
I have managed to set up LDAP authentication with my Active Directory server running Server 2016. I can authenticate to Guacamole perfectly with AD accounts.

Now comes assigning the AD users desktops. We are using RDP on all of the connections. What I would like to do is present each user with their own work desktop. I have managed to use the user-mappings.xml file to map a desktop to an LDAP user. But I have to add the plaintext password into the file, which isn't great from a security standpoint or if the user changes their password.

This is an example of what my user-mappings.xml looks like for an LDAP user:

    <authorize username="USERNAME" password="PASSWORD">
        <protocol>rdp</protocol>
        <param name="hostname">x.x.x.x</param>
        <param name="port">3389</param>
        <param name="security">tls</param>
    </authorize>

The problem is the USERNAME and PASSWORD part at the top. Is there any way that I can do this without specifying the username and password for the user?

Please could someone explain to me how I can assign LDAP users domain-joined desktops. I tried using a Google Docs tutorial, but when it came to editing the schema on Active Directory I got a load of errors. Does anyone have an up-to-date tutorial?

2 Answers

Parameter tokens

(http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens)

The values of connection parameters can contain "tokens" which will be replaced by Guacamole when used. These tokens allow the values of connection parameters to vary dynamically by the user using the connection, and provide a simple means of forwarding authentication information without storing that information in the connection configuration itself, so long as the remote desktop connection uses the same credentials as Guacamole.

Each token is of the form ${TOKEN_NAME}, where TOKEN_NAME is some descriptive name for the value the token represents. Tokens with no corresponding value will never be replaced, but should you need such text within your connection parameters, and wish to guarantee that this text will not be replaced with a token value, you can escape the token by adding an additional leading "$", as in "$${TOKEN_NAME}".

${GUAC_USERNAME}

The username of the current Guacamole user. When a user accesses a connection, this token will be dynamically replaced with the username they provided when logging in to Guacamole.

${GUAC_PASSWORD}

The password of the current Guacamole user. When a user accesses a connection, this token will be dynamically replaced with the password they used when logging in to Guacamole.

Zach

Use NLA security in the Guacamole user-mapping.xml: https://guacamole.apache.org/doc/0.9.0/gug/configuring-guacamole.html

LDAP: https://i12bretro.github.io/tutorials/0140.html --> You need to know how to use Attribute Editor on Active Directory to fill out the fields.

Go to http://yourserverhere:8080/guacamole

Log in with the admin user:

Delete:

    <param name="username">adminapg</param>
    <param name="password">ThePasswordHere</param>

------------------
# User-Mapping.xml

<user-mapping>
    <!-- The Guacamole login password is stored as a hash (md5 here; sha256 is also accepted), never in plaintext. -->
    <authorize
        username="admin"
        password="copy hash md5 here"
        encoding="md5">

        <connection name="CentOS7">
            <protocol>ssh</protocol>
            <param name="hostname">120.120.10.246</param>
            <param name="port">22</param>
            <param name="username">root</param>
        </connection>

        <connection name="Windows Server">
            <protocol>rdp</protocol>
            <param name="hostname">120.120.12.102</param>
            <param name="port">3389</param>
            <!-- RDP credentials are deliberately left out of the file. A leading "#" is not
                 an XML comment; use <!-- ... --> (as here) or remove the lines entirely. -->
            <!-- <param name="username">adminapg</param> -->
            <param name="security">nla</param>
            <param name="domain">thedomainhere.com</param>
            <param name="server-layout">en-us-qwerty</param>
            <!-- <param name="password">ThePasswordHere</param> -->
            <!-- ignore-cert disables validation of the RDP server certificate; only acceptable on a trusted network. -->
            <param name="ignore-cert">true</param>
        </connection>
    </authorize>
</user-mapping>
Swisstone