Examples. Guacamole
Guacamole is an HTML5 web application that provides access to desktop environments using remote desktop protocols (such as VNC or RDP). This page shows how you can configure Apache Guacamole to authenticate users and add remote desktop configurations with Glim. Apache Guacamole's documentation provides full information about LDAP configuration. Here we offer a full example where Glim stores both the users to be authenticated and the guacConfigGroup entries that define how remote desktop connections are set up. In this example, MySQL is not used, only Glim.
NOTE: Glim cannot talk with Apache Guacamole using TLS (see issue #72), so we'll run Glim's LDAP server without encryption using the --ldap-no-tls flag.
NOTE: Glim must be started with the --guacamole flag to show Guacamole information when we create, read or update groups.
This is a sample Glim server start:
GLIM_API_SECRET="secret" ./glim server start --ldap-no-tls --guacamole
Following the Guacamole documentation, we'll use Docker to launch guacd and Guacamole. First, guacd:
docker run --name some-guacd -d -p 4822:4822 guacamole/guacd
The Guacamole container is launched with environment variables that are documented at https://guacamole.apache.org/doc/gug/ldap-auth.html:
docker run -d -e LDAP_HOSTNAME=192.168.1.136 -e LDAP_PORT=1636 -e LDAP_ENCRYPTION_METHOD="none" -e LDAP_USER_BASE_DN="ou=Users,dc=example,dc=org" -e LDAP_GROUP_BASE_DN="ou=Groups,dc=example,dc=org" -e LDAP_SEARCH_BIND_DN="cn=search,dc=example,dc=org" -e LDAP_SEARCH_BIND_PASSWORD="test" -e LDAP_USERNAME_ATTRIBUTE="uid" -e LDAP_CONFIG_BASE_DN="ou=Groups,dc=example,dc=org" -p 8080:8080 --name some-guacamole --link some-guacd:guacd guacamole/guacamole
Now that our servers are running, we can add remote desktop configurations using Glim commands. We'll create groups that carry Guacamole configurations (protocol and connection parameters):
./glim group create -g guac-test -d "Guacamole Test" -m "mcabrerizo" --guacamole-protocol vnc --guacamole-parameters "hostname=localhost,port=5900,password=secret"
./glim group create -g guac-test-2 -d "Guacamole Test 2" -m "mcabrerizo" --guacamole-protocol vnc --guacamole-parameters "hostname=192.168.1.136,port=5900,password=secret"
./glim group create -g guac-test-3 -d "Guacamole Test 3" -m "mcabrerizo" --guacamole-protocol vnc --guacamole-parameters "hostname=192.168.1.136,port=22,password=secret"
With the above commands, members of these groups can see connections ready to be used from Apache Guacamole's web interface.
Glim can give us details about the new group:
Group: guac-test
====
GID: 7
Description: Guacamole Test
Members:
====
UID: 3
Username: mcabrerizo
----
Apache Guacamole Configuration:
====
Protocol: vnc
Parameters:
- hostname=localhost
- port=5900
- password=secret
----
If we now go to Apache Guacamole's web UI, we can log in with a user stored in Glim and see the connections, also stored in Glim, ready to be used:
Sample log showing a successful authentication, user information retrieval and group lookups:
2022-10-15T21:44:13+02:00 [Glim] ⇨ connected to database...
2022-10-15T21:44:13+02:00 [Glim] ⇨ connected to key-value store...
2022-10-15T21:44:13+02:00 [Glim] ⇨ enabled support for Apache Guacamole...
2022-10-15T21:44:13+02:00 [Glim] ⇨ starting LDAP server in address :1636...
2022-10-15T21:44:13+02:00 [Glim] ⇨ starting REST API in address :1323...
2022-10-15T21:44:34+02:00 [LDAP] ⇨ serving LDAPS connection from 172.17.0.7:42460
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind requested by client: 172.17.0.7:42460
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind protocol version: 3 client 172.17.0.7:42460
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind name: cn=search,dc=example,dc=org client 172.17.0.7:42460
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind password: ********** client 172.17.0.7:42460
2022-10-15T21:44:34+02:00 [LDAP] ⇨ success: valid credentials provided
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search requested by client 172.17.0.7:42460
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search base object: ou=Users,dc=example,dc=org
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search scope: wholeSubtree
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search maximum number of entries to be returned (0 - No limit restriction): 1000
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search maximum time limit (0 - No limit restriction): 30
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search show types only: false
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search filter: (&(|(memberOf=cn=guac-test,ou=Groups,dc=example,dc=org)(memberOf=cn=guac-test-2,ou=Groups,dc=example,dc=org))(|(uid=mcabrerizo)))
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search attributes: dn
2022-10-15T21:44:34+02:00 [LDAP] ⇨ connection closed by client 172.17.0.7:42460
2022-10-15T21:44:34+02:00 [LDAP] ⇨ serving LDAPS connection from 172.17.0.7:42476
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind requested by client: 172.17.0.7:42476
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind protocol version: 3 client 172.17.0.7:42476
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind name: uid=mcabrerizo,ou=Users,dc=example,dc=org client 172.17.0.7:42476
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind password: ********** client 172.17.0.7:42476
2022-10-15T21:44:34+02:00 [LDAP] ⇨ success: valid credentials provided
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search requested by client 172.17.0.7:42476
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search base object: ou=Groups,dc=example,dc=org
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search scope: wholeSubtree
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search maximum number of entries to be returned (0 - No limit restriction): 1000
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search maximum time limit (0 - No limit restriction): 30
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search show types only: false
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search filter: (&(&(objectClass=*)(!(objectClass=guacConfigGroup)))(|(member=uid=mcabrerizo,ou=Users,dc=example,dc=org)))
2022-10-15T21:44:34+02:00 [LDAP] ⇨ search attributes: member cn
2022-10-15T21:44:34+02:00 [LDAP] ⇨ connection closed by client 172.17.0.7:42476
2022-10-15T21:44:34+02:00 [LDAP] ⇨ serving LDAPS connection from 172.17.0.7:42490
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind requested by client: 172.17.0.7:42490
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind protocol version: 3 client 172.17.0.7:42490
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind name: uid=mcabrerizo,ou=Users,dc=example,dc=org client 172.17.0.7:42490
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind password: ********** client 172.17.0.7:42490
2022-10-15T21:44:35+02:00 [LDAP] ⇨ success: valid credentials provided
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search requested by client 172.17.0.7:42490
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search base object: ou=Users,dc=example,dc=org
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search scope: wholeSubtree
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search maximum number of entries to be returned (0 - No limit restriction): 1000
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search maximum time limit (0 - No limit restriction): 30
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search show types only: false
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search filter: (&(|(memberOf=cn=guac-test,ou=Groups,dc=example,dc=org)(memberOf=cn=guac-test-2,ou=Groups,dc=example,dc=org))(|(uid=*)))
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search attributes: uid
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search requested by client 172.17.0.7:42490
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search base object: ou=Groups,dc=example,dc=org
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search scope: wholeSubtree
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search maximum number of entries to be returned (0 - No limit restriction): 1000
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search maximum time limit (0 - No limit restriction): 30
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search show types only: false
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search filter: (&(&(objectClass=*)(!(objectClass=guacConfigGroup)))(|(cn=*)))
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search attributes: member cn
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search requested by client 172.17.0.7:42490
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search base object: ou=Groups,dc=example,dc=org
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search scope: wholeSubtree
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search maximum number of entries to be returned (0 - No limit restriction): 1000
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search maximum time limit (0 - No limit restriction): 30
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search show types only: false
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search filter: (&(&(objectClass=*)(!(objectClass=guacConfigGroup)))(|(member=uid=mcabrerizo,ou=Users,dc=example,dc=org)))
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search attributes: member cn
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search requested by client 172.17.0.7:42490
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search base object: ou=Groups,dc=example,dc=org
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search scope: wholeSubtree
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search maximum number of entries to be returned (0 - No limit restriction): 1000
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search maximum time limit (0 - No limit restriction): 30
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search show types only: false
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search filter: (&(objectClass=guacConfigGroup)(|(member=uid=mcabrerizo,ou=Users,dc=example,dc=org)(seeAlso=cn=devel,ou=Groups,dc=example,dc=org)(seeAlso=cn=gitea-admins,ou=Groups,dc=example,dc=org)(seeAlso=cn=one,ou=Groups,dc=example,dc=org)(seeAlso=cn=oneadmin,ou=Groups,dc=example,dc=org)))
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search attributes: guacConfigParameter guacConfigProtocol cn seeAlso
2022-10-15T21:44:35+02:00 [LDAP] ⇨ connection closed by client 172.17.0.7:42490
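As an added example, not part of this page or the Glim project: a small Python audit of the bind-then-lookup flow visible in the log above. It groups the [LDAP] lines by client connection and reports which connections searched guacConfigGroup entries (the entries that carry connection parameters such as password=secret), marking whether each lookup came from a successfully bound user under LDAP_USER_BASE_DN as in the flow above. The log excerpt is constructed in the shape of the one above, the third connection is an assumed deviation, and USER_BASE_DN mirrors the docker run setting.

```python
import re

# Constructed log excerpt in the shape of the Glim [LDAP] log on this page (not the page's
# own log). The third connection is a constructed deviation: the search account, not the
# logged-in user, asks for guacConfigGroup entries, which carry connection parameters.
SAMPLE_LOG = """\
2022-10-15T21:44:34+02:00 [LDAP] ⇨ serving LDAPS connection from 172.17.0.7:42460
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind name: cn=search,dc=example,dc=org client 172.17.0.7:42460
2022-10-15T21:44:34+02:00 [LDAP] ⇨ success: valid credentials provided
2022-10-15T21:44:34+02:00 [LDAP] ⇨ serving LDAPS connection from 172.17.0.7:42490
2022-10-15T21:44:34+02:00 [LDAP] ⇨ bind name: uid=mcabrerizo,ou=Users,dc=example,dc=org client 172.17.0.7:42490
2022-10-15T21:44:35+02:00 [LDAP] ⇨ success: valid credentials provided
2022-10-15T21:44:35+02:00 [LDAP] ⇨ search filter: (&(objectClass=guacConfigGroup)(|(member=uid=mcabrerizo,ou=Users,dc=example,dc=org)))
2022-10-15T21:45:02+02:00 [LDAP] ⇨ serving LDAPS connection from 172.17.0.9:50001
2022-10-15T21:45:02+02:00 [LDAP] ⇨ bind name: cn=search,dc=example,dc=org client 172.17.0.9:50001
2022-10-15T21:45:02+02:00 [LDAP] ⇨ success: valid credentials provided
2022-10-15T21:45:02+02:00 [LDAP] ⇨ search filter: (&(objectClass=guacConfigGroup)(|(cn=*)))
"""

USER_BASE_DN = "ou=Users,dc=example,dc=org"  # assumed: LDAP_USER_BASE_DN from the docker run above
ADDR = re.compile(r"(?:from|client:?) (\d+\.\d+\.\d+\.\d+:\d+)$")  # lines that name a client
MSG = re.compile(r"^\S+ \[LDAP\] ⇨ (.*)$")  # timestamp, [LDAP] tag, arrow, message

def parse_sessions(log_text):
    # One dict per client connection; address-less lines go to the most recent connection.
    sessions, cur = {}, None
    for line in log_text.splitlines():
        m = MSG.match(line)
        if not m:
            continue
        msg = m.group(1)
        a = ADDR.search(msg)
        if a:
            cur = a.group(1)
            sessions.setdefault(cur, {"client": cur, "bind_dn": None, "bind_ok": False, "filters": []})
        if cur is None: continue
        s = sessions[cur]
        if msg.startswith("bind name: "):
            s["bind_dn"] = msg[len("bind name: "):].rsplit(" client ", 1)[0]
        elif msg.startswith("success: valid credentials"):
            s["bind_ok"] = True
        elif msg.startswith("search filter: "):
            s["filters"].append(msg[len("search filter: "):])
    return list(sessions.values())

def config_group_lookups(sessions):
    # (client, bind_dn, expected): expected is True only for a successfully bound user entry
    return [(s["client"], s["bind_dn"],
             s["bind_ok"] and (s["bind_dn"] or "").endswith("," + USER_BASE_DN))
            for s in sessions if any("(objectClass=guacConfigGroup)" in f for f in s["filters"])]
```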
The Glim Project - 2022