Contents x
    PIAM Installation
    • 23 May 2024
    • 8 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    PIAM Installation

    • Updated on 23 May 2024
    • 8 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Article summary

    Install CIPAM Server

    • Log in to the Compute Instance over SSH or Lish.

    • Install all required dependencies. For Debian users, replace libjpeg-turbo8-dev with libjpeg62-turbo-dev.

    Required dependencies

    To build a CPAM server, you will need Cairo, libjpeg (or libjpeg-turbo), libpng, and libuuid (or the OSSP UUID library). These libraries are strictly required in all cases.

    1. Download the Guacamole source code.

      https://guacamole.apache.org/releases/1.5.0/

      https://archive.apache.org/dist/guacamole/1.5.0/source/guacamole-client-1.5.0.tar.gz

      https://archive.apache.org/dist/guacamole/1.5.0/source/guacamole-server-1.5.0.tar.gz

    2. Extract the file and navigate to its directory.

      tar -xvf guacamole-client-1.5.0.tar.gz

      tar -xvf guacamole-server-1.5.0.tar.gz

    3. Build the CPAM Server using the downloaded source files(CIPAM Guacamole server directory).

      sudo ./configure --with-init-dir=/etc/init.d --enable-allow-freerdp-snapshots

      sudo make

      sudo make install

    4. Update the installed library cache and reload the system

      sudo ldconfig

      sudo systemctl daemon-reload

    5. Start guacd

      sudo systemctl start guacd

      sudo systemctl enable guacd

      Create a directory to store CPAM configuration files and extensions. These directories are used in later steps.

    sudo mkdir -p /etc/guacamole/{extensions,lib}

    Install CIPAM Web App

    1. Install Apache Tomcat.

    2. Download the CPAM Client

      https://archive.apache.org/dist/guacamole/1.5.0/binary/guacamole-1.5.0.war

    3. Move the client to the Tomcat web directory.

      sudo mv guacamole-1.3.0.war /var/lib/tomcat9/webapps/guacamole.war

    4. Restart both Apache Tomcat and Guacd.

      sudo systemctl restart tomcat9 guacd

    Setting up Database Authentication

    While CPAM does support basic user authentication via a user-mapping.xml file, it should only be used for testing. For this guide, we will use production-ready database authentication through MySQL/MariaDB.

    1. Install either MySQL or MariaDB on your system.

      sudo apt install mariadb-server

    2. Run the following command to perform the initial security configuration:

      sudo mysql_secure_installation

      Before populating the database, install the MySQL Connector/J library and Guacamole JDBC authenticator plugin.

    3. Download the MySQL Connector/J (Java Connector). For this guide, download the platform-independent archived file.

      wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-8.0.26.tar.gz

    4. Extract the tar file and copy it to /etc/guacamole/lib/.

      tar -xf mysql-connector-java-8.0.26.tar.gz

      sudo cp mysql-connector-java-8.0.26/mysql-connector-java-8.0.26.jar /etc/guacamole/lib/

    5. Download the JDBC auth plugin for Apache Guacamole. This file can be found at http://guacamole.apache.org/releases/ by selecting the release version and then locating the “jdbc” file.

      https://archive.apache.org/dist/guacamole/1.5.0/binary/guacamole-auth-jdbc-1.5.0.tar.gz

    6. Extract the tar file and copy it to /etc/guacamole/extensions/.t

      tar -xf guacamole-auth-jdbc-1.3.0.tar.gz

      sudo mv guacamole-auth-jdbc-1.3.0/mysql/guacamole-auth-jdbc-mysql-1.3.0.jar /etc/guacamole/extensions/

    7. Log in to mysql as the root user.

      mysql -u root -p

      The prompt should change again to MySQL>.

    8. While in the mysql prompt, change the root password, create a database, and create a new user for that database. When running the below commands, replace any instance of password with a secure password string for the mysql root user and the new user for your database, respectively.

      ALTER USER 'root'@'localhost' IDENTIFIED BY 'password';

      CREATE DATABASE guacamole_db;

      CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'password';

      GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';

      FLUSH PRIVILEGES;

      Exit the MySQL prompt by typing quit.

    9. Locate the scheme files in the extracted directory for the JDBC plugin.

      cd guacamole-auth-jdbc-1.3.0/mysql/schema

    10. Import those sql schema files into the MySQL database.

      cat *.sql | mysql -u root -p guacamole_db

    11. Create the properties file for CPAM.

      sudo nano /etc/guacamole/guacamole.properties 

    Extension Directory

    Lib Directory

    1. Restart all related services.

      sudo systemctl restart tomcat9 guacd mysql

    Access CIPAM in a Browser

    CPAM should now be accessible through a web browser. Open your preferred web browser on your local computer.

    Navigate to the URL: [ip]:8080/guacamole, replacing *[ip] with the IP address of your Linode. This will display the login prompt.

    With SSL

    1. Create a new Admin user.

      Note:

      Before continuing with configuring CPAM, it’s recommended that you create a new admin account and delete the original.

      • Click the guacadmin user dropdown menu on the top right and select Settings.

      • Navigate to the Users tab and click the New User button.

      • Under the Edit User section, enter your preferred username and a secure password.

      • Under the Permissions section, check all the permissions.

      • Click Save to create a new user.

      • Log out of the current user and log in as the newly created user.

      • Click your username on the top left and select Settings from the dropdown menu.

      • Navigate to the Users tab and click the guacadmin user.

      • At the bottom of the Edit User screen, click Delete to remove the default user.

    2. Create an SSH Connection

      To test CPAM, create a new connection in CPAM that opens up an SSH connection to the server.

      • After logging in to CPAM, click your username on the top left and select Settings from the dropdown menu.

      • Navigate to the Connections tab and click New Connection.

      • Under Edit Connection, enter a name for your new connection (such as “Guacamole SSH”) and select SSH as the Protocol.

    If you do not wish to build Apache Guacamole entirely from the source, pre-built versions of the web application (.war) and all extensions are provided in binary form for convenience. Please note that the guacamole server must still be built and installed from the source.

    Enabling SAML

    SAML is a widely implemented and used Single Sign On (SSO) provider that allows applications and services to authenticate in a standard way and brokers those authentication requests to one or more back-end authentication providers. The SAML authentication extension allows CPAM to redirect to a SAML Identity Provider (IdP) for authentication and user services. This module does not provide any capability for storing or retrieving connections and must be layered with other authentication extensions that provide connection management.

    Download the SAML authentication extension

    CPAM’s SSO extensions are available separately from the main guacamole.war. The SSO extensions are packaged together in .tar.gz  file containing one extension for each supported SSO method:

    SSO Method

    Extension

    CAS

    cas/guacamole-auth-sso-cas-1.5.1.jar 

    Open ID Connect

    openid/guacamole-auth-sso-openid-1.5.1.jar 

    SAML

    saml/guacamole-auth-sso-saml-1.5.1.jar 

    The extension for the desired SSO method, in this case, guacamole-auth-sso-saml-1.5.1.jar from within the saml/ subdirectory, must ultimately be placed in GUACAMOLE_HOME/extensions.

    Installing SAML authentication

    Guacamole extensions are self-contained .jar files located within the GUACAMOLE_HOME/extensions directory. If you are unsure where GUACAMOLE_HOME is located on your system, please consult Configuring Guacamole before proceeding.

    To install the SAML authentication extension, you must:

    1. Create the GUACAMOLE_HOME/extensions directory, if it does not already exist.

    1. Copy guacamole-auth-sso-saml-1.5.1.jar within GUACAMOLE_HOME/extensions.

    1. Configure Guacamole to use SAML authentication, as described below.

    Configuring CPAM for SAML Authentication

    The SAML authentication extension provides several configuration properties to set it up to talk to the IdP. The SAML IdP also must be configured with CPAM as a Service Provider (SP).

    saml-idp-metadata-url

    The URI of the XML metadata file from the SAML Identity Provider contains all of the information the SAML extension needs to know how to authenticate with the IdP. This URI can either be a remote server (e.g. https://) or a local file on the filesystem (e.g. file://). Often the metadata file contains most of the required properties for SAML authentication and the other parameters are not required.

    saml-idp-url

    The base URL of the SAML IdP. This URL SAML authentication extension will be used to redirect when requesting SAML authentication. If the saml-idp-metadata-url property is provided, this parameter will be ignored. If the metadata file is not provided this property is required.

    saml-entity-id

    The entity ID of the Guacamole SAML client, which is generally the URL of the Guacamole server, is not required to be so. This property is required if either the saml-idp-metadata-url property is not specified, or if the provided metadata file does not contain the SAML SP Entity ID for Guacamole Client.

    saml-callback-url

    The URL that the IdP will use once authentication has succeeded to return to the CPAM web application and provide the authentication details to the SAML extension. The SAML extension currently only supports callback as a POST operation to this callback URL. This property is required.

    saml-strict

    Require strict security checks during SAML logins. This will ensure that valid certificates are present for all interactions with SAML servers and fail SAML authentication if security restrictions are violated. This property is optional and will default to true, requiring strict security checks. This property should only be set to false in non-production environments during testing of SAML authentication.

    saml-debug

    Enable additional logging within the supporting SAML library that can assist in tracking down issues during SAML logins. This property is optional and will default to false (no debugging).

    saml-compress-request

    Enable compression of the HTTP requests sent to the SAML IdP. This property is optional and will default to true (compression enabled).

    saml-compress-response

    Request that the SAML response returned by the IdP be compressed. This property is optional and will default to true (compression will be requested).

    saml-group-attribute

    The name of the attribute provided by the SAML IdP contains the user’s group membership. These groups will be parsed and used to map the group membership of the user logging in, which can be used for permissions management within Guacamole Client, particularly when layered with other authentication modules. This property is optional, and defaults to “groups”.

    Controlling login behaviour

    CPAM loads authentication extensions in order of priority and evaluates authentication attempts in the same order.

    If the SSO extension has priority:

    Users who are not yet authenticated will be immediately redirected to the configured identity provider. They will not see a Guacamole login screen.

    If a non-SSO extension has priority:

    Users who are not yet authenticated will be presented with a Guacamole login screen. Additionally, links to the configured identity provider(s) will be available for users who wish to log in using SSO.

    The default priority of extensions is dictated by their filenames, with extensions that sort earlier alphabetically having higher priority than others. This can be overridden by setting the extension-priority property within guacamole.properties.

    Automatically redirecting all unauthenticated users

    To ensure users are redirected to the SAML identity provider immediately (without a CPAM login screen), ensure the SAML extension has priority over all others:

    extension-priority:*,saml

    Presenting unauthenticated users with a login screen

    To ensure users are given a normal Guacamole login screen and have the option to log in with traditional credentials or with SAML, ensure the SAML extension does not have priority:

    extension-priority: *,saml

    Installing the Recording storage extension

    Guacamole extensions are self-contained .jar files located within the GUACAMOLE_HOME/extensions directory. To install the recording storage extension, you must:

    1. Create the GUACAMOLE_HOME/extensions directory if it does not already exist.

    2. Copy guacamole-history-recording-storage-1.5.1.jar within GUACAMOLE_HOME/extensions.

    3. Configure your connections to store their recordings within the path searched by the recording storage extension, as described below.

    Preparing a directory for recording storage

    By default, the recording storage extension will search within /var/lib/guacamole/recordings for the recordings associated with a connection. Unless you or a third-party installation tool have created this directory, this directory will not exist, and you will need to create it manually:

    mkdir -p /var/lib/guacamole/recordings 

    You can also use another directory of your choice if you override the default location using the recording-search-path property.

    sudo apt install build-essential libcairo2-dev libjpeg-turbo8-dev \

    libpng-dev libtool-bin libossp-uuid-dev libvncserver-dev \

    freerdp2-dev libssh2-1-dev libtelnet-dev libwebsockets-dev \

    libpulse-dev libvorbis-dev libwebp-dev libssl-dev \

    libpango1.0-dev libswscale-dev libavcodec-dev libavutil-dev \

    libavformat-dev

    References

    https://guacamole.apache.org/doc/gug/recording-playback.html

    https://www.linode.com/docs/guides/installing-apache-guacamole-on-ubuntu-and-debian/#create-an-ssh-connection

    https://www.layerstack.com/resources/tutorials/How-to-install-Apache-Guacamole-on-Ubuntu-and-Debian

    https://guacamole.apache.org/releases/1.5.0/

    https://guacamole.apache.org/doc/gug/

    https://guacamole.apache.org/doc/gug/saml-auth.html

    Was this article helpful?
    What's Next
    Products
    Resources
    Solutions
    Quick Links
    Connect With Us
    Sales and Support
    © Copyright 2023 Cross Identity