Guacamole Package?

Quite a bit has been changed and improved since 0.8.4.

https://sourceforge.net/p/guacamole/news/

1 Like

I can't find the guacamole package on epel, any hint? Already installed other rpms

this?
https://dl.fedoraproject.org/pub/epel/7/x86_64/g/guacamole-0.8.4-1.el7.noarch.rpm

1 Like

if you want to try guacamole 0.9.9 on Centos 6/7:

yum install -y wget
wget http://sourceforge.net/projects/guacamoleinstallscript/files/CentOS/guacamole-install-script.sh
chmod +x guacamole-install-script.sh
./guacamole-install-script.sh

Follow the wizard and then go to:
https://host/guacamole

More info on the Guacamole Install Script page

Task of this script:
Install Packages Dependencies
Download Guacamole and MySQL Connector packages
Install Guacamole Server
Install Guacamole Client
Install MySQL Connector
Configure MariaDB or MySQL
Setting Tomcat Server
Generates a Java KeyStore for SSL Support
Install and Setting Nginx Proxy (SPDY enabled)
Generates a Self-Signed Certificate for SSL Support
Configure SELinux for Nginx Proxy
Configure FirewallD or iptables
2 Likes

Not sure if this was already posted somewhere on these boards, but I would like to point out it is possible to have a little basic rebranding of the login page by editing a few files in a .jar guacamole extension file and having tomcat load it

This was tested on Guacamole 0.9.9 installed on NS 6.8

Credits go to Justine Arendt from https://sourceforge.net/p/guacamole/discussion/1110834/thread/be2a6785/

Download the generic-customize-extension.jar from the post above

Open it with 7zip

Edit the files inside to fit your needs

Image files in \web\images\ edit the background and logo images on login page

CSS file for login page is in \web\ folder

Files in \translations\ folder change text above user/pwd boxes

Place the jar file into /var/lib/guacamole/extensions/

service tomcat restart

2 Likes

Very useful, thanks for sharing! :+1:

Is anyone interested in making some tests with this package?
@Adam @jackyes @Ctek @Hunv @enzo @edi @dz00te

1 Like

I am!
I installed guacamole incubating 0.9.10 a few days ago on NS 6* as they have an RC posted in the mailing list

The latest version adds desktop sharing with outsiders with temporary links, screen recording, improved ctrl-c ctrl-v and some more
http://guacamole.incubator.apache.org/releases/0.9.10-incubating/

really neat :smiley:

how can we test it?

Edit: just came to mind, i couldn't install on NS 7 as i couldn't find one of the required packages to build guacamole with all functions, so i installed it on NS 6

4 Likes

I'm testing the LDAP connector on a test machine and it works on the openLDAP that Nethserver provides, users created from the web ui of NS can login to Guacamole, but only if i enable anonymous bind on the LDAP with

perl -MNethServer::Directory -e '$l = NethServer::Directory->new(); $l->enforceAccessDirective("by anonymous read", "*");'

i couldn't find a way to read the LDAP from guac otherwise...

Any tip on browsing the LDAP without anon access? Or is that OK?

Following http://docs.nethserver.org/projects/nethserver-devel/en/latest/directory.html i understand i should maybe use service account, but how exactly? Any hints?

Also, since guac uses an ldif to extend the ldap schema, i then use ldapadd to add users and their custom attributes, which password should i use to write tho?

3 Likes

From what I understood you have two users who can bind the ldap directory.

ldapservice -> only read access
libuser -> write access restricted to the localhost

all passwords can be found in /var/lib/nethserver/secrets/

in guac you need to give a user with its password

1 Like

Guacamole is also one of those edu applications that could make NS7 the perfect edu server. So yes, please add it as a module... :slight_smile:
Maybe NetForge should get an edu chapter... :wink:

3 Likes

It would be great! Edu section :smiley:

Thank you, managed to get the BIND right and can now login to guac with both ldap and mysql users

I cannot however use ldapadd to add new connections for users to use, neither ldapservice nor libuser have enough rights to do that, or maybe i should adjust the ACL to permit write access to the new fields that were added with the expanded schema...

Creating an ldif file like ssh-host.ldif:

dn: cn=ssh-localhost,ou=Groups,dc=directory,dc=nh
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: ssh-localhost
guacConfigProtocol: ssh
guacConfigParameter: hostname=localhost
guacConfigParameter: port=222
member: cn=davide,ou=People,dc=directory,dc=nh

ldapadd -x -D cn=libuser,dc=directory,dc=nh -W -f ssh-host.ldif

Enter LDAP Password:
adding new entry "cn=ssh-localhost,ou=Groups,dc=directory,dc=nh"
ldap_add: Insufficient access (50)
additional info: no write access to parent

Although that is not mandatory, because guacamole uses both database backends at the same time, it can authenticate against ldap, and use mysql to store users connection data, just needs an account with the same name to exist there and everything seems to work

1 Like

@davidep is a better interlocutor than me to speak about ldap, but I guess it is not a good idea to write information in ldap, it is here to store really sensitive information. The idea to store guac information in a mysql database sounds better.

Bumping this to let everyone know Guacamole 0.9.10-Incubating is now officially out, this is the first release since it was added to apache incubator

https://guacamole.incubator.apache.org/releases/0.9.10-incubating/

Cheers!

4 Likes

I'd like to add this amazing module to NethServer. How can we start? Any volunteer?
I can offer a prize :beers:
@Adam @jackyes @edi @Ctek @sitz @Hunv @dz00te @edi

4 Likes

I should have a working howto for Guacamole 0.9.10 on NS7, which is pretty much the same as the one posted by Adam plus other things to use its latest features and Letsencrypt

Would that be useful to start?

7 Likes

Yes! It's time to do something...

@edi can you share your howto?

4 Likes

#Install guacamole on NS7

Install prerequisites

  • Install from GUI:
    OpenLDAP
    Firewall Base
    MariaDB (MySQL)
    Reverse Proxy
    Web Server

Now from console

yum update

Install needed packages, you can remove some of them based on the features you want enabled on guacamole, http://guacamole.incubator.apache.org/doc/0.9.10-incubating/gug/installing-guacamole.html

yum install cairo-devel libjpeg-devel uuid-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel libvorbis-devel libwebp-devel nethserver-tomcat gcc

  • ffmpeg is not found in EPEL, I got it from nux dextop repo...

rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm

  • Disable the repo to avoid unintentional updates from it

vi /etc/yum.repos.d/nux-dextop.repo
Set enabled=0 and save

  • Install ffmpeg

yum install --enablerepo=nux-dextop ffmpeg ffmpeg-devel

#Get guacamole and related parts

cd /opt/

Place here:
- guacamole-server-0.9.10-incubating.tar.gz
- guacamole-0.9.10-incubating.war
- guacamole-auth-jdbc-0.9.10-incubating.tar.gz
- mysql-connector-java-5.1.38.tar.gz

You can get the server parts from https://guacamole.incubator.apache.org/releases/0.9.10-incubating/ and the java connector from https://dev.mysql.com/downloads/connector/j/

tar -xzf guacamole-server-0.9.10-incubating.tar.gz

mv guacamole-server-0.9.10-incubating guacamole

rm guacamole-server-0.9.10-incubating.tar.gz

cd guacamole

./configure --with-init-dir=/etc/init.d

make

make install

ldconfig

mkdir -p /var/lib/guacamole && mv /opt/guacamole-0.9.10-incubating.war /var/lib/guacamole/guacamole.war

ln -s /var/lib/guacamole/guacamole.war /var/lib/tomcat/webapps/

rm -rf /usr/lib64/freerdp/guacdr.so

ln -s /usr/local/lib/freerdp/guacdr.so /usr/lib64/freerdp/

mkdir ~/guacamole && cd ~/guacamole 

mv /opt/guacamole-auth-jdbc-0.9.10-incubating.tar.gz ~/guacamole/guacamole-auth-jdbc-0.9.10-incubating.tar.gz

mv /opt/mysql-connector-java-5.1.38.tar.gz ~/guacamole/mysql-connector-java-5.1.38.tar.gz

mkdir -p /usr/share/tomcat/.guacamole/{extensions,lib}

tar -zxf guacamole-auth-jdbc-0.9.10-incubating.tar.gz

tar -zxf mysql-connector-java-5.1.38.tar.gz

tar -zxvf guacamole-auth-ldap-0.9.10-incubating.tar.gz

mv guacamole-auth-jdbc-0.9.10-incubating/mysql/guacamole-auth-jdbc-mysql-0.9.10-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-jdbc-mysql.jar

mv mysql-connector-java-5.1.38/mysql-connector-java-5.1.38-bin.jar /usr/share/tomcat/.guacamole/lib/

mv guacamole-auth-ldap-0.9.10-incubating/guacamole-auth-ldap-0.9.10-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-ldap.jar

  • Enter mysql CLI and setup DB and user

mysql

create database guacdb;

create user 'guacuser'@'localhost' identified by 'guacDBpass';
MODIFY THESE CREDENTIALS TO SOMETHING SECURE

grant all privileges on guacdb.* to 'guacuser'@'localhost';

flush privileges;

quit

If you need the mysql password:
cat /var/lib/nethserver/secrets/mysql

    cd ~/guacamole/guacamole-auth-jdbc-0.9.10-incubating/mysql/schema/

    cat ./*.sql | mysql -u root -p guacdb

  • Edit guacamole main configuration file

mkdir -p /etc/guacamole/ && vi /etc/guacamole/guacamole.properties

    # Comments must be on their own line: in a properties file, text after
    # a '#' that follows a value is read as part of that value.

    # MySQL properties
    mysql-hostname: localhost
    mysql-port: 3306
    mysql-database: guacdb
    # Username and password taken from the mysql user set earlier
    mysql-username: guacuser
    mysql-password: guacDBpass

    # LDAP properties
    ldap-hostname: localhost
    ldap-encryption-method: starttls
    ldap-search-bind-dn: cn=ldapservice,dc=directory,dc=nh
    # Password taken from /var/lib/nethserver/secrets/ldapservice
    ldap-search-bind-password: xxxxxxxxxxxxxxxx
    ldap-user-base-dn: dc=directory,dc=nh

ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat/.guacamole/

cd ~ && rm -rf guacamole*

Setup the reverse proxy

vi /etc/httpd/conf.d/guacamole_reverse.conf

    SSLProxyEngine on
    # ProxyPass: guacamole
    # Description:
    # The WebSocket tunnel is mapped first and on its own path:
    # ProxyPass uses the first rule that matches the request.
    ProxyPass /path/to/guacamole/websocket-tunnel ws://FQDN:8080/guacamole/websocket-tunnel
    ProxyPassReverse /path/to/guacamole/websocket-tunnel ws://FQDN:8080/guacamole/websocket-tunnel

    ProxyPass /path/to/guacamole/ http://FQDN:8080/guacamole/ flushpackets=on
    ProxyPassReverse /path/to/guacamole/ http://FQDN:8080/guacamole/

    <Location />
        SSLRequireSSL
    </Location>

#Start services

systemctl enable tomcat.service
chkconfig guacd on
systemctl restart tomcat.service
systemctl start guacd.service
systemctl restart httpd.service

#Use it
Guacamole should be now accessible from the path you chose in the reverse proxy conf file on https (httpd) or FQDN:8080 over http (tomcat)

To use its new copy-paste feature, this extension is needed on chrome, it works like a charm !

9 Likes
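
An added check for the guacamole.properties file from the how-to above (not part of the original post or of Guacamole). It flags a world-readable file, because the file holds the database and LDAP bind passwords in plaintext, text after a `#` on a value line, the how-to's sample passwords, and `ldap-encryption-method: none`. The function name `audit_guac_properties` and the sample file are constructed for illustration.

```shell
# Added example, not part of the original how-to. audit_guac_properties is a
# hypothetical helper; the placeholder strings it looks for (guacDBpass, a run
# of "x") are the sample values shown in the post above.
audit_guac_properties() {
    file=$1; findings=0; n=0
    # The file stores the DB and LDAP bind passwords in plaintext.
    mode=$(stat -c '%a' "$file")
    case $mode in
        *[4567]) echo "PERM: mode $mode lets any local user read the passwords"
                 findings=$((findings + 1)) ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line#"${line%%[![:space:]]*}"}          # drop leading whitespace
        case $line in ''|'#'*|'!'*) continue ;; esac    # blank or comment line
        key=${line%%[:=]*}; key=${key%%[[:space:]]*}
        value=${line#*[:=]}; value=${value#"${value%%[![:space:]]*}"}
        # '#' only starts a comment at the beginning of a line.
        case $value in
            *[[:space:]]'#'*) echo "INLINE-COMMENT line $n: '#...' is read as part of $key"
                              findings=$((findings + 1)) ;;
        esac
        case $key in
            *password*)
                case $value in
                    guacDBpass*|xxxx*) echo "PLACEHOLDER line $n: $key has a sample value"
                                       findings=$((findings + 1)) ;;
                esac ;;
            ldap-encryption-method)
                case $value in
                    none*) echo "CLEARTEXT-LDAP line $n: bind password sent unencrypted"
                           findings=$((findings + 1)) ;;
                esac ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Constructed sample file (not a real configuration).
sample=$(mktemp)
cat > "$sample" <<'EOF'
mysql-username: guacuser #Taken from mysql user set earlier
mysql-password: guacDBpass
ldap-encryption-method: none
ldap-search-bind-password: constructed-example-value
EOF
chmod 644 "$sample"
audit_guac_properties "$sample" || echo "fix the findings above before starting tomcat"
```

On a real host, point the function at /etc/guacamole/guacamole.properties; the file only needs to be readable by root and the account Tomcat runs as.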

Great Job!