Sv: Guacamole/Json - trouble
Thanks for taking the time to reply. Seems you forgot the part about explaining it to me as if I was 10 🙂 However I find no /etc/guacamole in the container itself and I have no /etc/guacamole on my machine. I kind of assumed that would only appear if I installed guacamole locally. And not finding that folder is part of why I tried to override "GUACAMOLE_HOME" by creating and trying to use ~/.guacamole as per the manual. But from your suggestion, would I just create that folder structure on the machine hosting the docker container and then write my own user-mapping.xml there? And then do some volume-magic in the compose file. No need for some sort of override? /Rick Från: Lee Doughty Skickat: den 13 juni 2022 13:32 Till: user@guacamole.apache.org Ämne: Re: Guacamole/Json - trouble You could use docker-compose to "volume" mount the user-mapping.xml file to /etc/guacamole, and that should work for what you're trying to accomplish. If you don't provide it postgres or any hints that your trying to do another auth system, it should fall back to the XML file. (See https://guacamole.apache.org/doc/gug/configuring-guacamole.html ) You shouldn't need any of the postgres and environment rewrites or your extension...I don't think the JSON approach is a great idea based on your requirements, it's probably overall more complicated than using postgres, as it has a different use case On Mon, Jun 13, 2022, 3:35 AM Rick . mailto:rille_p...@hotmail.com>> wrote: Hi What I'm trying to do is to run guacamole in docker and then feed it with a list of connections on startup in a simple way. A couple of questions: 1. I found a github repository (https://github.com/boschkundendienst/guacamole-docker-compose) that sets things up pretty nicely. It has a docker-compose that uses guacd, postgres, guacamole and nginx containers. Would it be possible to replace the use of postgres with json in this scenario (for authentication and feeding the container with connections)? 2. Assuming that should work. What is the best way to enable json-authentification when running things in docker? When I try to understand the documentation it seems I would need to override GUACAMOLE_HOME in some way. So I tried creating a .guacamole folder in the home directory where I put a guacamole-properties file only containing the following line: json-secret-key: <>. I also created an extensions folder where I put the guacamole-auth-json-1.4.0.jar file. And in the docker-compose file I replace the POSTGRES-variables with "GUACAMOLE: ~/.guacamole" to the environment part for the guacamole container But then the guacamole container won't start and when checking by clicking on the container in docker desktop it gives the folowing error: "FATAL: No authentication configured The Guacamole Docker container needs at least one authentication mechanism in order to function, such as a MySQL database, PostgreSQL database, LDAP directory or RADIUS server. Please specify at least the MYSQL_DATABASE or POSTGRES_DATABASE environment variables, or check Guacamole's Docker documentation regarding configuring LDAP and/or custom extensions." So it seems that my attempt at overriding doesn't quite take effect... I have also attempted to run the compose as is (but with the "GUACAMOLE: ~/.guacamole" part added) and then running "curl --data-urlencode "<>" http://localhost:8443/guacamole/api/tokens"; in an attempt to feed it with connections but then there is an authentication issue for that... Which I assume is also because my attempt at an override isn't working. TL;DR 1. Is it possible to run a combo of guacd, guacamole, nginx in docker and using json for authentication and feeding the guacamole container with users/connections? 2. If possible: how do I enable json-authentification when running guacamole in a docker container? Oh, and please explain to me like i'm 10. New to docker and very new to guacamole... /Rick
Sv: Guacamole/Json - trouble
Thanks to you too. So seems like user-mapping.xml is out and maybe json is back in then.. If I should avoid touching the properties file and overriding the GUACAMOLE_HOME to stay away from unpredictable things. What would be the steps to in my case enable json authentification? Like what would be the environment variable I should add in the compose to get the desired result? No need to copy the guacamole-auth-json-1.4.0.jar file anywhere? Perhaps somehow using its location in the container as an environment variable as well? /Rick
Sv: Guacamole/Json - trouble
Thanks again. I'm onboard with the posting/curling of an encrypted json to the container. I just assumed I could use json to both add a user and connections to the container. But then I guess I still need something like postgres and the init.db file to create the user I then include in the json? Can the connections exist only in the json before posting and get created that way? Or is the json only used as a filter for users and connections all of which are already existing in the container? /Rick Skickat: den 22 juni 2022 18:00 Till: user@guacamole.apache.org Ämne: Re: Guacamole/Json - trouble On Mon, Jun 13, 2022 at 12:40 PM Rick . mailto:rille_p...@hotmail.com>> wrote: Thanks to you too. So seems like user-mapping.xml is out and maybe json is back in then.. If I should avoid touching the properties file and overriding the GUACAMOLE_HOME to stay away from unpredictable things. What would be the steps to in my case enable json authentification? Like what would be the environment variable I should add in the compose to get the desired result? No need to copy the guacamole-auth-json-1.4.0.jar file anywhere? Perhaps somehow using its location in the container as an environment variable as well? In version 1.4.0 of the Docker image, providing the environment variable JSON_SECRET_KEY will automatically load the JSON extension in the Docker image and put the entry in the guacamole.properties file. There's another environment variable - JSON_TRUSTED_NETWORKS - that can also be specified and will result in the proper entry in guacamole.properties. I'm not sure how familiar you are with the JSON extension and how it works - it isn't just a JSON file on the filesystem - the extension allows you to pass JSON data in via a HTTP POST request to the Guacamole API , which contains a user who has been authenticated by an outside system, along with all of the connections that user should see in Guacamole Client. Also, this request must be properly signed, using the secret key, as documented in the manual. https://guacamole.apache.org/doc/gug/json-auth.html -Nick
Sv: Guacamole/Json - trouble
Sounds good and like I was hoping it would work. But I got confused by the "which contains a user who has been authenticated by an outside system" -part of a previous answer from you. And thought that meant the user first had to be created in another way. So back to tinkering 🙂 /Rick Från: Nick Couchman Skickat: den 28 juni 2022 22:32 Till: user@guacamole.apache.org Ämne: Re: Guacamole/Json - trouble On Tue, Jun 28, 2022 at 4:29 PM Rick . mailto:rille_p...@hotmail.com>> wrote: Thanks again. I'm onboard with the posting/curling of an encrypted json to the container. I just assumed I could use json to both add a user and connections to the container. But then I guess I still need something like postgres and the init.db file to create the user I then include in the json? Can the connections exist only in the json before posting and get created that way? Or is the json only used as a filter for users and connections all of which are already existing in the container? No, with the JSON extension you do not need the Postgres/MySQL/SQL Server extension - you can include both the user account information and the connection information all in the JSON data that you post to the extension, and Guacamole will provide those connections to the user. If, however, you want to create other connections in the database module and layer the JSON authentication on top of that, you can certainly do that, as well. But it isn't a requirement - the JSON module should be able to operate on its own without any other supporting modules, either for authentication or connection storage. -Nick
