@royceb how did you install it on its own vhost?
I found that it does not work with the LDAP extension, as it needs an extension that is able to save data.
Another extension must be installed which supports storage of arbitrary data from other extensions. Currently the only extensions provided with Guacamole which support this kind of storage are the database authentication extensions.
https://guacamole.apache.org/doc/gug/totp-auth.html#totp-prerequisites
I think it's not on a vhost. Do you want to be able to run it on a vhost? I could add a switch, but I don't know if we can go without the /guacamole path.
I’ve read up on another similar setup using DUO as the tfa app. I am going to see if this is an easy integration with the current setup and if so I’ll be happy.
It's not that the TOTP auth doesn't work at all, but you need to add the users (group didn't work) to the database by clicking on the ones you'd like to use TOTP and setting "change own password" for that user.
I am afraid the Duo extension works the same way. From the docs:
Guacamole supports Duo as a second authentication factor
Last way I see is using LDAP instead of mariadb for saving guacamole information but I initially wanted to avoid it. It seems OpenLDAP is supported and for AD I found a PDF.
If we can have something like remote.server.tld but it adds /guacamole when a user visits, no problem with that.
In the example above I was using pfSense to handle my letsencrypt certificates renewal and reverse proxy because of how easy it is to implement.
If you want to do the same with a self-contained NS install, you need to do the following:
- Create an alias for your NS server/TLD (example: guacdemo.yourdomain.com)
- Create a LetsEncrypt certificate for your TLD (NOTE: you can request multiple aliases such as remote/nextcloud/guacdemo during this step)
- Install Reverse Proxy from the Software Center
- Create Reverse Proxy rule as desired.
I’ve gotten this to work for Zentyal 6.1 AD/SAMBA authentication.
The installer will gather most of the correct values for the LDAP connection in /etc/guacamole/guacamole.properties, but I run into problems here:

```
ldap-search-bind-dn: cn=ldapservice,cn=Users,DC=ad,DC=example,DC=com
```

What gets the Zentyal AD portion busted is that the installer auto-populates ldapservice, as NethServer uses it for its BIND DN, rather than what may actually be populated in that field (see picture).
Proposed solutions
The one I think is correct - have the installer read or input the correct BIND DN settings from the NethServer Account Provider into guacamole.properties rather than the hard-coded ldapservice account.
The one I did - created a new user ldapservice via LDAP Admin on my Zentyal AD/SAMBA domain. After that, I was able to log into the Guacamole page with my LDAP users/groups.
Thanks, I fixed it to use the right name, but I had to hardcode the "cn=Users" part to make it work.
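To show what "read the bind DN from the account provider instead of hard-coding ldapservice" looks like in practice, here is an added example (not the NethServer module's or Guacamole's own installer code). It composes the DN from a bind user name and base DN, escapes the user name per RFC 4514 so a name containing commas or equals signs cannot alter the DN structure, and rewrites the ldap-search-bind-dn line of a guacamole.properties text. The container `cn=Users`, the sample user `svc-guac`, and the sample properties text are constructed assumptions, not values from the thread.

```python
"""Derive ldap-search-bind-dn from account-provider values (added example).

Not the NethServer module's code. The 'cn=Users' container, the sample
properties text and the sample user name are constructed assumptions.
"""
import re

# Characters that must be backslash-escaped inside a DN attribute value
# (RFC 4514); '#' only when leading, ' ' only when leading or trailing.
_DN_SPECIALS = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value so it cannot inject extra RDN components."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_bind_dn(bind_user: str, base_dn: str, container: str = "cn=Users") -> str:
    """Compose cn=<user>,<container>,<base>. The container is an assumption."""
    return f"cn={escape_dn_value(bind_user)},{container},{base_dn}"


def is_hardcoded_default(properties: str, default_user: str = "ldapservice") -> bool:
    """True when ldap-search-bind-dn still points at the installer default."""
    m = re.search(r"^ldap-search-bind-dn\s*[:=]\s*cn=([^,]+)", properties, re.M | re.I)
    return bool(m) and m.group(1).strip().lower() == default_user


def patch_properties(properties: str, bind_dn: str) -> str:
    """Replace the ldap-search-bind-dn line, or append one if it is missing."""
    pattern = re.compile(r"^ldap-search-bind-dn\s*[:=].*$", re.MULTILINE)
    line = f"ldap-search-bind-dn: {bind_dn}"
    if pattern.search(properties):
        # lambda keeps backslashes in the DN from being treated as escapes
        return pattern.sub(lambda m: line, properties, count=1)
    sep = "" if properties.endswith("\n") or not properties else "\n"
    return properties + sep + line + "\n"


# Constructed sample of what the installer wrote (the problematic default).
SAMPLE_PROPERTIES = """\
ldap-hostname: ad.example.com
ldap-port: 636
ldap-encryption-method: ssl
ldap-user-base-dn: cn=Users,DC=ad,DC=example,DC=com
ldap-search-bind-dn: cn=ldapservice,cn=Users,DC=ad,DC=example,DC=com
ldap-search-bind-password: secret
"""

if __name__ == "__main__":
    dn = build_bind_dn("svc-guac", "DC=ad,DC=example,DC=com")
    print(patch_properties(SAMPLE_PROPERTIES, dn))
```

The escaping matters because the bind user name comes from an external account provider; without it, a name such as `svc,ou=Admins` would be spliced into the DN as an extra component.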
yum reinstall https://mrmarkuz.dynu.net/mirror/devtest/nethserver-guacamole-0.0.1-1.ns7.noarch.rpm
To uninstall you need to remove the mysql database (`drop database guacamole;`) and the package. You may use `yum autoremove nethserver-guacamole` carefully to remove dependencies too.
which other dependencies are implemented?
Guacamole, for example, needs guacd and tomcat as server components, and modules for different connection protocols, etc. You can check it with `yum deplist nethserver-guacamole` or `rpm -qR nethserver-guacamole`.
EDIT: Virtualhost added. It's enough to reinstall the module with `yum reinstall`, no need for a complete uninstall.
Did this change anything else for proxy settings? I ask now because I can no longer get NS to reverse proxy like I could above. With the recent guide, for instance, I had the goal of getting remote.example.com from https://demo.example.com/guacamole using the Reverse Proxy and a valid LE cert, but the page no longer loads.
```
[root@demo ~]# echo '{"action":"edit","proxypass":{"name":"remote.nethserver.us","Description":"","Target":"https://demo.nethserver.us/guacamole","HTTP":"no","HTTPS":"yes","PreserveHost":"yes","SslCertificate":"","ValidFrom":[""],"CertVerification":"no","type":"VhostReverse"}}' | /usr/bin/setsid /usr/bin/sudo /usr/libexec/nethserver/api/nethserver-httpd/proxypass/update | jq
{
  "steps": 2,
  "pid": 47689,
  "args": "",
  "event": "nethserver-httpd-save"
}
{
  "step": 1,
  "pid": 47689,
  "action": "S05generic_template_expand",
  "event": "nethserver-httpd-save",
  "state": "running"
}
{
  "progress": "0.50",
  "time": "0.334905",
  "exit": 0,
  "event": "nethserver-httpd-save",
  "state": "done",
  "step": 1,
  "pid": 47689,
  "action": "S05generic_template_expand"
}
{
  "step": 2,
  "pid": 47689,
  "action": "S90adjust-services",
  "event": "nethserver-httpd-save",
  "state": "running"
}
{
  "progress": "1.00",
  "time": "0.291756",
  "exit": 256,
  "event": "nethserver-httpd-save",
  "state": "done",
  "step": 2,
  "pid": 47689,
  "action": "S90adjust-services"
}
{
  "pid": 47689,
  "status": "failed",
  "event": "nethserver-httpd-save"
}
{
  "type": "Error",
  "message": "proxy.api_update_failed"
}
[root@demo ~]# ^C
[root@demo ~]#
```
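The API call above prints one JSON object per step, and the only hint about what went wrong is the step whose `exit` is nonzero. As an added example (not NethServer's code), the following builds the same proxypass payload without hand-quoting JSON in a shell string, parses that pretty-printed event stream, and picks out the failed step and the final error message. The sample output is reconstructed from the thread; the reading of `256` as a raw wait status whose high byte is the child's exit code 1 is an assumption about how the event runner reports it. Note that the posted command sets `CertVerification` to `no`, which disables certificate verification toward the backend; the helper defaults to `yes`, which is the right choice when the backend is a host with a valid LE certificate.

```python
"""Build a proxypass payload and parse the NethServer API event stream.

Added example, not NethServer's code. SAMPLE_OUTPUT is a constructed copy
of the output shown in the thread; the wait-status interpretation of
'exit' is an assumption.
"""
import json


def build_proxypass_payload(name, target, verify_backend_cert=True, description=""):
    """Return the document the proxypass update call expects (keys mirror the posted command)."""
    return {
        "action": "edit",
        "proxypass": {
            "name": name,
            "Description": description,
            "Target": target,
            "HTTP": "no",
            "HTTPS": "yes",
            "PreserveHost": "yes",
            "SslCertificate": "",
            "ValidFrom": [""],
            # "no" disables TLS verification toward the backend; keep "yes" unless you must not
            "CertVerification": "yes" if verify_backend_cert else "no",
            "type": "VhostReverse",
        },
    }


def payload_json(name, target, verify_backend_cert=True):
    """JSON text ready to pipe into the proxypass/update helper."""
    return json.dumps(build_proxypass_payload(name, target, verify_backend_cert))


def parse_event_stream(text):
    """Decode a stream of concatenated (possibly pretty-printed) JSON objects."""
    decoder = json.JSONDecoder()
    objs, pos, n = [], 0, len(text)
    while pos < n:
        while pos < n and text[pos].isspace():
            pos += 1
        if pos >= n:
            break
        obj, pos = decoder.raw_decode(text, pos)
        objs.append(obj)
    return objs


def failed_steps(events):
    """(action, raw exit status, child exit code) for every finished step with nonzero exit."""
    out = []
    for e in events:
        if e.get("state") == "done" and e.get("exit", 0) != 0:
            status = int(e["exit"])
            out.append((e["action"], status, status >> 8))  # assumption: wait status
    return out


def summarize(text):
    """Overall status, API error message and failed steps from the raw output."""
    events = parse_event_stream(text)
    status = next((e["status"] for e in events if "status" in e), "unknown")
    error = next((e["message"] for e in events if e.get("type") == "Error"), None)
    return {"status": status, "error": error, "failed": failed_steps(events)}


# Constructed from the output shown above (same objects, compact form).
SAMPLE_OUTPUT = """\
{"steps": 2, "pid": 47689, "args": "", "event": "nethserver-httpd-save"}
{"step": 1, "pid": 47689, "action": "S05generic_template_expand", "event": "nethserver-httpd-save", "state": "running"}
{"progress": "0.50", "time": "0.334905", "exit": 0, "event": "nethserver-httpd-save", "state": "done",
 "step": 1, "pid": 47689, "action": "S05generic_template_expand"}
{"step": 2, "pid": 47689, "action": "S90adjust-services", "event": "nethserver-httpd-save", "state": "running"}
{"progress": "1.00", "time": "0.291756", "exit": 256, "event": "nethserver-httpd-save", "state": "done",
 "step": 2, "pid": 47689, "action": "S90adjust-services"}
{"pid": 47689, "status": "failed", "event": "nethserver-httpd-save"}
{"type": "Error", "message": "proxy.api_update_failed"}
"""

if __name__ == "__main__":
    print(payload_json("remote.nethserver.us", "https://demo.nethserver.us/guacamole"))
    print(summarize(SAMPLE_OUTPUT))
```

Piping `payload_json(...)` into the same `proxypass/update` command as above, and feeding its output to `summarize`, turns "proxy.api_update_failed" into "step S90adjust-services exited 1", which tells you to look at the httpd configuration test rather than the template expansion.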
/etc/httpd/conf.d/guacamole.conf was moved to /etc/httpd/conf.d/zz_guacamole.conf.
If the virtualhost feature is not enabled there should be no change in zz_guacamole.conf.
EDIT: Found a difference. Please try to delete the `SSLEngine on` line in /etc/httpd/conf.d/zz_guacamole.conf and reload httpd.
You can see my changes in the commits on github:
So with this implementation, via which URL is Guacamole reachable using the virtualhost? Or is it to be defined during installation?
Also, my case also involved the missing language files, which made my interface look horrid.
I updated the wiki entry, the vhost is without path and needs to be setup after install:
https://wiki.nethserver.org/doku.php?id=guacamole#virtual_host
Still couldn’t reproduce this.
No problem, I will just remove it, then re-install it. No biggie. If I also knew what I did, we could have made it easier to identify how the error came to be, and how to write about it for anyone who gets a similar error in future.
Language issue was resolved.
Now, how do I assign an LDAP user to a specific connection?
Tried from mobile now, but my server blocked me out. Need to check that. I wasn't able to press a menu button in Guacamole on a mobile device.
I think in the user settings at the bottom you can choose the connections.