Installing MariaDB for Guacamole Authentication

CentOS and RHEL both provide a package for the MariaDB database server called "mariadb-server". Installing this package will install a version of MariaDB that is explicitly supported by Keeper Connection Manager. If you do not have an existing database instance or third-party database hosting provider that you would prefer to use, installing a fresh instance of MariaDB for use by Guacamole will work nicely:

$ sudo yum install mariadb-server

As with other standard CentOS / RHEL packages providing a service, the MariaDB service will not be started by default after the "mariadb-server" package is installed. It must be started manually, and then configured to automatically start if the system is rebooted:

$ sudo systemctl start mariadb
$ sudo systemctl enable mariadb

Dropping default anonymous users

If MariaDB is installed locally (on the same server as Apache Guacamole), its default configuration will prevent Guacamole from authenticating. This is due to the way that MariaDB handles authentication and anonymous database users: if an anonymous user is defined for the same hostname/address, MariaDB will use only the anonymous user, and authentication using a non-anonymous user and password from the same hostname/address will fail.

This can be checked by querying MariaDB's user table directly:

SELECT Host, User FROM mysql.user;

Any users with empty usernames in the results of the above query are anonymous users which may block authentication from succeeding:

+---------------------+----------------+
| Host                | User           |
+---------------------+----------------+
| %                   | guacamole_user |
| 127.0.0.1           | root           |
| ::1                 | root           |
| the.server.hostname |                |
| the.server.hostname | root           |
| localhost           |                |
| localhost           | root           |
+---------------------+----------------+

Dropping those users should allow non-anonymous authentication from those same hosts to succeed:

DROP USER ''@'localhost';
DROP USER ''@'the.server.hostname';
FLUSH PRIVILEGES;

Pointing Guacamole at the new MariaDB instance

Once MariaDB has been deployed, you should move forward with configuring Guacamole to use your new MariaDB instance. This process is documented in its entirety, and the default /etc/guacamole/guacamole.properties file also contains placeholders and comments to help guide administrators to the correct configuration properties. Overall, the process will involve:

  • Installing the package providing MySQL / MariaDB support (kcm-guacamole-auth-jdbc-mysql).

  • Creating a new database within your MariaDB instance using the provided schema files.

  • Creating a database user that Guacamole can use to execute queries against your database.

  • Editing /etc/guacamole/guacamole.properties to point Guacamole at your database (and to specify the credentials of the database user it should use).

Last updated