Skip to content

cynthia-rempel/guacamole-compose

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

46 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

guacamole-compose

Docker compose project with oeycloak and guacamole

To get started with no configurations, run

./setup.sh

docker-compose up

Requires name resolution to work, so added the following entry to /etc/hosts:

127.0.1.1 guacamole.rfa.net keycloak.rfa.net

Trust the certs

Please add init/guacamole.crt and init/keycloak.crt to your trusted certificates.

Create the guacadmin user in keycloak

# Add the guacadmin user to keycloak with an email
docker exec guacamole-compose_keycloak_1 \
  /opt/jboss/keycloak/bin/kcadm.sh \
  create users \
  -s username=guacadmin@guacadmin \
  -s enabled=true \
  -s email=guacadmin@guacadmin \
  -r master \
  --server https://keycloak.rfa.net:8443/auth \
  --realm master \
  --user admin \
  --password admin

# Set the password
docker exec guacamole-compose_keycloak_1 \
  /opt/jboss/keycloak/bin/kcadm.sh \
  set-password \
  --username guacadmin@guacadmin \
  --new-password guacadmin \
  -r master \
  --server https://keycloak.rfa.net:8443/auth \
  --realm master \
  --user admin \
  --password admin

# Make guacadmin an admin
docker exec guacamole-compose_keycloak_1 \
  /opt/jboss/keycloak/bin/kcadm.sh \
  add-roles \
  --uusername guacadmin@guacadmin \
  --rolename admin \
  -r master \
  --server https://keycloak.rfa.net:8443/auth \
  --realm master \
  --user admin \
  --password admin

Add the guacamole-client

config/keycloak/guacamole-client.json

docker exec guacamole-compose_keycloak_1 \
  /opt/jboss/keycloak/bin/kcadm.sh \
  create clients \
  --file guacamole-client.json \
  -r master \
  --server https://keycloak.rfa.net:8443/auth \
  --realm master \
  --user admin \
  --password admin

TODO: add "read-only" role for keycloak

In current configuration all qery and read-roles.

TODO: make "read-only" role a default role in keycloak

To customize:

Find all instances of rfa.net, and replace them to you're liking

grep -R rfa.net | grep -v Binary

Please note: haproxy sni requires uniq certs for each backend so you'll need separate certs for guacamole and keycloak

To use

Then browsed to:

https://guacamole.rfa.net:8443/guacamole

https://keycloak.rfa.net:8443

To add users


Guacamole uses keycloak for identity, and uses postgres for authorization.

Guacamole's OpenID Connect ... removing the need for users to log into Guacamole
directly. This module must be layered on top of ... that provide connection
information ... database authentication ....

Because of this, users have to be added to both keycloak and postgres.

Reference: https://guacamole.apache.org/doc/gug/openid-auth.html


Adding a user to Postgres

To add users to postgres, add them through the guacamole application.

https://guacamole.rfa.net:8443/guacamole

username: guacadmin@guacadmin

password: guacadmin


Upper right corner, username, settings

Upper right corner, username, settings


Middle top, users, left middle, new user

Middle top, users, left middle, new user


Make sure the username is in email format, make appropriate selections

Make sure the username is in email format, make appropriate selections


Scroll down, continuing to make appropriate selections, then click save

Scroll down, continuing to make appropriate selections, then click save

NOTE: if a connection is under a subgroup, both the subgroup and connection must be checked for the user to create a connection.


Adding user to Keycloak

https://keycloak.rfa.net:8443

Administration Console


Scroll down, click users, view all users, add user

Scroll down, click users, view all users, add user


Make the keycloak user's email match the username and email of guacamole user

Make the keycloak user's email match the username and email of guacamole user

NOTE: The email of the keycloak user must match the username and email of the guacamole user.


Set the password

Set the password

Why doesn't keycloak let you set the password when you create the user ?!?


Adding Connections


Upper right corner, username, settings

Upper right corner, username, settings


Middle top, connections, left, new connection

Middle top, connections, left, new connection


Make an SSH connection

  • Name: some-name

  • Location: the-group

  • Protocol: SSH

  • Max number of connections: 2

  • Max number of connections per user: 2

Reference: https://jasoncoltrin.com/2017/10/04/setup-guacamole-remote-desktop-gateway-on-ubuntu-with-one-script/

Protocol SSH


Set the host

Scroll Down, under the Network Section set the host

Set the host and port

**CLICK SAVE **

Where to send users when you want to tell them RTFM

https://guacamole.apache.org/doc/gug/using-guacamole.html

To uninstall

docker-compose down
./teardown.sh

Reference:

About

Docker compose project with keycloak and guacamole

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages