Installing PostgreSQL for Guacamole Authentication

Instructions for installing PostgreSQL for use as Guacamole's authentication database

CentOS and RHEL both provide a package for the PostgreSQL database server called "postgresql-server". Installing this package will install a version of PostgreSQL that is explicitly supported by Keeper Connection Manager. If you do not have an existing database instance or third-party database hosting provider that you would prefer to use, installing a fresh instance of PostgreSQL for use by Guacamole will work nicely:

$ sudo yum install postgresql-server

As with other standard CentOS / RHEL packages providing a service, the PostgreSQL service will not be started by default after the "postgresql-server" package is installed. However, if you attempt to start the PostgreSQL service now, the service will fail to start as PostgreSQL's database has not yet been created and initialized. This must be done manually with the "postgresql-setup" command:

$ sudo postgresql-setup initdb

Once the database has been initialized, the service can be safely started and configured to start automatically if the system is rebooted:

$ sudo systemctl start postgresql
$ sudo systemctl enable postgresql

Configuring PostgreSQL to accept password authentication locally

If PostgreSQL is installed locally (on the same server as Apache Guacamole), its default configuration will prevent Guacamole from authenticating. This is because PostgreSQL can be configured to use different authentication mechanisms for connections coming from different networks or addresses, and the default configuration uses "ident" authentication for connections from the local machine. The "ident" method is incompatible with providing a database username and password via TCP, which will result in Guacamole being unable to connect to PostgreSQL.

Edit PostgreSQL's client authentication configuration file, /var/lib/pgsql/data/pg_hba.conf, looking for the lines which associate the IPv4 or IPv6 loopback addresses with "ident":

host    all     all     127.0.0.1/32    ident
host    all     all     ::1/128         ident

The keyword ident should be changed to md5 to allow username/password authentication for local connections:

host    all     all     127.0.0.1/32    md5
host    all     all     ::1/128         md5

PostgreSQL will then need to be restarted to apply these changes:

$ sudo systemctl restart postgresql
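
The pg_hba.conf edit described above, rehearsed on a copy of the file. This is an added example, not part of the original documentation. It rewrites only the two loopback "host" rules and reports which method each one uses; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample file are constructed.

# Print "lineno: method" for each loopback "host" rule (IPv4 and IPv6).
loopback_methods() {
    awk '$1 == "host" && ($4 == "127.0.0.1/32" || $4 == "::1/128") {
             print NR ": " $5
         }' "$1"
}

# Emit the file with ident replaced by md5 on loopback host rules only.
# Comments, "local" socket rules and other addresses pass through unchanged;
# a rule with options after the method is left alone for manual review.
rewrite_loopback_ident() {
    awk '$1 == "host" && ($4 == "127.0.0.1/32" || $4 == "::1/128") && $5 == "ident" {
             sub(/ident[ \t]*$/, "md5")
         }
         { print }' "$1"
}

# Succeed (exit 0) only when no loopback host rule still uses ident.
loopback_password_ready() {
    ! loopback_methods "$1" | grep -q ': ident$'
}

# Constructed sample standing in for a copy of pg_hba.conf.
sample=$(mktemp)
fixed=$(mktemp)
trap 'rm -f "$sample" "$fixed"' EXIT
cat > "$sample" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   ident
host    all       all   ::1/128        ident
#host   all       all   127.0.0.1/32   ident
host    all       all   10.0.0.0/8     ident
EOF

rewrite_loopback_ident "$sample" > "$fixed"
echo "before:"; loopback_methods "$sample"
echo "after:";  loopback_methods "$fixed"
loopback_password_ready "$fixed" && echo "loopback rules accept passwords"
```

Running loopback_password_ready against the real file after the restart confirms that no loopback rule was missed.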

Pointing Guacamole at the new PostgreSQL instance

Once PostgreSQL has been deployed, you should move forward with configuring Guacamole to use your new PostgreSQL instance. This process is documented in its entirety, and the default /etc/guacamole/guacamole.properties file also contains placeholders and comments to help guide administrators to the correct configuration properties. Overall, the process will involve:

  • Installing the package providing PostgreSQL support (kcm-guacamole-auth-jdbc-postgresql).

  • Creating a new database within your PostgreSQL instance using the provided schema files.

  • Creating a database user that Guacamole can use to execute queries against your database.

  • Editing /etc/guacamole/guacamole.properties to point Guacamole at your database (and to specify the credentials of the database user it should use).
