Re: Guacamole/Json - trouble

2022-06-28 Thread Nick Couchman
On Tue, Jun 28, 2022 at 4:29 PM Rick .  wrote:

> Thanks again. I'm onboard with the posting/curling of an encrypted json to
> the container. I just assumed I could use json to both add a user and
> connections to the container. But then I guess I still need something like
> postgres and the init.db file to create the user I then include in the
> json? Can the connections exist only in the json before posting and get
> created that way? Or is the json only used as a filter for users and
> connections all of which are already existing in the container?
>

No, with the JSON extension you do not need the Postgres/MySQL/SQL Server
extension - you can include both the user account information and the
connection information all in the JSON data that you post to the extension,
and Guacamole will provide those connections to the user. If, however, you
want to create other connections in the database module and layer the JSON
authentication on top of that, you can certainly do that, as well. But it
isn't a requirement - the JSON module should be able to operate on its own
without any other supporting modules, either for authentication or
connection storage.

-Nick



Re: Guacamole/Json - trouble

2022-06-22 Thread Nick Couchman
On Mon, Jun 13, 2022 at 12:40 PM Rick .  wrote:

>
> Thanks to you too. So seems like user-mapping.xml is out and maybe json is
> back in then.. If I should avoid touching the properties file and
> overriding the GUACAMOLE_HOME to stay away from unpredictable things. What
> would be the steps to in my case enable json authentication? Like what
> would be the environment variable I should add in the compose to get the
> desired result? No need to copy the guacamole-auth-json-1.4.0.jar file
> anywhere? Perhaps somehow using its location in the container as an
> environment variable as well?
>

In version 1.4.0 of the Docker image, providing the environment variable
JSON_SECRET_KEY will automatically load the JSON extension in the Docker
image and put the entry in the guacamole.properties file. There's another
environment variable - JSON_TRUSTED_NETWORKS - that can also be specified
and will result in the proper entry in guacamole.properties.

I'm not sure how familiar you are with the JSON extension and how it works
- it isn't just a JSON file on the filesystem - the extension allows you to
pass JSON data in via a HTTP POST request to the Guacamole API, which
contains a user who has been authenticated by an outside system, along with
all of the connections that user should see in Guacamole Client. Also, this
request must be properly signed, using the secret key, as documented in the
manual.

https://guacamole.apache.org/doc/gug/json-auth.html

-Nick
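
The signing step described in this reply, together with the point from the 2022-06-28 reply that the user and its connections live entirely in the posted JSON, as an added example (not part of the thread and not the Guacamole project's code). It follows the scheme in the linked manual page: the HMAC-SHA256 signature is prepended to the JSON, the result is encrypted with AES-128-CBC under an all-zero IV, then base64-encoded. The key, username, connection and the `guac_*` function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. KEY is a constructed 128-bit key (32 hex digits); it must match
# the JSON_SECRET_KEY given to the container. Make a real one: openssl rand -hex 16
KEY=00112233445566778899aabbccddeeff
IV=00000000000000000000000000000000   # the scheme uses an all-zero IV

# Constructed user and connection; "expires" is milliseconds since the epoch.
build_json() {
  cat <<EOF
{
  "username": "rick",
  "expires": $(( ($(date +%s) + 300) * 1000 )),
  "connections": {
    "Lab RDP": {
      "protocol": "rdp",
      "parameters": { "hostname": "rdp.example.internal", "port": "3389" }
    }
  }
}
EOF
}

# HMAC-SHA256(key, json) || json -> AES-128-CBC -> base64 on one line.
guac_token() {   # usage: guac_token HEXKEY JSON
  { printf '%s' "$2" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" -binary
    printf '%s' "$2"
  } | openssl enc -aes-128-cbc -K "$1" -iv "$IV" -nosalt -a | tr -d '\n'
}

# Local check before posting: decrypt, split off the 32-byte signature,
# recompute the HMAC over the rest. Prints the JSON only if the two match.
guac_verify() {  # usage: guac_verify HEXKEY TOKEN
  local tmp got want rc
  tmp=$(mktemp) || return 1
  printf '%s\n' "$2" | base64 -d 2>/dev/null |
    openssl enc -d -aes-128-cbc -K "$1" -iv "$IV" -nosalt >"$tmp" 2>/dev/null
  got=$(head -c 32 "$tmp" | od -An -tx1 | tr -d ' \n')
  want=$(tail -c +33 "$tmp" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" -binary |
         od -An -tx1 | tr -d ' \n')
  [ -n "$got" ] && [ "$got" = "$want" ] && tail -c +33 "$tmp"
  rc=$?; rm -f "$tmp"; return "$rc"
}

TOKEN=$(guac_token "$KEY" "$(build_json)")
guac_verify "$KEY" "$TOKEN" >/dev/null && echo "token OK, ${#TOKEN} base64 chars"
# Post it as the "data" parameter (URL taken from the thread):
#   curl --data-urlencode "data=$TOKEN" http://localhost:8443/guacamole/api/tokens
```
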


Re: Guacamole/Json - trouble

2022-06-13 Thread Nick Couchman
On Mon, Jun 13, 2022 at 7:32 AM Lee Doughty 
wrote:

> You could use docker-compose to "volume" mount the user-mapping.xml file
> to /etc/guacamole, and that should work for what you're trying to
> accomplish. If you don't provide it postgres or any hints that you're trying
> to do another auth system, it should fall back to the XML file. (See
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html )
>
>
I would not use user-mapping.xml in any sort of production or extended
environment. It's really intended to make sure you get Guacamole working,
and then you should use one of the other extensions.


>
> You shouldn't need any of the postgres and environment rewrites or your
> extension...I don't think the JSON approach is a great idea based on your
> requirements, it's probably overall more complicated than using postgres,
> as it has a different use case
>
>
The Guacamole Docker image takes care of writing the guacamole.properties
file on its own with the values you provide in the environment variables.
Attempting to generate your own, map GUACAMOLE_HOME, etc., is likely to
result in odd and unpredictable behavior.

-Nick


Re: Guacamole/Json - trouble

2022-06-13 Thread Lee Doughty
You could use docker-compose to "volume" mount the user-mapping.xml file to
/etc/guacamole, and that should work for what you're trying to accomplish.
If you don't provide it postgres or any hints that you're trying to do
another auth system, it should fall back to the XML file. (See
https://guacamole.apache.org/doc/gug/configuring-guacamole.html )


You shouldn't need any of the postgres and environment rewrites or your
extension...I don't think the JSON approach is a great idea based on your
requirements, it's probably overall more complicated than using postgres,
as it has a different use case



On Mon, Jun 13, 2022, 3:35 AM Rick .  wrote:

> Hi
> What I'm trying to do is to run guacamole in docker and then feed it with
> a list of connections on startup in a simple way.
>
> A couple of questions:
>
> 1. I found a github repository (
> https://github.com/boschkundendienst/guacamole-docker-compose) that sets
> things up pretty nicely. It has a docker-compose that uses guacd, postgres,
> guacamole and nginx containers. Would it be possible to replace the use of
> postgres with json in this scenario (for authentication and feeding the
> container with connections)?
>
> 2. Assuming that should work. What is the best way to enable
> json-authentication when running things in docker?
>
> When I try to understand the documentation it seems I would need to
> override GUACAMOLE_HOME in some way. So I tried creating a .guacamole
> folder in the home directory where I put a guacamole-properties file only
> containing the following line: json-secret-key: < value key>>. I also created an extensions folder where I put the
> guacamole-auth-json-1.4.0.jar file. And in the docker-compose file I
> replace the POSTGRES-variables with "GUACAMOLE: ~/.guacamole" to the
> environment part for the guacamole container. But then the guacamole
> container won't start and when checking by clicking on the container in
> docker desktop it gives the following error:
>
> "FATAL: No authentication configured
> The Guacamole Docker container needs at least one authentication mechanism
> in order to function, such as a MySQL database,
> PostgreSQL database, LDAP directory or RADIUS server. Please specify at
> least the MYSQL_DATABASE or POSTGRES_DATABASE environment
> variables, or check Guacamole's Docker documentation regarding configuring
> LDAP and/or custom extensions."
>
> So it seems that my attempt at overriding doesn't quite take effect...
>
> I have also attempted to run the compose as is (but with the "GUACAMOLE:
> ~/.guacamole" part added) and then running
> "curl --data-urlencode "<>"
> http://localhost:8443/guacamole/api/tokens" in an attempt to feed it with
> connections but then there is an authentication issue for that... Which I
> assume is also because my attempt at an override isn't working.
>
> TL;DR
> 1. Is it possible to run a combo of guacd, guacamole, nginx in docker and
> using json for authentication and feeding the guacamole container with
> users/connections?
> 2. If possible: how do I enable json-authentication when running
> guacamole in a docker container?
>
> Oh, and please explain to me like I'm 10. New to docker and very new to
> guacamole...
>
> /Rick
>