Difference between revisions of "Cool Solution - Guacamole"
From Univention Wiki
(New UCR variable) |
|||
Line 1: | Line 1: | ||
{{Version|UCS=4.2}} | {{Version|UCS=4.2}} | ||
{{Cool Solutions Disclaimer|Repository=yes}} | {{Cool Solutions Disclaimer|Repository=yes}} | ||
− | |||
{{#seo: | {{#seo: | ||
|title={{#replace:{{#replace:{{#replace:{{#replace:{{FULLPAGENAME}}|'|'}}|&|&}}|"|"}}|Cool Solution - |}} - {{SITENAME}} | |title={{#replace:{{#replace:{{#replace:{{#replace:{{FULLPAGENAME}}|'|'}}|&|&}}|"|"}}|Cool Solution - |}} - {{SITENAME}} | ||
Line 59: | Line 58: | ||
|- | |- | ||
| guacamole/external/port || 8080 || Port to which the Guacamole Tomcat should be mapped to | | guacamole/external/port || 8080 || Port to which the Guacamole Tomcat should be mapped to | ||
+ | |- | ||
+ | | guacamole/ldap/user/searchfilter || (objectClass=*) || LDAP search filter to limit login to users matching the search filter | ||
|} | |} | ||
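Review bot: The description in the added guacamole/ldap/user/searchfilter row says the filter limits login, but the documented default (objectClass=*) matches every entry, so with the default nothing is limited. Suggest stating that in the description and giving one example of a restricting filter. The row also does not say that the value has to be a complete, parenthesised LDAP filter.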
Revision as of 08:40, 28 November 2017
Note: Cool Solutions are articles documenting additional functionality based on Univention products. Packages provided by a Cool Solutions Repository are built by Univention, but will not be maintained.
Not all of the steps shown in this article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.
Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC and RDP.
The version of Guacamole used in this article is Guacamole 0.9.13-incubating.
Installation
To successfully deploy and start Guacamole, two images are downloaded via Docker by a joinscript:
- guacd
- guacamole
In this article the following Guacamole docker containers are used:
Package "univention-guacamole-schema"
The package univention-guacamole-schema can only be installed on the following UCS server roles:
- UCS DC Master
- UCS DC Backup
Install the package with the following command:
univention-install univention-guacamole-schema
During the installation, the joinscript "99univention_register_guacamole_schema.inst" is called automatically. It registers a new LDAP schema and adds two extended attributes to the UMC, which extend the Groups module. After the joinscript has finished, existing and new groups can be configured to provide a Guacamole configuration.
Package "univention-guacamole-rollout"
This package univention-guacamole-rollout can be installed on all UCS server roles. The package provides two joinscripts: one which creates a search user for Guacamole, and one which deploys the two containers:
- guacd
- guacamole
Install the package with the following command:
univention-install univention-guacamole-rollout
Creating the searchuser
The joinscript "98univention-guacamole-searchuser.inst" checks whether the searchuser is already present in the LDAP. If not, the searchuser is created as a "Simple authentication account" user and the password is saved in the file /etc/guacamole.secret.
Attention: If the package univention-guacamole-rollout is installed on a second server, the file /etc/guacamole.secret must be copied by hand; otherwise the joinscript "99univention_install_guacamole.inst" will fail with an error message in the join.log file.
Deploying Guacamole
The joinscript "99univention_install_guacamole.inst" must be executed either by running the joinscript via the UMC or on the shell via univention-run-join-scripts. The reason for this behaviour is that some Guacamole UCR variables should be checked first:
UCR variable | Default value | Description |
---|---|---|
guacamole/user/dn | cn=users,dc=example,dc=com | Top-most DN to search for users |
guacamole/config/base/dn | cn=groups,dc=example,dc=com | DN for configuration groups |
guacamole/ldap/username/attribute | uid | Attribute to map usernames to |
guacamole/external/port | 8080 | Port to which the Guacamole Tomcat should be mapped |
guacamole/ldap/user/searchfilter | (objectClass=*) | LDAP search filter to limit login to users matching the search filter |
After any of these variables is changed, univention-guacamole-renew must be run to recreate the Guacamole container. Additionally, when the UCR variable guacamole/external/port is changed, the Apache2 webserver must be reloaded:
systemctl reload apache2.service
Guacamole can be accessed from the Univention Portal.
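One way to set the guacamole/ldap/user/searchfilter variable from the table above so that it actually restricts logins, since the default (objectClass=*) matches every entry. This is an added example, not part of the original article or of Univention's packages; the group DN is hypothetical, and it assumes user entries carry a memberOf attribute.

```shell
#!/bin/sh
# Added example: restrict Guacamole logins to members of one group.
# Assumptions: the group DN below is hypothetical, and user entries carry a
# memberOf attribute (memberOf overlay enabled on the LDAP server).

# Escape a value for use inside an LDAP filter (RFC 4515): \ * ( )
# The backslash is handled first so later escapes are not escaped again.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Build a filter that matches only entries whose memberOf names the group DN.
guac_login_filter() {
    printf '(memberOf=%s)' "$(ldap_escape "$1")"
}

# Set the UCR variable and recreate the container, as the article requires
# after any change. Only call this on the UCS system running Guacamole.
apply_guac_filter() {
    filter=$(guac_login_filter "$1")
    ucr set "guacamole/ldap/user/searchfilter=$filter" &&
        univention-guacamole-renew
}

# Constructed sample input: print the filter without changing anything.
guac_login_filter 'cn=guacamole-users,cn=groups,dc=example,dc=com'
echo
```

Calling apply_guac_filter with the real group DN performs the change; the escaping keeps a DN containing parentheses or an asterisk from altering the structure of the filter.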
Configuration
Start by editing an existing group or by creating a new one. On the tab Guacamole, the protocol and parameters can be edited. Every user who is a direct member of this group can access this configuration. Only one connection can be configured for a group.
RDP
At least the following parameters must be provided for the connection to succeed:
- hostname
For a full list of parameters, please have a look at the Guacamole manual.
Telnet
At least the following parameters must be provided for the connection to succeed:
- hostname
- port
For a full list of parameters, please have a look at the Guacamole manual.
SSH
At least the following parameters must be provided for the connection to succeed:
- hostname
For a full list of parameters, please have a look at the Guacamole manual.
VNC
At least the following parameters must be provided for the connection to succeed:
- hostname
- port
For a full list of parameters, please have a look at the Guacamole manual.
Archive
There is a version of this article for UCS 4.1.