Cool Solution - Guacamole

Product logo: UCS Version 4.2

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Also note the legal notes in the Terms of Service.

Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC and RDP.

The version of Guacamole used in this article is Guacamole 0.9.13-incubating.

Installation

To successfully deploy and start Guacamole, two images are downloaded via Docker by a joinscript:

  • guacd
  • guacamole

In this article the following Guacamole docker containers are used:

Package "univention-guacamole-schema"

The package univention-guacamole-schema can only be installed on the following UCS server roles:

  • UCS DC Master
  • UCS DC Backup

Install the package with the following command:

univention-install univention-guacamole-schema

During the installation, the joinscript "99univention_register_guacamole_schema.inst" is called automatically. It registers a new LDAP schema and adds two extended attributes to the UMC, which extend the Groups module. After the joinscript has finished, existing and new groups can be configured to provide a Guacamole configuration.

Package "univention-guacamole-rollout"

The package univention-guacamole-rollout can be installed on all UCS server roles. The package provides two joinscripts: one which creates a search user for Guacamole, and one which deploys the two containers:

  • guacd
  • guacamole

Install the package with the following command:

univention-install univention-guacamole-rollout

Creating the searchuser

The joinscript "98univention-guacamole-searchuser.inst" checks if the searchuser is already present in the LDAP. If not, the searchuser is created as a "Simple authentication account" user and the password is saved in the file /etc/guacamole.secret.

Attention: If the package univention-guacamole-rollout is installed on a second server, the file /etc/guacamole.secret must be copied there by hand; otherwise the joinscript "99univention_install_guacamole.inst" will fail with an error message in the join.log file.
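
A pre-flight check for the second-server case described above, as an added example that is not part of the Univention packages: it verifies that /etc/guacamole.secret was copied, is non-empty, and carries no group or world permission bits before the join scripts run. The function names, the return codes and the owner-only permission requirement are assumptions of this example; the article does not state which mode the joinscript sets on the file.

```shell
#!/bin/sh
# Added example, not part of the Univention packages.

# check_guacamole_secret [FILE]
# Return codes (defined by this example):
#   0  present, non-empty, no group/other permission bits
#   1  missing (or not stat-able): copy it from the first server
#   2  empty: the copy went wrong, repeat it
#   3  accessible beyond the owner: tighten, e.g. chmod 600
check_guacamole_secret() {
    secret_file="${1:-/etc/guacamole.secret}"

    if [ ! -f "$secret_file" ]; then
        echo "missing: $secret_file" >&2
        return 1
    fi
    if [ ! -s "$secret_file" ]; then
        echo "empty: $secret_file" >&2
        return 2
    fi

    # GNU stat (as on UCS/Debian) prints the octal mode, e.g. 600 or 644.
    mode=$(stat -L -c '%a' "$secret_file") || return 1
    case "$mode" in
        0|*00) ;;  # owner-only modes such as 400 or 600
        *)
            echo "too permissive (mode $mode): $secret_file" >&2
            return 3
            ;;
    esac
    return 0
}

# Hypothetical wrapper: run the pending join scripts only when the secret
# passes the check. univention-run-join-scripts is the command named in
# this article.
preflight_and_join() {
    check_guacamole_secret "$@" || return $?
    univention-run-join-scripts
}
```

When copying the file from the first server, a tool that preserves the mode (for example scp -p) avoids return code 3 on the target.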

Deploying Guacamole

The joinscript "99univention_install_guacamole.inst" must be executed explicitly, either via the UMC or on the shell via univention-run-join-scripts. The reason for this behaviour is that some Guacamole UCR variables should be checked first:

| UCR variable | Default value | Description |
| --- | --- | --- |
| guacamole/user/dn | cn=users,dc=example,dc=com | Top-most DN to search for users |
| guacamole/config/base/dn | cn=groups,dc=example,dc=com | DN for configuration groups |
| guacamole/ldap/username/attribute | uid | Attribute to map usernames to |
| guacamole/external/port | 8080 | Port to which the Guacamole Tomcat should be mapped |
| guacamole/ldap/user/searchfilter | (objectClass=*) | LDAP search filter to limit login to users matching the search filter |

After any of these variables is changed, univention-guacamole-renew must be run to recreate the Guacamole container. Additionally, when the UCR variable guacamole/external/port is changed, the Apache2 webserver must be reloaded:

systemctl reload apache2.service

Guacamole can be accessed from the Univention Portal.

Configuration

Start by editing an existing group, or by creating a new group. On the Guacamole tab, the protocol and parameters can be edited. Every user who is a direct member of this group can access this configuration. Only one connection can be configured for a group.

RDP

At least the following parameters must be provided for the connection to succeed:

  • hostname

For a full list of parameters, please have a look at the Guacamole manual.

Telnet

At least the following parameters must be provided for the connection to succeed:

  • hostname
  • port

For a full list of parameters, please have a look at the Guacamole manual.

SSH

At least the following parameters must be provided for the connection to succeed:

  • hostname

For a full list of parameters, please have a look at the Guacamole manual.

VNC

At least the following parameters must be provided for the connection to succeed:

  • hostname
  • port

For a full list of parameters, please have a look at the Guacamole manual.

Archive

There is a version of this article for UCS 4.1.
