Quite a bit has been changed and improved since 0.8.4.
I can't find the guacamole package on epel, any hint? Already installed other rpms
If you want to try guacamole 0.9.9 on CentOS 6/7:
yum install -y wget
wget http://sourceforge.net/projects/guacamoleinstallscript/files/CentOS/guacamole-install-script.sh
chmod +x guacamole-install-script.sh
./guacamole-install-script.sh
Follow the wizard and then go to:
https://host/guacamole
More info on the Guacamole Install Script page
Tasks of this script:
Install Packages Dependencies
Download Guacamole and MySQL Connector packages
Install Guacamole Server
Install Guacamole Client
Install MySQL Connector
Configure MariaDB or MySQL
Setting Tomcat Server
Generates a Java KeyStore for SSL Support
Install and Setting Nginx Proxy (SPDY enabled)
Generates a Self-Signed Certificate for SSL Support
Configure SELinux for Nginx Proxy
Configure FirewallD or iptables
Not sure if this was already posted somewhere on these boards, but I would like to point out it is possible to have a little basic rebranding of the login page by editing a few files in a .jar guacamole extension file and having tomcat load it
This was tested on Guacamole 0.9.9 installed on NS 6.8
Credits go to Justine Arendt from https://sourceforge.net/p/guacamole/discussion/1110834/thread/be2a6785/
Download the generic-customize-extension.jar from the post above
Open it with 7zip
Edit the files inside to fit your needs
Image files in \web\images\ edit the background and logo images on login page
CSS file for login page is in \web\ folder
Files in \translations\ folder change the text above user/pwd boxes
Place the jar file into /var/lib/guacamole/extensions/
service tomcat restart
Very useful, thanks for sharing!
Is anyone interested in making some tests with this package?
@Adam @jackyes @Ctek @Hunv @enzo@edi @dz00te
I am!
I installed guacamole incubating 0.9.10 a few days ago on NS 6* as they have a RC posted in the mailing list
The latest version adds desktop sharing with outsiders with temporary links, screen recording, improved ctrl-c ctrl-v and some more
http://guacamole.incubator.apache.org/releases/0.9.10-incubating/
really neat
how can we test it?
Edit: just came to mind, i couldn't install on NS 7 as i couldn't find one of the required package to build guacamole with all functions, so i installed it on NS 6
I'm testing the LDAP connector on a test machine and it works on the openLDAP that Nethserver provides, users created from the web ui of NS can login to Guacamole, but only if i enable anonymous bind on the LDAP with
perl -MNethServer::Directory -e '$l = NethServer::Directory->new(); $l->enforceAccessDirective("by anonymous read", "*");'
i couldn't find a way to read the LDAP from guac otherwise…
Any tip on browsing the LDAP without anon access? Or is that OK?
Following http://docs.nethserver.org/projects/nethserver-devel/en/latest/directory.html i understand i should maybe use service account, but how exactly? Any hints?
Also, since guac uses an ldif to extend the ldap schema, i then use ldapadd to add users and their custom attributes, which password should i use to write tho?
For what I understood you have two users who can bind the ldap directory.
ldapservice -> only read access
libuser -> write access restricted to the localhost
all passwords can be found in /var/lib/nethserver/secrets/
in guac you need to give a user with its password
Guacamole is also one of those edu applications that could make NS7 the perfect edu server. So yes, please add it as a module…
Maybe NetForge should get an edu chapter…
It would be great! Edu section
Thank you, managed to get the BIND right and can now login to guac with both ldap and mysql users
I cannot however use ldapadd to add new connections for users to use, neither ldapservice nor libuser have enough rights to do that, or maybe i should adjust the ACL to permit write access to the new fields that were added with the expanded schema…
Creating an ldif file like ssh-host.ldif:
dn: cn=ssh-localhost,ou=Groups,dc=directory,dc=nh
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: ssh-localhost
guacConfigProtocol: ssh
guacConfigParameter: hostname=localhost
guacConfigParameter: port=222
member: cn=davide,ou=People,dc=directory,dc=nh
ldapadd -x -D cn=libuser,dc=directory,dc=nh -W -f ssh-host.ldif
Enter LDAP Password:
adding new entry "cn=ssh-localhost,ou=Groups,dc=directory,dc=nh"
ldap_add: Insufficient access (50)
additional info: no write access to parent
Although that is not mandatory, because guacamole uses both database backends at the same time, it can authenticate against ldap, and use mysql to store users connection data, just needs an account with the same name to exist there and everything seems to work
@davidep is a better interlocutor than me to speak about ldap, but I guess it is not a good idea to write information in ldap, it is here to store really sensitive information. The idea to store guac information in a mysql database sounds better.
Bumping this to let everyone know Guacamole 0.9.10-Incubating is now officially out, this is the first release since it was added to apache incubator
https://guacamole.incubator.apache.org/releases/0.9.10-incubating/
Cheers!
I'd like to add this amazing module to NethServer. How can we start? Any volunteer?
I can offer a prize
@Adam @jackyes @edi @Ctek @sitz @Hunv @dz00te @edi
I should have a working howto for Guacamole 0.9.10 on NS7, which is pretty much the same as the one posted by Adam plus other things to use its latest features and Letsencrypt
Would that be useful to start?
#Install guacamole on NS7
Install prerequisites
- Install from GUI:
OpenLDAP
Firewall Base
MariaDB (MySQL)
Reverse Proxy
Web Server
Now from console
yum update
Install needed packages, you can remove some of them based on the features you want enabled on guacamole, http://guacamole.incubator.apache.org/doc/0.9.10-incubating/gug/installing-guacamole.html
yum install cairo-devel libjpeg-devel uuid-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel libvorbis-devel libwebp-devel nethserver-tomcat gcc
- ffmpeg is not found in EPEL, I got it from nux dextop repo…
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm
- Disable the repo to avoid unintentional updates from it
vi /etc/yum.repos.d/nux-dextop.repo
Set enabled=0 and save
- Install ffmpeg
yum install --enablerepo=nux-dextop ffmpeg ffmpeg-devel
#Get guacamole and related parts
cd /opt/
Place here:
- guacamole-server-0.9.10-incubating.tar.gz
- guacamole-0.9.10-incubating.war
- guacamole-auth-jdbc-0.9.10-incubating.tar.gz
- mysql-connector-java-5.1.38.tar.gz
You can get the server parts from https://guacamole.incubator.apache.org/releases/0.9.10-incubating/ and the java connector from https://dev.mysql.com/downloads/connector/j/
tar -xzf guacamole-server-0.9.10-incubating.tar.gz
mv guacamole-server-0.9.10-incubating guacamole
rm guacamole-server-0.9.10-incubating.tar.gz
cd guacamole
./configure --with-init-dir=/etc/init.d
make
make install
ldconfig
mkdir -p /var/lib/guacamole && mv /opt/guacamole-0.9.10-incubating.war /var/lib/guacamole/guacamole.war
ln -s /var/lib/guacamole/guacamole.war /var/lib/tomcat/webapps/
rm -rf /usr/lib64/freerdp/guacdr.so
ln -s /usr/local/lib/freerdp/guacdr.so /usr/lib64/freerdp/
mkdir ~/guacamole && cd ~/guacamole
mv /opt/guacamole-auth-jdbc-0.9.10-incubating.tar.gz ~/guacamole/guacamole-auth-jdbc-0.9.10-incubating.tar.gz
mv /opt/mysql-connector-java-5.1.38.tar.gz ~/guacamole/mysql-connector-java-5.1.38.tar.gz
mkdir -p /usr/share/tomcat/.guacamole/{extensions,lib}
tar -zxf guacamole-auth-jdbc-0.9.10-incubating.tar.gz
tar -zxf mysql-connector-java-5.1.38.tar.gz
tar -zxvf guacamole-auth-ldap-0.9.10-incubating.tar.gz
mv guacamole-auth-jdbc-0.9.10-incubating/mysql/guacamole-auth-jdbc-mysql-0.9.10-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-jdbc-mysql.jar
mv mysql-connector-java-5.1.38/mysql-connector-java-5.1.38-bin.jar /usr/share/tomcat/.guacamole/lib/
mv guacamole-auth-ldap-0.9.10-incubating/guacamole-auth-ldap-0.9.10-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-ldap.jar
- Enter mysql CLI and setup DB and user
mysql
create database guacdb;
create user 'guacuser'@'localhost' identified by 'guacDBpass';
MODIFY THESE CREDENTIALS TO SOMETHING SECURE
grant all privileges on guacdb.* to 'guacuser'@'localhost';
flush privileges;
quit
If you need the mysql password:
cat /var/lib/nethserver/secrets/mysql
cd ~/guacamole/guacamole-auth-jdbc-0.9.10-incubating/mysql/schema/
cat ./*.sql | mysql -u root -p guacdb
- Edit guacamole main configuration file
mkdir -p /etc/guacamole/ && vi /etc/guacamole/guacamole.properties
# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacdb
# Username and password taken from the mysql user set earlier
mysql-username: guacuser
mysql-password: guacDBpass
# LDAP properties
ldap-hostname: localhost
ldap-encryption-method: starttls
ldap-search-bind-dn: cn=ldapservice,dc=directory,dc=nh
# Taken from /var/lib/nethserver/secrets/ldapservice
ldap-search-bind-password: xxxxxxxxxxxxxxxx
ldap-user-base-dn: dc=directory,dc=nh
ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat/.guacamole/
cd ~ && rm -rf guacamole*
Setup the reverse proxy
vi /etc/httpd/conf.d/guacamole_reverse.conf
SSLProxyEngine on
# ProxyPass: guacamole
# Description:
ProxyPass /path/to/guacamole/ http://FQDN:8080/guacamole/ flushpackets=on
ProxyPassReverse /path/to/guacamole/ http://FQDN:8080/guacamole/
<Location />
SSLRequireSSL
</Location>
ProxyPass /path/to/guacamole/ ws://FQDN:8080/guacamole/websocket-tunnel
ProxyPassReverse /path/to/guacamole/ ws://FQDN:8080/guacamole/websocket-tunnel
<Location /websocket-tunnel>
</Location>
#Start services
systemctl enable tomcat.service
chkconfig guacd on
systemctl restart tomcat.service
systemctl start guacd.service
systemctl restart httpd.service
#Use it
Guacamole should be now accessible from the path you chose in the reverse proxy conf file on https (httpd) or FQDN:8080 over http (tomcat)
To use its new copy-paste feature, this extension is needed on chrome, it works like a charm !
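An added example, not part of the original post: a shell audit of a guacamole.properties file like the one in the howto above, covering the clear-text passwords it stores and the ldapservice/libuser distinction from the LDAP discussion earlier in the thread. The function names are hypothetical; the checks assume GNU stat and that Guacamole reads the file with Java's standard properties loader.

```shell
#!/bin/sh
# Added example (not from the thread): audit a guacamole.properties file.
# Prints one "FINDING: ..." line per problem and returns the number found.

# prop FILE KEY -> raw value of the first "key: value" line
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" | head -n 1
}

audit_guac_props() {
    f=$1; n=0
    finding() { echo "FINDING: $*"; n=$((n + 1)); }

    # The file holds the MySQL and LDAP bind passwords in clear text,
    # so no permission bits should be granted to "other".
    mode=$(stat -c '%a' "$f")   # GNU stat, as on CentOS/NethServer
    case $mode in *[1-7]) finding "mode $mode grants access to other users" ;; esac

    # Java's properties loader treats '#' as a comment only at line start;
    # in "key: value #note" the note becomes part of the value.
    if grep -Eq '^[[:space:]]*[a-z-]+[[:space:]]*[:=].*[[:space:]]#' "$f"; then
        finding "text after '#' on a value line is read as part of the value"
    fi

    # The howto's sample database password must be replaced.
    case "$(prop "$f" mysql-password)" in
        guacDBpass*) finding "mysql-password is the howto's sample value" ;;
    esac

    # LDAP: the read-only ldapservice account is enough for searching;
    # libuser has write access. Encryption is off unless requested.
    if [ -n "$(prop "$f" ldap-hostname)" ]; then
        case "$(prop "$f" ldap-search-bind-dn)" in
            cn=libuser,*) finding "search bind uses the write-capable libuser" ;;
        esac
        case "$(prop "$f" ldap-encryption-method)" in
            ssl*|starttls*) ;;
            *) finding "ldap-encryption-method is not ssl or starttls" ;;
        esac
    fi
    return "$n"
}

# Usage: audit_guac_props /etc/guacamole/guacamole.properties
```

A mode such as 0640 with owner root and group tomcat keeps the file readable by the servlet container while clearing the first finding.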
Great Job!