Advanced Configuration
Advanced configuration and custom integration options
Apache Guacamole is configured using files within the /etc/guacamole directory, commonly referred to as GUACAMOLE_HOME. The two primary components of the Apache Guacamole stack, guacd and the Guacamole web application, both have their own dedicated configuration files within /etc/guacamole. Keeper Connection Manager includes default, skeleton versions of these files.
The configuration file for the Apache Guacamole proxy daemon, "guacd". This file and the guacd service are provided by the kcm-guacd package.
The configuration file for the Apache Guacamole web application. This file and the Guacamole web application are provided by the kcm package.
A YAML file describing the LDAP servers available to authenticate Guacamole users. As the full details of a single LDAP server can be described using guacamole.properties, this file is primarily of use if multiple LDAP servers need to be used, particularly if the set of users available may vary by LDAP server. A skeleton version of this file is provided by the kcm-guacamole-auth-ldap package.
An XML mapping of users to connections which Apache Guacamole can use by default without any additional extensions, primarily intended for initial testing. A skeleton version of this file is provided by the kcm package.
Production use of this file is not recommended.
Installing and configuring included extensions
Supported extensions, such as those provided by the Keeper Connection Manager packages, are installed through installing their corresponding packages. If you are using the keeper/guacamole Docker image, extensions are automatically installed using the above packages depending on the environment variables provided when the container is first started.
The Keeper Connection Manager packages for supported extensions will automatically create symbolic links to install themselves and any needed libraries/drivers. You do not need to manually create links, copy files, etc. for the extensions which are provided within the Keeper Connection Manager repository.
Installing custom / third-party extensions
Custom extensions, such as custom branding provided as part of a Keeper Connection Manager subscription, are installed by placing their corresponding .jar files within /etc/guacamole/extensions. If those extensions require additional libraries, such as JDBC drivers, the .jar files for those libraries are placed within /etc/guacamole/lib.
/etc/guacamole/extensions/
The directory in which extension .jar files should be placed. Tomcat must be restarted after extension .jar files are added or removed.
/etc/guacamole/lib/
The directory in which library .jar files required by installed extensions should be placed. Libraries within this directory will be available within the classpath for all extensions.
Note that support is not provided for custom extensions with the following exceptions:
Applying custom branding
Custom branding is applied through branding extensions, such as the branding extensions we provide on request as part of a Keeper Connection Manager subscription. If you have a custom branding extension and wish to apply that branding to your deployment of Keeper Connection Manager, you must:
Remove the symbolic link to the default Keeper Connection Manager branding, located at
/etc/guacamole/extensions/_kcm-branding.jar. Thekcm-guacamolepackage considers the existence/absence of this link to be an aspect of configuration and is designed to allow this symbolic link to be removed. If using the keeper/guacamole Docker image, this can also be accomplished by setting theUSE_DEFAULT_BRANDINGenvironment variable to "N".Copy the extension's .jar file to
/etc/guacamole/extensions/.Restart Tomcat
You may need to clear cache within browsers that have already visited your deployment.
Custom Branding
Customization of the Keeper Connection Manager user interface
Keeper Connection Manager supports customization of the front-end user interface CSS and injection of custom Javascript. In this guide, we will demonstrate how to modify the web application to display customized branding and execute custom Javascript code.
Overview
Keeper Connection Manager provides the ability to develop "Extensions" which can add custom enhancements to the overall platform. This page covers a basic example which can be easily modified for branding and UI changes.
Extensions to Keeper Connection Manager can:
Provide alternative authentication methods and sources of connection/user data.
Provide event listeners that will be notified as Guacamole performs tasks such as authentication and tunnel connection.
Theme or brand the user interface through additional CSS files and static resources.
Extend KCM's JavaScript code by providing JavaScript that will be loaded automatically.
Add additional display languages, or alter the translation strings of existing languages.
Extension format
KCM extensions are standard Java .jar files (this is essentially a .zip file) which contain all classes and resources required by the extension, as well as the KCM extension manifest. There is no set structure to an extension except that the manifest must be in the root of the archive. Java classes and packages, if any, will be read from the .jar relative to the root, as well.
Example Branding Extension
Modifying your existing KCM installation with custom branding is easy, please follow the below steps as an example.
(1) On the instance running Keeper Connection Manager or your workstation, retrieve the example repository or download as a zip file. Example:
git clone https://github.com/Keeper-Security/kcm-branding.git
cd kcm-branding(2) Zip up the contents of the branding folder into a file called kcm-branding.jar. The name of the file is arbitrary, as long as it is a unique name. KCM will load any extension that is placed into the target folder.
zip -r kcm-branding.jar guac-manifest.json css/ html/ js/ resources/ translations/(3) Copy the file into the /etc/kcm-setup folder or any path on the server.
sudo cp kcm-branding.jar /etc/kcm-setup/(4) In your docker-compose.yml file (e.g. /etc/kcm-setup/docker-compose.yml) there are 2 changes needed:
In the "guacamole" section add a reference to the Jar file which volume mounts the file directly from the host into the guacamole instance. The name of the file does not matter, as KCM will pull all jar files and process them.
Add the environment variable USE_DEFAULT_BRANDING with a value of "N".
Here's an example section:
guacamole:
image: keeper/guacamole:2
restart: unless-stopped
environment:
...
USE_DEFAULT_BRANDING: "N"
volumes:
...
- "/etc/kcm-setup/kcm-branding.jar:/etc/guacamole/extensions/kcm-branding.jar:ro"(5) Restart the container
sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgradeThat's it. After the service starts up, the branding on your KCM page will be all new, and there will be a popup alert when you load the page.
For iterating on more changes, simply edit the resources, zip up the file, copy the zip file to the target folder and restart your KCM container.
Technical Details
CSS
The CSS files referenced in guac-manifest.json are appended to the application CSS when loaded, therefore they will override the CSS properties.
Javascript
The Javascript files referenced in guac-manifest.json are appended to the application Javascript when loaded.
HTML modification
The existing HTML structure of KCM's interface can be modified through special "patch" HTML files declared by the html property in guac-manifest.json. These files are HTML fragments and are identical to any other HTML file except that they contain KCM-specific meta tags that instruct KCM to modify its own HTML in a particular way. Each meta tag takes the following form:
<meta name="NAME" content="SELECTOR">where SELECTOR is a CSS selector that matches the elements within the KCM interface that serve as a basis for the modification, and NAME is any one of the following defined modifications:
before
Inserts the specified HTML immediately before any element matching the CSS selector.
after
Inserts the specified HTML immediately after any element matching the CSS selector.
replace
Replaces any element matching the CSS selector with the specified HTML.
before-children
Inserts the specified HTML immediately before the first child (if any) of any element matching the CSS selector. If a matching element has no children, the HTML simply becomes the entire contents of the matching element.
after-children
Inserts the specified HTML immediately after the last child (if any) of any element matching the CSS selector. If a matching element has no children, the HTML simply becomes the entire contents of the matching element.
replace-children
Replaces the entire contents of any element matching the CSS selector with the specified HTML.
For example, to add a welcome message and link to some corporate privacy policy (a fairly common need), you would add an HTML file like the following:
<meta name="after" content=".login-ui .login-dialog">
<div class="welcome">
<h2>Welcome to our Keeper Connection Manager Demo</h2>
<p>
Please be sure to read our <a href="#">privacy
policy</a> before continuing.
</p>
</div>After the extension is installed and KCM is restarted, the "welcome" div and its contents will automatically be inserted directly below the login dialog (the only element that would match .login-ui .login-dialog) as if they were part of KCM's HTML in the first place.
Troubleshooting
If the page loads blank after applying the extension, check the logs. For example:
sudo ./kcm-setup.run logs -f guacamoleIf you see a null pointer exception, it's probably because one of the resources referenced in guac-manifest.json cannot be found in the .jar archive. Ensure that all files and folders are zipped up properly.
guacd.conf
Advanced configuration for the Guacd service
/etc/guacamole/guacd.conf is the configuration file for Apache Guacamole's proxy daemon, guacd. Editing this file is not normally required unless the circumstances of your deployment require internal communications to be encrypted (not just public-facing communication), the guacd service needs to listen on an external interface or non-standard port, or you need to increase logging verbosity to assist with debugging unexpected behavior.
The guacd.conf file is read only during service startup, and changes to guacd.conf will take effect only after restarting the guacd service.
Organization and general syntax
The guacd.conf file is organized within three distinct sections, each section having special meaning to guacd and containing only parameters specific to that section:
"server" - Parameters for configuring the hostname/address and port used by guacd.
"daemon" - Parameters for configuring the behavior of the guacd daemon, in particular logging level.
"ssl" - Parameters for configuring SSL/TLS encryption of the internal communication between the web application and guacd.
The beginning of each section is denoted with a section name in brackets, and each section ends implicitly with the beginning of a new section, or at the end of the file.
Parameters names and values
Parameters within sections are written as a parameter name, followed by an equals sign, followed by the parameter value, all on one line.
name = valueIf special characters need to be placed within a parameter value, such as whitespace, #, ", or \, the entire value must be enclosed in double quotes, and each occurrence of " or \ within the value must be escaped with backslashes:
name = "quoted # value \\ with \" special characters"Comments
Comments may be placed anywhere, including at the end of a parameter, and consist of arbitrary text following a # symbol until end-of-line:
# Arbitrary comment
name = value # Another arbitrary commentServer parameters
The parameters within the "server" section define the hostname/address and port that the guacd service should listen on. By default, the guacd service will listen at port 4822 on localhost, and thus will accept connections from a local instance of Guacamole only. If these values are changed, the Guacamole web application will need to be reconfigured to match by editing /etc/guacamole/guacamole.properties.
bind_host
localhost
The hostname or IP address that the guacd service should listen on.
bind_port
4822
The TCP port that the guacd service should listen on.
Daemon parameters
The parameters within the "daemon" section control how guacd operates as a daemon, in particular the level at which messages should be logged. Greater logging verbosity may be desired if unexpected behavior is encountered.
log_level
info
The log level that guacd should use when logging messages. In order of increasing verbosity, possible values are:
error
warning
info
debug
SSL/TLS parameters
guacd can be configured to communicate with the web application using SSL/TLS. If a certificate and key are specified, guacd will require SSL/TLS for all connections from the web application, and the web application will need to be reconfigured to match by editing /etc/guacamole/guacamole.properties. If the certificate cannot be verified by Java against well-known CA certificates, the certificate will also need to be added to Java's truststore.
By default, internal communication between guacd and the web application is not encrypted.
server_certificate
N/A
The full, absolute path to the PEM certificate that guacd should use to communicate with the web application.
server_key
N/A
The full, absolute path to the PEM private key that guacd should use to communicate with the web application.
guacamole.properties
Advanced configuration properties within guacamole.properties
The guacamole.properties file, located within /etc/guacamole, is Guacamole’s main configuration file. Keeper Connection Manager provides a thoroughly-commented version of this configuration file, including example properties organized into logical sections with accompanying documentation.
TCP connection information for guacd
The hostname and port of the machine hosting the guacd service, as well as whether that guacd service has been configured for SSL/TLS. By default, Guacamole will connect to guacd at port 4822 on localhost, and will not use SSL/TLS to do so.
guacd-hostname
localhost
The hostname of the machine hosting the guacd service.
guacd-port
4822
The port used by the guacd service.
guacd-ssl
false
Whether the guacd service has been configured for SSL/TLS.
Guacamole user session timeout
The amount of time, in minutes, a Guacamole session may remain valid despite being inactive. By default, Guacamole sessions remain valid for 60 minutes.
api-session-timeout
60
The amount of time, in minutes, a Guacamole session may remain valid despite being inactive.
This setting affects Guacamole sessions only, not remote desktop sessions. To enforce limits on the duration of remote desktop sessions, you must change the relevant setting within your remote desktop server, such as the session time limit GPOs provided by the Windows RDP server. Guacamole considers a connected remote desktop session to be user activity, and does not attempt to define what constitutes an idle but connected remote desktop session.
HTTP request size limits
It is unusual to need to change this setting:
File transfers within a remote desktop session are not affected by this limit.
Requests unrelated to file transfer should normally be well beneath the default limit (2 MB).
If you find yourself considering changing this property value, first investigate whether there may be any external factors causing the problem you're seeing, such as a reverse proxy, firewall, or browser extension. It is more common that the settings of the reverse proxy providing SSL termination need to be adjusted, and that no change needs to be made to Guacamole's request size limits whatsoever.
The maximum number of bytes to accept within the entity body of any particular HTTP request to Guacamole's internal REST API, including authentication requests. By default, HTTP requests made against the Guacamole web application are limited to 2 MB, excluding requests related to file transfer for a remote desktop session.
api-max-request-size
2097152
The maximum number of bytes to accept within the entity body of any particular HTTP request to the REST API, including authentication requests. This limit does not apply to files transferred within a remote desktop session. Specifying 0 disables request size limitations.
If setting this property intending to remove or lessen limitations on request sizes, be sure to check the settings of any reverse proxy providing SSL termination. Your reverse proxy may impose its own default limitations that will need to be overridden. For example, Nginx imposes a default limit of 1 MB per request.
Restricting available languages
If you have developed your own branding extension that overrides Guacamole's translation strings only for a subset of Guacamole's supported languages, you can force Guacamole to reduce the set of supported languages to only those languages you have modified. This is only necessary if you have developed your own branding. Branding extensions provided by Keeper Connection Manager as part of a Keeper Connection Manager subscription will update all supported languages.
allowed-languages
A comma-separated list of language keys for Guacamole's display language. If specified, only the listed languages will be made available to the user, and only the listed languages will be selected from automatically based on the user's browser's preferred language. By default, all defined languages will be available.
For example, to restrict Guacamole to only English and German, specify:
allowed-languages: en, deAs English is the fallback language, used whenever a translation key is missing from the chosen language, English should only be omitted from this list if you are absolutely positive that no strings are missing from your custom translations.
Extension-specific properties
In addition to the standard properties accepted by the web application, extensions may read additional properties which are specific to their own configuration needs. The guacamole.properties file included with Keeper Connection Manager contains comments which cleanly group configuration into distinct sections for each supported extension, along with example properties and documentation.
SAML 2.0 Authentication Configuration Properties
Advanced configuration properties for SAML 2.0 SSO
SAML 2.0 Configuration Properties
saml-idp-metadata-url
The URI of the XML metadata file that from the SAML Identity Provider that contains all of the information the SAML extension needs in order to know how to authenticate with the IdP. This URI can either be a remote server (e.g. https://) or a local file on the filesystem (e.g. file://). Often the metadata file contains most of the required properties for SAML authentication and the other parameters are not required.
saml-idp-url
The base URL of the SAML IdP. This is the URL that the SAML authentication extension will use to redirect when requesting SAML authentication. If the saml-idp-metadata-url property is provided, this parameter will be ignored. If the metadata file is not provided this property is required.
saml-entity-id
The entity ID of the Keeper Connection Manager SAML client, which is generally the URL of the Keeper Connection Manager server, but is not required to be so. This property is required if either the saml-idp-metadata-url property is not specified, or if the provided metadata file does not contain the SAML SP Entity ID for the Keeper Connection Manager Client.
saml-callback-url
The URL that the IdP will use once authentication has succeeded to return to the Keeper Connection Manager web application and provide the authentication details to the SAML extension. The SAML extension currently only supports callback as a POST operation to this callback URL. This property is required.
saml-strict
Require strict security checks during SAML logins. This will insure that valid certificates are present for all interactions with SAML servers and fail SAML authentication if security restrictions are violated. This property is optional, and will default to true, requiring strict security checks. This property should only be set to false in non-production environments during testing of SAML authentication.
saml-debug
Enable additional logging within the supporting SAML library that can assist in tracking down issues during SAML logins. This property is optional, and will default to false (no debugging).
saml-compress-request
Enable compression of the HTTP requests sent to the SAML IdP. This property is optional and will default to true (compression enabled).
saml-compress-response
Request that the SAML response returned by the IdP be compressed. This property is optional and will default to "true" (compression will be requested).
saml-group-attribute
The name of the attribute provided by the SAML IdP that contains group membership of the user. These groups will be parsed and used to map group membership of the user logging in, which can be used for permissions management within the Keeper Connection Manager Client, particularly when layered with other authentication modules. This property is optional, and defaults to “groups”.
saml-private-key-path
Path to a private key for use with connecting to an ID Provider which is configured to expect signed requests
saml-x509-cert-path
Path to a certificate used to authenticate to an ID Provider which is configured to expect signed requests
Controlling Login Behavior
Keeper Connection Manager loads authentication extensions in order of priority, and evaluates authentication attempts in this same order. This has implications for how the login process behaves when an SSO extension is present:
If the SSO extension has priority:
Users that are not yet authenticated will be immediately redirected to the configured identity provider. They will not see a Keeper Connection Manager login screen.
If a non-SSO extension has priority:
Users that are not yet authenticated will be presented with a Keeper Connection Manager login screen. Additionally, links to the configured identity provider(s) will be available for users that wish to log in using SSO.
The default priority of extensions is dictated by their filenames, with extensions that sort earlier alphabetically having higher priority than others. This can be overridden by setting the extension-priority property within guacamole.properties.
Automatically redirecting all unauthenticated users
To ensure users are redirected to the SAML identity provider immediately (without a Keeper Connection Manager login screen), ensure the SAML extension has priority over all others:
extension-priority: samlPresenting unauthenticated users with a login screen
To ensure users are given a normal Keeper Connection Manager login screen and have the option to log in with traditional credentials or with SAML, ensure the SAML extension does not have priority:
extension-priority: *, samlOpenID Connect Configuration Properties
Advanced configuration properties for OpenID Connect Auth
OpenID Connect Configuration Properties
openid-authorization-endpoint
The authorization endpoint (URI) of the OpenID service.
This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the authorization_endpoint property of the JSON file hosted at https://identity-provider/.well-known/openid-configuration, where https://identity-provider is the base URL of the identity provider.
openid-jwks-endpoint
The endpoint (URI) of the JWKS service which defines how received ID tokens (JSON Web Tokens or JWTs) shall be validated.
This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the jwks_uri property of the JSON file hosted at https://identity-provider/.well-known/openid-configuration, where https://identity-provider is the base URL of the identity provider.
openid-issuer
The issuer to expect for all received ID tokens.
This value should be provided to you by the identity provider. For identity providers that implement OpenID Connect Discovery, this value can be retrieved from the issuer property of the JSON file hosted at https://identity-provider/.well-known/openid-configuration, where https://identity-provider is the base URL of the identity provider.
openid-client-id
The OpenID client ID which should be submitted to the OpenID service when necessary. This value is typically provided to you by the OpenID service when OpenID credentials are generated for your application.
openid-redirect-uri
The URI that should be submitted to the OpenID service such that they can redirect the authenticated user back to Keeper Connection Manager after the authentication process is complete. This must be the full URL that a user would enter into their browser to access Guacamole.
Additional optional properties are available to control how claims within received ID tokens are used to derive the user’s Keeper Connection Manager username, any associated groups, the OpenID scopes requested when user identities are confirmed, and to control the maximum amount of time allowed for various aspects of the conversation with the identity provider:
openid-username-claim-type
The claim type within any valid JWT that contains the authenticated user’s username. By default, the “email” claim type is used.
openid-groups-claim-type
The claim type within any valid JWT that contains the list of groups of which the authenticated user is a member. By default, the “groups” claim type is used.
openid-scope
The space-separated list of OpenID scopes to request. OpenID scopes determine the information returned within the OpenID token, and thus affect what values can be used as an authenticated user’s username. To be compliant with OpenID, at least “openid profile” must be requested. By default, “openid email profile” is used.
openid-allowed-clock-skew
The amount of clock skew tolerated for timestamp comparisons between the Keeper Connection Manger server and OpenID service clocks, in seconds. By default, clock skew of up to 30 seconds is tolerated.
openid-max-token-validity
The maximum amount of time that an OpenID token should remain valid, in minutes. By default, each OpenID token remains valid for 300 minutes (5 hours).
openid-max-nonce-validity
The maximum amount of time that a nonce generated by the Keeper Connection Manager server should remain valid, in minutes. As each OpenID request has a unique nonce value, this imposes an upper limit on the amount of time any particular OpenID request can result in successful authentication within Keeper Connection Manager. By default, each generated nonce expires after 10 minutes.
Controlling Login Behavior
Keeper Connection Manager loads authentication extensions in order of priority, and evaluates authentication attempts in this same order. This has implications for how the login process behaves when an SSO extension is present:
If the SSO extension has priority:
Users that are not yet authenticated will be immediately redirected to the configured identity provider. They will not see a Keeper Connection Manager login screen.
If a non-SSO extension has priority:
Users that are not yet authenticated will be presented with a Keeper Connection Manager login screen. Additionally, links to the configured identity provider(s) will be available for users that wish to log in using SSO.
The default priority of extensions is dictated by their filenames, with extensions that sort earlier alphabetically having higher priority than others. This can be overridden by setting the extension-priority property within guacamole.properties.
Automatically redirecting all unauthenticated users
To ensure users are redirected to the OpenID identity provider immediately (without a Keeper Connection Manager login screen), ensure the OpenID extension has priority over all others:
extension-priority: openidPresenting unauthenticated users with a login screen
To ensure users are given a normal Keeper Connection Manager login screen and have the option to log in with traditional credentials or with OpenID, ensure the OpenID extension does not have priority:
extension-priority: *, openidDuo Two-Factor Authentication Configuration Properties
Advanced configuration properties for Duo 2FA
Duo application integration details
The API hostname, integration key, and secret key are provided for you by Duo when you registered Guacamole within Duo's "Admin" panel. Each of these values is required and is generated by Duo.
duo-api-hostname
The hostname of the Duo API endpoint to be used to verify user identities, generated by Duo when you registered Guacamole within Duo's "Admin" panel. This value can be found within the application details in the "API hostname" field.
duo-integration-key
The integration key provided for Guacamole by Duo when you registered Guacamole within Duo's "Admin" panel. This value can be found within the application details in the "Integration key" field.
duo-secret-key
The secret key provided for Guacamole by Duo when you registered Guacamole within Duo's "Admin" panel. This value can be found within the application details in the "Secret key" field.
Duo application key
An arbitrary and random key must be provided for communicating with the Duo service. This key MUST be manually generated and MUST BE AT LEAST 40 CHARACTERS.
duo-application-key
The arbitrary, random key to use when communicating with the Duo service.
Any random value containing at least 40 characters will suffice. To quickly grab 40 random characters from /dev/random:
$ tr -dc 'a-zA-Z0-9' < /dev/random | head -c40; echo
xqZKJODwg7ouwxdqU9hvuaWhE6lQFspijY0ofg8I
$Encrypted JSON Configuration Properties
Advanced configuration properties for Encrypted JSON Auth
Shared JSON secret key
A shared secret key is used by systems generating JSON data to encrypt and sign the JSON, and by the Guacamole server to verify and decrypt received data. This key must be 128 bits, specified with 32 hexadecimal digits.
json-secret-key
The 128-bit secret key that will be used to encrypt and sign JSON sent to Guacamole for authentication, formatted as 32 hexadecimal digits. Received JSON will not be accepted unless it has been encrypted and signed using this key.
This key can be essentially anything as long as it is unpredictable. An easy way of generating such a key is to echo a passphrase through the "md5sum" utility. This is the technique OpenSSL itself uses to generate 128-bit keys from passphrases. For example:
$ echo -n "ThisIsATest" | md5sum
4c0b569e4c96df157eee1b65dd0e4d41 -
$Source network restrictions
By default, received encrypted JSON will be accepted as long as it is valid and properly signed with the secret key. This can be further restricted to accept encrypted JSON only from machines which match a comma-separated list of trusted IP addresses and/or CIDR subnets.
json-trusted-networks
A comma-separated list of IP addresses and/or CIDR subnets which should be allowed to authenticate using encrypted JSON. By default, encrypted JSON is accepted without restriction from any address or subnet.
LDAP Configuration Properties
Advanced configuration properties for LDAP Authentication
TCP connection information
The TCP connection details of the LDAP server, as well as whether encryption should be used.
ldap-hostname
hostname
localhost
The hostname/address of the LDAP server.
ldap-port
port
389, or 636 for LDAPS
The TCP port that the LDAP server is listening on.
ldap-encryption-method
encryption-method
none
The encryption method to use when communicating with the LDAP server. Valid encryption methods are:
none(for unencrypted LDAP)ssl(for LDAP over SSL/TLS, also known as LDAPS)starttls(for STARTTLS)
LDAP user / user DN description
The base DN of all Guacamole users within the LDAP directory, and the attribute which contains each user's username. If the username attribute is not part of the DN, a search DN will need to be provided, as well.
ldap-user-base-dn
user-base-dn
N/A
The base DN beneath which all relevant LDAP users may be found. If not using a search DN, this DN must be the common portion of the DN shared by all users to which the username attribute can be added.
ldap-username-attribute
username-attribute
uid
The attribute which contains the user's username. For OpenLDAP, the default value of "uid" is usually correct. For Active Directory, the correct value is typically "sAMAccountName", and a search DN will be needed due to indirect mapping of the username.
LDAP user search DN
The DN and password of the user to bind as when searching for the DN of each user attempting to log in. If omitted, the DN of each user will be derived directly using the user base DN and username attribute.
ldap-search-bind-dn
search-bind-dn
The DN of the user that Guacamole should bind as when attempting to resolve the DN of an authenticating user (indirect username mapping). If omitted, the DN of each user will be derived directly from the base DN and username attribute. Note that the permissions associated with this account do not affect whether a user can see objects within the LDAP directory. Users, connections, etc. will only be visible to LDAP users if those users are granted permission to see those objects within LDAP.
ldap-search-bind-password
search-bind-password
The password that should be provided when Guacamole binds with the given search DN in order to resolve the DN of an authenticating user.
LDAP group / group DN description
The base DN of all Guacamole user groups within the LDAP directory, and the attribute which contains each group's name. If storing connection information within LDAP, the provided base DN must also contain any groups that may be referenced within "guacConfigGroup" objects using the "seeAlso" attribute.
ldap-group-base-dn
group-base-dn
N/A
The base DN beneath which all relevant LDAP groups may be found. This tree will be searched using the user's own credentials to determine their group memberships upon login.
If storing connection information within LDAP, this must also be the base DN of the LDAP directory subtree that should be searched for "guacConfigGroup" memberships specified using the "seeAlso" attribute.
ldap-group-name-attribute
group-name-attribute
cn
The attribute which contains the group's name. For most LDAP servers, including Active Directory, the default value of "cn" is usually correct.
Base DN for Guacamole connections (guacConfigGroup)
The base DN for all Guacamole connections defined directly within the LDAP directory using "guacConfigGroup" objects. The LDAP schema files for "guacConfigGroup" objects can be found within /usr/share/guacamole-auth-ldap/schema in both LDIF and .schema format. Note that storing connections directly within the LDAP directory is optional. If connections will not be stored within the directory, this base DN should not be provided.
ldap-config-base-dn
config-base-dn
The base DN of the LDAP subtree that should be searched for connections stored directly within the directory ("guacConfigGroup" objects). If connections are not being stored within the LDAP directory (no schema changes have been applied), this property should not be specified.
LDAP search result limits
The maximum number of LDAP search results which can be returned by a single query. LDAP searches which exceed this limit will fail.
ldap-max-search-results
max-search-results
1000
The maximum number of LDAP search results to retrieve via a single query. By default, LDAP searches are limited to returning a maximum of 1000 entries.
LDAP user attributes
Arbitrary LDAP user attributes may be used to dynamically affect the behavior of connections based on the user accessing them. When a user authenticates with LDAP and subsequently accesses a particular Guacamole connection, the values of these attributes will be made available as parameter tokens and applied to the parameters of the connection. If the attribute has no value for the current user, then the corresponding token is not applied. If the attribute has multiple values, then the first value of the attribute is used.
These attributes must be configured for use as parameter tokens ahead of time by being explicitly listed within /etc/guacamole/guacamole.properties. By default, no LDAP user attributes are made available as parameter tokens.
ldap-user-attributes
user-attributes
The attribute or attributes to retrieve from the LDAP directory for users that authenticate using LDAP, separated by commas. If specified, the attributes listed here are retrieved from each authenticated user and dynamically applied to the parameters of that user's connections as parameter tokens with the prefix "LDAP_".
When converting an LDAP attribute name into a parameter token name, the name of the attribute is transformed into uppercase with each word separated by underscores, a naming convention referred to as "uppercase with underscores" or "screaming snake case". For example:
lowercase-with-dashes
${LDAP_LOWERCASE_WITH_DASHES}
CamelCase
${LDAP_CAMEL_CASE}
headlessCamelCase
${LDAP_HEADLESS_CAMEL_CASE}
lettersAndNumbers1234
${LDAP_LETTERS_AND_NUMBERS_1234}
aRANDOM_mixOf-3NAMINGConventions
${LDAP_A_RANDOM_MIX_OF_3_NAMING_CONVENTIONS}
Custom LDAP search filters
The search filter which should be used to retrieve lists of users or groups from the LDAP directory. By default, a filter which matches all objects is used, and the only restriction is given through the relevant base DN. If you need to narrow the lists of users or groups further, the default filter can be overridden.
If overriding a search filter, be sure that the filter is a valid LDAP filter. In particular, an LDAP filter must be enclosed in a matching pair of parenthesis. If unsure whether your filter is valid, or if seeing unexpected results, it can be helpful to verify your filter against your LDAP server using a command-line utility like "ldapsearch".
ldap-user-search-filter
user-search-filter
(objectClass=*)
The search filter which should be used to retrieve the list of users from the LDAP directory. If a search DN is used (indirect user mapping), this filter will also restrict the users that can log into Guacamole.
ldap-group-search-filter
group-search-filter
(objectClass=*)
The search filter which should be used to retrieve the list of groups that may be used by other extensions to define permissions.
LDAP aliases and referrals
Whether (and how) Guacamole should follow LDAP aliases or referrals when encountered during an LDAP query. By default, Guacamole will not dereference aliases and will not follow referrals.
ldap-dereference-aliases
dereference-aliases
never
The method that Guacamole should use to dereference LDAP aliases, if at all. Legal alias dereferencing modes are:
never(do not dereference aliases at all)searching(dereference aliases only after the search base has been found)finding(dereference aliases only when finding the search base)always(dereference aliases in all cases)
ldap-follow-referrals
follow-referrals
false
If set to "true", referrals received from the LDAP directory will be automatically followed. By default, referrals are not followed.
ldap-max-referral-hops
max-referral-hops
5
The maximum number of referrals to follow before aborting an LDAP query. This property only has an effect if LDAP referral following is enabled. If referral following is enabled, the following performed is limited to 5 hops by default.
MySQL / MariaDB Configuration Properties
Advanced configuration properties for MySQL
Minimum password length and complexity
Minimum/maximum password age
Password reuse prevention
Database concurrent connection limits
General connection concurrency limits
Per-user concurrency limits
Absolute concurrency limits
TCP connection information
The TCP connection details for the MySQL / MariaDB database.
mysql-hostname
localhost
The hostname of the database server.
mysql-port
3306
The port of the MySQL or MariaDB service running on the database server.
Database name and credentials
The name of the database to use, as well as the credentials to use when connecting to the database. These properties are required if one of the database authentication extensions will be used.
mysql-database
The name of the database that Guacamole should issue queries against.
mysql-username
The username of the user that Guacamole should use to connect to the database.
mysql-password
The password Guacamole should provide when authenticating with the database.
Database password policies
Restrictions that should be applied to all database users with respect to password complexity, length, change frequency, and reuse.
These properties do not affect users defined outside the database.
Minimum password length and complexity
mysql-user-password-min-length
0
The minimum length of each password, in characters. If specified, users will not be able to change their passwords to values that are not at least this length. By default, no minimum length is enforced. Empty passwords are never allowed.
mysql-user-password-require-multiple-case
false
If set to "true", require that all passwords contain at least one uppercase character and one lowercase character. By default, passwords are not required to contain mixed case.
mysql-user-password-require-symbol
false
If set to "true", require that all passwords contain at least one symbol, where a "symbol" is any non-alphanumeric character. By default, passwords are not required to contain symbols.
mysql-user-password-require-digit
false
If set to "true", require that all passwords contain at least one digit, where a "digit" is any numeric character. By default, passwords are not required to contain digits.
mysql-user-password-prohibit-username
false
If set to "true", prohibit passwords from containing the user's own username, regardless of case. By default, use of the user's own username within their password is not prevented.
Minimum/maximum password age
mysql-user-password-min-age
The minimum number of days that must elapse between password changes (preventing users from changing passwords too frequency and defeating password reuse protections). By default, frequency of password changes is not restricted.
mysql-user-password-max-age
The maximum number of days that may elapse before users are required to change their passwords. By default, users passwords do not automatically expire.
Password reuse prevention
mysql-user-password-history-size
The number of past passwords that should be remembered for each user. If specified, users will be prevented from reusing any of these passwords. By default, reuse of past passwords is not prevented.
Database concurrent connection limits
Concurrent usage restrictions that should be enforced by default across all connections. With the exception the absolute concurrency limit, each of these restrictions may be overridden by the administrator on a per-connection basis by editing the connection.
General connection concurrency limits
mysql-default-max-connections
0
The maximum number of concurrent connections to allow to any particular connection, where "0" represents unlimited. By default, no overall concurrency limits are enforced on connections.
mysql-default-max-group-connections
0
The maximum number of concurrent connections to allow to any particular balancing connection group, where "0" represents unlimited. By default, no overall concurrency limits are enforced on connection groups.
Per-user concurrency limits
mysql-default-max-connections-per-user
0
The maximum number of concurrent connections to allow to any individual user to establish to a connection, where "0" represents unlimited. By default, no per-user concurrency limits are enforced on connections.
mysql-default-max-group-connections-per-user
1
The maximum number of concurrent connections to allow to any individual user to establish to a balancing connection group, where "0" represents unlimited. By default, no each user is limited to a single connection for each balancing connection group, to avoid allowing any one user to exhaust the available connections within that group..
Absolute concurrency limits
mysql-absolute-max-connections
0
The absolute maximum number of concurrent connections to allow to the Guacamole server as a whole, regardless of which users are establishing those connections and which connections or groups are being accessed, where "0" represents unlimited. By default, no absolute concurrent restrictions are enforced.
Database user account requirements
Whether authentication via other extensions is allowed for users that do not exist within the MySQL / MariaDB database. If set to "true", authentication attempts will be denied unless the authenticated user has been defined within the database.
mysql-user-required
false
If set to "true", require that all successful authentication attempts be associated with a user defined within MySQL. If a user authentications successfully via another mechanism (such as LDAP), that attempt will still be denied if no corresponding MySQL user exists. By default, successful authentication attempts will be considered successful regardless of whether an account for that user exists within MySQL.
PostgreSQL Configuration Properties
Advanced configuration properties for PostgreSQL
Minimum password length and complexity
Minimum/maximum password age
Password reuse prevention
Database concurrent connection limits
General connection concurrency limits
Per-user concurrency limits
Absolute concurrency limits
TCP connection information
The TCP connection details for the PostgreSQL database.
postgresql-hostname
localhost
The hostname of the database server.
postgresql-port
5432
The port of the PostgreSQL service running on the database server.
Database name and credentials
The name of the database to use, as well as the credentials to use when connecting to the database. These properties are required if one of the database authentication extensions will be used.
postgresql-database
The name of the database that Guacamole should issue queries against.
postgresql-username
The username of the user that Guacamole should use to connect to the database.
postgresql-password
The password Guacamole should provide when authenticating with the database.
Database password policies
Restrictions that should be applied to all database users with respect to password complexity, length, change frequency, and reuse.
These properties do not affect users defined outside the database.
Minimum password length and complexity
postgresql-user-password-min-length
0
The minimum length of each password, in characters. If specified, users will not be able to change their passwords to values that are not at least this length. By default, no minimum length is enforced. Empty passwords are never allowed.
postgresql-user-password-require-multiple-case
false
If set to "true", require that all passwords contain at least one uppercase character and one lowercase character. By default, passwords are not required to contain mixed case.
postgresql-user-password-require-symbol
false
If set to "true", require that all passwords contain at least one symbol, where a "symbol" is any non-alphanumeric character. By default, passwords are not required to contain symbols.
postgresql-user-password-require-digit
false
If set to "true", require that all passwords contain at least one digit, where a "digit" is any numeric character. By default, passwords are not required to contain digits.
postgresql-user-password-prohibit-username
false
If set to "true", prohibit passwords from containing the user's own username, regardless of case. By default, use of the user's own username within their password is not prevented.
Minimum/maximum password age
postgresql-user-password-min-age
The minimum number of days that must elapse between password changes (preventing users from changing passwords too frequency and defeating password reuse protections). By default, frequency of password changes is not restricted.
postgresql-user-password-max-age
The maximum number of days that may elapse before users are required to change their passwords. By default, users passwords do not automatically expire.
Password reuse prevention
postgresql-user-password-history-size
The number of past passwords that should be remembered for each user. If specified, users will be prevented from reusing any of these passwords. By default, reuse of past passwords is not prevented.
Database concurrent connection limits
Concurrent usage restrictions that should be enforced by default across all connections. With the exception the absolute concurrency limit, each of these restrictions may be overridden by the administrator on a per-connection basis by editing the connection.
General connection concurrency limits
postgresql-default-max-connections
0
The maximum number of concurrent connections to allow to any particular connection, where "0" represents unlimited. By default, no overall concurrency limits are enforced on connections.
postgresql-default-max-group-connections
0
The maximum number of concurrent connections to allow to any particular balancing connection group, where "0" represents unlimited. By default, no overall concurrency limits are enforced on connection groups.
Per-user concurrency limits
postgresql-default-max-connections-per-user
0
The maximum number of concurrent connections to allow to any individual user to establish to a connection, where "0" represents unlimited. By default, no per-user concurrency limits are enforced on connections.
postgresql-default-max-group-connections-per-user
1
The maximum number of concurrent connections to allow to any individual user to establish to a balancing connection group, where "0" represents unlimited. By default, no each user is limited to a single connection for each balancing connection group, to avoid allowing any one user to exhaust the available connections within that group..
Absolute concurrency limits
postgresql-absolute-max-connections
0
The absolute maximum number of concurrent connections to allow to the Guacamole server as a whole, regardless of which users are establishing those connections and which connections or groups are being accessed, where "0" represents unlimited. By default, no absolute concurrent restrictions are enforced.
Database user account requirements
Whether authentication via other extensions is allowed for users that do not exist within the PostgreSQL database. If set to "true", authentication attempts will be denied unless the authenticated user has been defined within the database.
postgresql-user-required
false
If set to "true", require that all successful authentication attempts be associated with a user defined within PostgreSQL. If a user authentications successfully via another mechanism (such as LDAP), that attempt will still be denied if no corresponding PostgreSQL user exists. By default, successful authentication attempts will be considered successful regardless of whether an account for that user exists within PostgreSQL.
SQL Server Configuration Properties
Advanced configuration properties for SQL Server
Minimum password length and complexity
Minimum/maximum password age
Password reuse prevention
Database concurrent connection limits
General connection concurrency limits
Per-user concurrency limits
Absolute concurrency limits
TCP connection information
The TCP connection details for the SQL Server database.
sqlserver-hostname
localhost
The hostname of the database server.
sqlserver-port
1433
The port of the SQL Server service running on the database server.
Database name and credentials
The name of the database to use, as well as the credentials to use when connecting to the database. These properties are required if one of the database authentication extensions will be used.
sqlserver-database
The name of the database that Guacamole should issue queries against.
sqlserver-username
The username of the user that Guacamole should use to connect to the database.
sqlserver-password
The password Guacamole should provide when authenticating with the database.
Database password policies
Restrictions that should be applied to all database users with respect to password complexity, length, change frequency, and reuse.
These properties do not affect users defined outside the database.
Minimum password length and complexity
sqlserver-user-password-min-length
0
The minimum length of each password, in characters. If specified, users will not be able to change their passwords to values that are not at least this length. By default, no minimum length is enforced. Empty passwords are never allowed.
sqlserver-user-password-require-multiple-case
false
If set to "true", require that all passwords contain at least one uppercase character and one lowercase character. By default, passwords are not required to contain mixed case.
sqlserver-user-password-require-symbol
false
If set to "true", require that all passwords contain at least one symbol, where a "symbol" is any non-alphanumeric character. By default, passwords are not required to contain symbols.
sqlserver-user-password-require-digit
false
If set to "true", require that all passwords contain at least one digit, where a "digit" is any numeric character. By default, passwords are not required to contain digits.
sqlserver-user-password-prohibit-username
false
If set to "true", prohibit passwords from containing the user's own username, regardless of case. By default, use of the user's own username within their password is not prevented.
Minimum/maximum password age
sqlserver-user-password-min-age
The minimum number of days that must elapse between password changes (preventing users from changing passwords too frequency and defeating password reuse protections). By default, frequency of password changes is not restricted.
sqlserver-user-password-max-age
The maximum number of days that may elapse before users are required to change their passwords. By default, users passwords do not automatically expire.
Password reuse prevention
sqlserver-user-password-history-size
The number of past passwords that should be remembered for each user. If specified, users will be prevented from reusing any of these passwords. By default, reuse of past passwords is not prevented.
Database concurrent connection limits
Concurrent usage restrictions that should be enforced by default across all connections. With the exception the absolute concurrency limit, each of these restrictions may be overridden by the administrator on a per-connection basis by editing the connection.
General connection concurrency limits
sqlserver-default-max-connections
0
The maximum number of concurrent connections to allow to any particular connection, where "0" represents unlimited. By default, no overall concurrency limits are enforced on connections.
sqlserver-default-max-group-connections
0
The maximum number of concurrent connections to allow to any particular balancing connection group, where "0" represents unlimited. By default, no overall concurrency limits are enforced on connection groups.
Per-user concurrency limits
sqlserver-default-max-connections-per-user
0
The maximum number of concurrent connections to allow to any individual user to establish to a connection, where "0" represents unlimited. By default, no per-user concurrency limits are enforced on connections.
sqlserver-default-max-group-connections-per-user
1
The maximum number of concurrent connections to allow to any individual user to establish to a balancing connection group, where "0" represents unlimited. By default, no each user is limited to a single connection for each balancing connection group, to avoid allowing any one user to exhaust the available connections within that group..
Absolute concurrency limits
sqlserver-absolute-max-connections
0
The absolute maximum number of concurrent connections to allow to the Guacamole server as a whole, regardless of which users are establishing those connections and which connections or groups are being accessed, where "0" represents unlimited. By default, no absolute concurrent restrictions are enforced.
Database user account requirements
Whether authentication via other extensions is allowed for users that do not exist within the SQL Server database. If set to "true", authentication attempts will be denied unless the authenticated user has been defined within the database.
sqlserver-user-required
false
If set to "true", require that all successful authentication attempts be associated with a user defined within SQL Server. If a user authentications successfully via another mechanism (such as LDAP), that attempt will still be denied if no corresponding SQL Server user exists. By default, successful authentication attempts will be considered successful regardless of whether an account for that user exists within SQL Server.
TOTP Configuration Properties
Advanced configuration properties for TOTP 2FA
TOTP issuer details
A human readable name must be associated with generated keys such that the user enrolling their authentication device will be able to easily distinguish the code they should use for this application vs. the other applications that same authentication device may be used for. This value does not affect the key generated nor handling of received codes; it only serves as a reference for the user.
totp-issuer
Apache Guacamole
The human-readable name of the entity issuing user accounts.
TOTP code generation
Most authentication devices supporting TOTP use 6-digit codes, a code period of 30 seconds, and the SHA-1 hash algorithm. These values are used as the defaults for code generation. If your requirements differ, these default values may be overridden.
totp-digits
6
The number of digits which should be included in each generated code. TOTP allows for 6-, 7-, or 8-digit codes. Longer or shorter codes than this are not possible as they violate the TOTP standard.
totp-period
30
The duration that each generated code should remain valid, in seconds. The code generation period is given in positive integer seconds and may be any value, however the value should be long enough to allow the user a reasonable amount of time to enter their code. Their authentication device will generate a new code after this period elapses.
totp-mode
sha1
The hash algorithm that should be used to generate codes. Valid TOTP modes (hashes) are:
sha1sha256sha512
Before selecting a value which differs from the default (sha1), be sure to verify that your authentication devices support that hash.
UDS Enterprise Configuration Properties
UDS Enterprise deployment details
When leveraging Keeper Connection Manager to fulfill a request to remotely access a virtual machine, UDS Enterprise will generate and send a temporary access token to Keeper Connection Manager. This temporary access token defines the connection details of the machine being accessed and needs to be validated against UDS Enterprise for that access to be granted. In order to reach out to UDS Enterprise to perform this validation, Keeper Connection Manager needs to know the base URL of the UDS Enterprise deployment.
The URL provided need only be a URL that your Keeper Connection Manager server can use to reach your UDS Enterprise server. If UDS Enterprise is installed on the same private network or on the same server as Keeper Connection Manager, this can be an internal URL that uses a private IP address or domain name, and does not necessarily need to be the public URL that would be used to access UDS Enterprise over the internet.
uds-base-url
The base URL of the UDS Enterprise deployment that may leverage Keeper Connection Manager to provide remote access. Keeper Connection Manager will use this URL to contact UDS to authenticate and authorize connection requests.
Login Attempts Properties
As of KCM version 2.9.6, KCM can be configured to limit a user's ability to login after multiple consecutive failed login attempts. This blocks brute-force login attacks on KCM instances.
Use the following properties to change the login attempt settings
ban-max-invalid-attempts
The number of invalid attempts before a user is locked out
ban-address-duration
The amount of time in seconds a user is locked out for after hitting the invalid attempts limit
ban-max-addresses
The number of addresses that KCM will track to check for invalid attempts. Defaults to 10485760
Custom Extensions
Integrating Keeper Connection Manager with 3rd party software and applications
Extension API Overview
Keeper Connection Manager is designed to be integrated with third-party systems and applications using the Extension API, which allows arbitrary systems to serve as methods of authentication and as data sources.
The Extension API was used to implement the authentication mechanisms supported by Keeper Connection Manager and Apache Guacamole out-of-the-box. For Keeper Connection Manager 2.x, regardless of any updates, the extension API is compatible with upstream Apache Guacamole 1.0.0 through 1.3.0.
Documentation
JavaDoc for the Apache Guacamole 1.3.0 core API (referenced by parts of the extension API)
If you are not sure where to begin with integrating Keeper Connection Manager, or are having difficulties with your existing integration, consulting on integration is included with premium subscriptions.
Custom Docker Images
Creating custom Docker images based on Keeper Connection Manager packages
Overview
The main Keeper Connection Manager packages include default Docker entry points, allowing deployments of Keeper Connection Manager to be automated with Docker, even if your deployment is customized with your own branding, third-party authentication extensions, or organization-specific settings.
A simple Dockerfile can be created which accomplishes the following tasks:
Copy a
.repofile into/etc/yum.repos.d/so the Docker image build has access to the Keeper Connection Manager packages.Install any required packages for your use case.
Remove the
.repofile so your image doesn't contain your repository credentials.Apply any desired configuration (such as through a
guacamole.properties.dockerfile).Configure the environment as required for installing the Keeper Connection Manager packages used by the image (such as adding the
tomcatuser to any necessary groups or deployingguacamole.war).Start one of the provided Docker entrypoints.
The Keeper Connection Manager packages currently include three Docker entrypoints ready for use within custom images. Which entrypoint(s) you use will depend on whether you are creating separate images for Apache Guacamole and guacd vs. an all-in-one image which contains both:
Docker entrypoint which starts both the Guacamole web application and the guacd daemon. This entrypoint is part of the kcm package and additionally requires gettext to be installed.
Docker entrypoint which starts only the Guacamole web application. A separate container will be needed for guacd. This entrypoint is part of the kcm package and additionally requires gettext to be installed.
Docker entrypoint which starts only the guacd daemon. A separate container will be needed for the Guacamole web application. This entrypoint is part of the kcm package
Configuring Guacamole using guacamole.properties.docker
guacamole.properties.dockerThe entrypoint-combined.sh and entrypoint-guacamole.sh entrypoints will both check for the existence of an optional /etc/guacamole/guacamole.properties.docker file. If this file exists, it will be automatically filtered such that environment variables are substituted within the contents of the file. The filtered contents of this file will be written to /etc/guacamole/guacamole.properties, overwriting the original file, but omitting any properties which remain unset after filtering.
The filtering applied to guacamole.properties.docker leverages the envsubst utility provided by the gettext package. The gettext package must be installed within any Docker container intended to leverage guacamole.properties.docker.
For example, if an /etc/guacamole/guacamole.properties file exists within a Guacamole-only or combined image containing the following:
mysql-hostname: $DATABASE_HOSTNAME
mysql-database: guacamole_db
mysql-username: $DATABASE_USERNAME
mysql-password: $DATABASE_PASSWORD
ldap-hostname: $LDAP_HOSTNAME
ldap-port: $LDAP_PORTThe main guacamole.properties will be generated using this as a template, substituting the values of the DATABASE_HOSTNAME, DATABASE_USERNAME, DATABASE_PASSWORD, LDAP_HOSTNAME, and LDAP_PORT environment variables. If only the DATABASE variables are set, then properties which depend on other values will automatically be omitted:
mysql-hostname: localhost
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: some_passwordguacamole.properties.docker can thus be used to provide a completely custom set of configuration options. Your image need only support the options you specifically need.
Creating an all-in-one image using the combined entrypoint
An all-in-one Docker image for Guacamole contains both the Guacamole web application and guacd. An image which contains both Guacamole and guacd will require at least the following packages:
kcm-guacamole
kcm-guacd
tomcat
If using LDAP and/or one of the supported databases for authentication, the relevant packages for those authentication methods will also be installed:
kcm-guacamole-auth-duo
kcm-guacamole-auth-json
kcm-guacamole-auth-ldap
kcm-guacamole-auth-mysql
kcm-guacamole-auth-postgresql
kcm-guacamole-auth-sqlserver
kcm-guacamole-auth-totp
You must also install at least one package providing protocol support. The packages required depend only on the protocols you intend to support, which may well be all protocols supported by Guacamole:
kcm-libguac-client-rdp
kcm-libguac-client-ssh
kcm-libguac-client-telnet
kcm-libguac-client-vnc
If providing support for telnet, you will also need to configure your image to use the EPEL repository by installing the epel-release package. This package will need to be installed before the kcm-libguac-client-telnet package, as its dependencies will not be able to be satisfied without EPEL:
epel-release
If you will be using guacamole.properties.docker to provide configuration options that leverage environment variables, the gettext package is required
gettext
A combined Dockerfile which provides support for absolutely all protocols, uses MySQL for authentication, and leverages guacamole.properties.docker would look like the following:
# Build off CentOS 7
FROM centos:centos7
# Add the Keeper Connection Manager Enterprise repository
COPY kcm.repo /etc/yum.repos.d/
# Install Guacamole, Tomcat, and guacd
RUN yum install -y epel-release \
&& yum install -y \
gettext \
kcm \
kcm-guacamole-auth-jdbc-mysql \
kcm-guacd \
kcm-libguac-client-rdp \
kcm-libguac-client-ssh \
kcm-libguac-client-telnet \
kcm-libguac-client-vnc \
tomcat \
&& yum clean all \
&& rm /etc/yum.repos.d/kcm.repo
# Add Tomcat service user to the "guacamole" group
RUN usermod -aG guacamole tomcat
# Deploy the Guacamole web application under Tomcat
RUN ln -s /opt/keeper/share/guacamole/guacamole.war /var/lib/tomcat/webapps/ROOT.war
# Add template guacamole.properties which will be populated with environment
# variables during startup by the entrypoint script
COPY guacamole.properties.docker /etc/guacamole/
# Tomcat will be accessed via port 8080
EXPOSE 8080
# Use combined Tomcat+guacd entrypoint
ENTRYPOINT [ "/opt/keeper/share/guacamole/entrypoint-combined.sh" ]Creating a separate Guacamole image (without guacd)
A Docker image contains only the Guacamole web application will require at least the following packages:
kcm-guacamole
tomcat
If using LDAP and/or one of the supported databases for authentication, the relevant packages for those authentication methods will also be installed:
kcm-guacamole-auth-saml
kcm-guacamole-auth-openid
kcm-guacamole-auth-duo
kcm-guacamole-auth-json
kcm-guacamole-auth-ldap
kcm-guacamole-auth-mysql
kcm-guacamole-auth-postgresql
kcm-guacamole-auth-sqlserver
kcm-guacamole-auth-totp
If you will be using guacamole.properties.docker to provide configuration options that leverage environment variables, the gettext package is required
gettext
A Dockerfile which contains only the web application, uses MySQL for authentication, and which leverages guacamole.properties.docker would look like the following:
# Build off CentOS 7
FROM centos:centos7
# Add the Keeper Connection Manager repository
COPY kcm.repo /etc/yum.repos.d/
# Install Guacamole and Tomcat
RUN yum install -y \
gettext \
kcm \
kcm-guacamole-auth-jdbc-mysql \
tomcat \
&& yum clean all \
&& rm /etc/yum.repos.d/kcm.repo
# Add Tomcat service user to the "guacamole" group
RUN usermod -aG guacamole tomcat
# Deploy the Guacamole web application under Tomcat
RUN ln -s /opt/keeper/share/guacamole/guacamole.war /var/lib/tomcat/webapps/ROOT.war
# Add template guacamole.properties which will be populated with environment
# variables during startup by the entrypoint script
COPY guacamole.properties.docker /etc/guacamole/
# Tomcat will be accessed via port 8080
EXPOSE 8080
# Use Guacamole entrypoint
ENTRYPOINT [ "/opt/keeper/share/guacamole/entrypoint-guacamole.sh" ]Creating a separate guacd image (without Guacamole)
A Docker image which contains only guacd will require at least the kcm-guacd package:
kcm-guacd
You must also install at least one package providing protocol support. The packages required depend only on the protocols you intend to support, which may well be all protocols supported by Guacamole:
kcm-libguac-client-rdp
kcm-libguac-client-ssh
kcm-libguac-client-telnet
kcm-libguac-client-vnc
If providing support for telnet, you will also need to configure your image to use the EPEL repository by installing the epel-release package. This package will need to be installed before the kcm-libguac-client-telnet package, as its dependencies will not be able to be satisfied without EPEL:
epel-release
A Dockerfile which contains only guacd and provides support for absolutely all protocols would look like the following:
# Build off CentOS 7
FROM centos:centos7
# Add the Keeper Connection Manager repository
COPY kcm.repo /etc/yum.repos.d/
# Install guacd and protocol support
RUN yum install -y epel-release \
&& yum install -y \
kcm-guacd \
kcm-libguac-client-rdp \
kcm-libguac-client-ssh \
kcm-libguac-client-telnet \
kcm-libguac-client-vnc \
&& yum clean all \
&& rm /etc/yum.repos.d/kcm.repo
# guacd will be accessed via port 4822
EXPOSE 4822
# Use guacd entrypoint
ENTRYPOINT [ "/opt/keeper/share/guacd/entrypoint-guacd.sh" ]