Guacamole with LDAP
If you've come across this page then you probably know what Guacamole is. If not, it's a web-based session manager for VNC, RDP and similar protocols. Paired with LDAP, it becomes an organisation-wide management tool.
How to install it? For this I used an Ubuntu 20.04 VM.
vcpu - 2 cores
RAM - 4GB
HDD - 15GB
Install Guacamole
Head over to this repo - https://github.com/MysticRyuujin/guac-install
SSH onto your Ubuntu VM
sudo su (keeps you logged in as the root user)
apt-get update && apt-get upgrade -y
wget https://git.io/fxZq5 -O guac-install.sh
chmod +x guac-install.sh
./guac-install.sh
It will ask you to create a MySQL password and a guacadmin password during the installation. It can take some time.
Once completed, check that you can access the WebGui using http://**IP ADDRESS**:8080/guacamole
Log in with the guacadmin password you set earlier; the default is guacadmin/guacadmin
Install LDAP extension
SSH onto your Ubuntu VM with Guacamole installed
wget http://apache.mirror.iphh.net/guacamole/1.2.0/binary/guacamole-auth-ldap-1.2.0.tar.gz
At the time of writing, Guacamole 1.2.0 is the latest release
tar xvzf guacamole-auth-ldap-1.2.0.tar.gz
cp /home/**USERNAME**/guacamole-auth-ldap-1.2.0/guacamole-auth-ldap-1.2.0.jar /etc/guacamole/extensions/
Change the username above to suit your install (the tarball was extracted in the directory you downloaded it to)
Open the guacamole.properties in your favourite editor
nano /etc/guacamole/guacamole.properties
Add the following:
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
ldap-hostname: YOUR_LDAP_SERVER
ldap-port: 389
ldap-user-base-dn: OU=your user accounts,DC=mydomain,DC=com
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: CN=MyUSER01,OU=Users,DC=mydomain,DC=com
ldap-search-bind-password: MyUSER01 password
ldap-user-attributes: sAMAccountName, givenName, sn, mail
Save the file and exit
Restart the Tomcat service
systemctl restart tomcat9
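Before restarting Tomcat it is worth checking that the file you just edited is complete and not world-readable (it now holds a service-account password), and that the bind it describes actually works. The script below is an added example, not part of the original post or the guac-install project. It assumes the "key: value" layout shown above, and that the extension's ldap-encryption-method property (values none, ssl or starttls) is what decides whether the bind is encrypted; the host names, DNs and user in the demo file are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the LDAP settings in
# guacamole.properties and print an ldapsearch command that performs the same
# search bind the extension will perform. Assumes "key: value" lines and the
# ldap-encryption-method property of guacamole-auth-ldap (none, ssl, starttls).

# prop_get FILE KEY -> value of "KEY: value" on stdout, empty if the key is absent
prop_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_ldap_props FILE -> exit 0 when usable, 1 when something must be fixed;
# one finding per line on stdout
check_ldap_props() {
    f="$1"; rc=0
    for key in auth-provider ldap-hostname ldap-user-base-dn \
               ldap-search-bind-dn ldap-search-bind-password; do
        if [ -z "$(prop_get "$f" "$key")" ]; then
            echo "MISSING: $key"; rc=1
        fi
    done
    enc=$(prop_get "$f" ldap-encryption-method)
    port=$(prop_get "$f" ldap-port)
    if [ -z "$enc" ] || [ "$enc" = "none" ]; then
        echo "WARN: ldap-encryption-method is '${enc:-unset}': the service-account bind and every user login cross the network in cleartext on port ${port:-389}"
        rc=1
    fi
    # the file carries the service-account password, so 'other' must not be able to read it
    if [ "$(ls -l "$f" | cut -c8)" = "r" ]; then
        echo "WARN: $f is world-readable; chmod 640 it and keep it readable by the tomcat user only"
        rc=1
    fi
    return "$rc"
}

# ldap_probe_cmd FILE USER -> prints an ldapsearch command that binds as the
# configured search account and looks USER up under the configured base DN.
# -W prompts for the password so it never lands in shell history or ps output.
ldap_probe_cmd() {
    f="$1"; user="$2"
    host=$(prop_get "$f" ldap-hostname)
    port=$(prop_get "$f" ldap-port)
    enc=$(prop_get "$f" ldap-encryption-method)
    attr=$(prop_get "$f" ldap-username-attribute)
    scheme=ldap; tls=""
    if [ "$enc" = "ssl" ]; then scheme=ldaps; fi
    if [ "$enc" = "starttls" ]; then tls=" -ZZ"; fi
    printf "ldapsearch -x -LLL%s -H %s://%s:%s -D '%s' -W -b '%s' '(%s=%s)' dn\n" \
        "$tls" "$scheme" "$host" "${port:-389}" \
        "$(prop_get "$f" ldap-search-bind-dn)" \
        "$(prop_get "$f" ldap-user-base-dn)" "${attr:-sAMAccountName}" "$user"
}

# Demo on a constructed properties file that mirrors the settings from the post
demo=$(mktemp)
cat > "$demo" <<'EOF'
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
ldap-hostname: dc01.mydomain.com
ldap-port: 389
ldap-user-base-dn: OU=your user accounts,DC=mydomain,DC=com
ldap-username-attribute: sAMAccountName
ldap-search-bind-dn: CN=MyUSER01,OU=Users,DC=mydomain,DC=com
ldap-search-bind-password: MyUSER01 password
ldap-user-attributes: sAMAccountName, givenName, sn, mail
EOF
chmod 644 "$demo"
check_ldap_props "$demo" && echo "properties look fine" || echo "fix the findings above, then: systemctl restart tomcat9"
ldap_probe_cmd "$demo" jsmith
rm -f "$demo"
```

Run it against /etc/guacamole/guacamole.properties instead of the demo file; the settings from the post trigger two warnings (plain LDAP on 389 and a world-readable file), which is exactly why the check exists. Paste the printed ldapsearch line into a shell on the Guacamole host to confirm the service account can bind and find a user before you restart Tomcat.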
Guacamole WebGui
Log back into Guacamole, this time with your LDAP account.
You will then need to log out and log in as guacadmin to give your LDAP account admin access.
LDAP Connections
To pass your LDAP credentials through to an RDP connection you use tokens: Guacamole substitutes the username and password the user logged in with wherever ${GUAC_USERNAME} and ${GUAC_PASSWORD} appear in the connection settings.
Configure a Connection
Name - My server
Protocol - RDP
Network Hostname - **IP ADDRESS**
Port - 3389 (for RDP)
Authentication username - ${GUAC_USERNAME}
Authentication password - ${GUAC_PASSWORD}
Authentication domain - mydomain (change it to yours)
Display - Resize method - Display update
Save the connection and test.