Docker compose project with keycloak and guacamole
./setup.sh
docker-compose up
Requires name resolution to work, so add the following entry to /etc/hosts:
127.0.1.1 guacamole.rfa.net keycloak.rfa.net
Please add init/guacamole.crt and init/keycloak.crt to your trusted certificates.
# Add the guacadmin user to keycloak with an email
docker exec guacamole-compose_keycloak_1 \
/opt/jboss/keycloak/bin/kcadm.sh \
create users \
-s username=guacadmin@guacadmin \
-s enabled=true \
-s email=guacadmin@guacadmin \
-r master \
--server https://keycloak.rfa.net:8443/auth \
--realm master \
--user admin \
--password admin
# Set the password
docker exec guacamole-compose_keycloak_1 \
/opt/jboss/keycloak/bin/kcadm.sh \
set-password \
--username guacadmin@guacadmin \
--new-password guacadmin \
-r master \
--server https://keycloak.rfa.net:8443/auth \
--realm master \
--user admin \
--password admin
# Make guacadmin an admin
docker exec guacamole-compose_keycloak_1 \
/opt/jboss/keycloak/bin/kcadm.sh \
add-roles \
--uusername guacadmin@guacadmin \
--rolename admin \
-r master \
--server https://keycloak.rfa.net:8443/auth \
--realm master \
--user admin \
--password admin
config/keycloak/guacamole-client.json
docker exec guacamole-compose_keycloak_1 \
/opt/jboss/keycloak/bin/kcadm.sh \
create clients \
--file guacamole-client.json \
-r master \
--server https://keycloak.rfa.net:8443/auth \
--realm master \
--user admin \
--password admin
In the current configuration: all query and read-roles.
Find all instances of rfa.net and replace them to your liking:
grep -R rfa.net | grep -v Binary
Please note: haproxy SNI requires unique certs for each backend, so you'll need separate certs for guacamole and keycloak.
Then browse to:
https://guacamole.rfa.net:8443/guacamole
Guacamole uses keycloak for identity, and uses postgres for authorization.
Guacamole's OpenID Connect ... removing the need for users to log into Guacamole
directly. This module must be layered on top of ... that provide connection
information ... database authentication ....
Because of this, users have to be added to both keycloak and postgres.
Reference: https://guacamole.apache.org/doc/gug/openid-auth.html
To add users to postgres, add them through the guacamole application.
https://guacamole.rfa.net:8443/guacamole
username: guacadmin@guacadmin
password: guacadmin
Upper right corner, username, settings
Middle top, users, left middle, new user
Make sure the username is in email format, make appropriate selections
Scroll down, continuing to make appropriate selections, then click save
NOTE: if a connection is under a subgroup, both the subgroup and connection must be checked for the user to create a connection.
Keycloak Administration Console
Scroll down, click users, view all users, add user
Make the keycloak user's email match the username and email of guacamole user
NOTE: The email of the keycloak user must match the username and email of the guacamole user.
Set the password
Why doesn't keycloak let you set the password when you create the user?!?
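Because a user has to exist in both Keycloak and the Guacamole database, and the Keycloak email must equal the Guacamole username, drift between the two is easy to introduce by hand. The following check is an added example, not part of this project: it takes the JSON that `kcadm.sh get users` returns and the list of Guacamole user names (both constructed samples here) and reports every mismatch. It assumes Guacamole maps the OpenID `email` claim to the Guacamole username, as described above.

```python
import json

# Constructed sample of `kcadm.sh get users -r master` output, trimmed to the relevant fields.
KEYCLOAK_USERS_JSON = """[
  {"username": "guacadmin@guacadmin", "email": "guacadmin@guacadmin", "enabled": true},
  {"username": "alice@rfa.net", "email": "alice@rfa.net", "enabled": true},
  {"username": "bob@rfa.net", "email": "bob.smith@rfa.net", "enabled": true},
  {"username": "carol@rfa.net", "enabled": false}
]"""

# Constructed sample of Guacamole user names, e.g. the name column of guacamole_entity
# where type = 'USER' (what `psql -At` would print).
GUACAMOLE_USERS = ["guacadmin@guacadmin", "alice@rfa.net", "bob@rfa.net", "dave@rfa.net"]


def check_identity_mapping(keycloak_json, guacamole_users):
    """Compare Keycloak accounts with Guacamole accounts and return the problems found.

    Keycloak users are keyed by email, because that is the claim Guacamole uses as
    the login name (assumption stated in the lead-in)."""
    problems = {
        "no_email": [],             # Keycloak user cannot log into Guacamole at all
        "email_mismatch": [],       # Keycloak email differs from Keycloak username
        "missing_in_guacamole": [], # login would succeed at Keycloak, fail at Guacamole
        "missing_in_keycloak": [],  # Guacamole account nobody can reach via OpenID
    }
    kc_by_email = {}
    for user in json.loads(keycloak_json):
        email = user.get("email")
        if not email:
            problems["no_email"].append(user["username"])
            continue
        if email != user["username"]:
            problems["email_mismatch"].append((user["username"], email))
        kc_by_email[email] = user

    guac = set(guacamole_users)
    for email in kc_by_email:
        if email not in guac:
            problems["missing_in_guacamole"].append(email)
    for name in sorted(guac):
        if name not in kc_by_email:
            problems["missing_in_keycloak"].append(name)
    return problems


if __name__ == "__main__":
    for kind, entries in check_identity_mapping(KEYCLOAK_USERS_JSON, GUACAMOLE_USERS).items():
        print(f"{kind}: {entries}")
```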
Upper right corner, username, settings
Middle top, connections, left, new connection
Make an SSH connection
- Name: some-name
- Location: the-group
- Protocol: SSH
- Max number of connections: 2
- Max number of connections per user: 2
Set the host
Scroll Down, under the Network Section set the host
https://guacamole.apache.org/doc/gug/using-guacamole.html
docker-compose down
./teardown.sh
- https://github.com/airaketa/guacamole-docker-compose/tree/5aac1dccbd7b89b54330155270a4684829de1442
- https://lemonldap-ng.org/documentation/latest/applications/guacamole
- https://guacamole.apache.org/doc/gug/administration.html#connection-management
- https://jasoncoltrin.com/2017/10/04/setup-guacamole-remote-desktop-gateway-on-ubuntu-with-one-script/