/yum.conf.
Afterwards freerdp will not be updated anymore, and you can wait until a new version of guacamole including freerdp-2.0 support is ready.
In Ubuntu 18.04 and 19.04 I am experiencing frequent disconnects (anywhere from 10-second to 5-minute intervals) when using Ubuntu's built-in Vino VNC server. Removing vino and replacing it with x11vnc solves this.