someorg/Easy-Guacamole-Installer
1
0
Fork 0
mirror of https://github.com/itiligent/Easy-Guacamole-Installer.git synced 2025-12-13 18:02:32 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update ACTIVE-DIRECTORY-HOW-TO.md

Browse source
This commit is contained in:
Itiligent 2024-06-14 16:36:08 +10:00
parent a30b024684
commit ef0243538b
1 changed files with 7 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
ACTIVE-DIRECTORY-HOW-TO.md
View file

@ -47,13 +47,13 @@ ldap-max-search-results:200
- **Important note on `mysql-auto-create-accounts:`** This line is optional and can be deleted if using Active Directory authentication without Guacamole's implementation of MFA. This line ensures that all Active Directory user accounts will have a matching user account created in the Guacamole database at thier first Guacmaole logon with thier AD accout. Only if Gucamole's MFA feature is to be provisioned is a local Guacamole account required, and automating this step can aid MFA deployment. If you want to provision Guacamole MFA access to just a limited selection of Active Diretory users, you may remove this line and manually create the passwordless Guacamole database local account pairings as needed. [See below for more.](https://github.com/itiligent/Guacamole-Install/blob/main/ACTIVE-DIRECTORY-HOW-TO.md#busts_in_silhouette-manually-creating-and-configuring-new-guacamole-users-for-active-directory-authentication-with-mfa) - **Important note on `mysql-auto-create-accounts:`** This line is optional and can be deleted if using Active Directory authentication without Guacamole's implementation of MFA. This line ensures that all Active Directory user accounts will have a matching user account created in the Guacamole database at thier first Guacmaole logon with thier AD accout. Only if Gucamole's MFA feature is to be provisioned is a local Guacamole account required, and automating this step can aid MFA deployment. If you want to provision Guacamole MFA access to just a limited selection of Active Diretory users, you may remove this line and manually create the passwordless Guacamole database local account pairings as needed. [See below for more.](https://github.com/itiligent/Guacamole-Install/blob/main/ACTIVE-DIRECTORY-HOW-TO.md#busts_in_silhouette-manually-creating-and-configuring-new-guacamole-users-for-active-directory-authentication-with-mfa)
#### If your AD has TLS implemented via a self signed certificate you must also apply the 5 steps below, else skip... For more info see [#18](https://github.com/itiligent/Guacamole-Install/issues/18) #### If your AD has TLS implemented via a self signed certificate you must also apply the extra TLS tasks A to E below, else skip to Step 4 ... For more info see [#18](https://github.com/itiligent/Guacamole-Install/issues/18)
1. Adjust this line in the above template for add-ldap-auth-guacamole.sh (Values can be none, ssl or stattls) TLS task A. Adjust this line in the above template for add-ldap-auth-guacamole.sh (Values can be none, ssl or stattls)
``` ```
ldap-encryption-method: starttls ldap-encryption-method: starttls
``` ```
2. Next, you must obtain your AD TLS cert. TLS task B. Next, you must obtain your AD TLS cert.
``` ```
openssl s_client -connect X.X.X.X:389 \ openssl s_client -connect X.X.X.X:389 \
-starttls ldap \ -starttls ldap \
@ -61,12 +61,12 @@ openssl s_client -connect X.X.X.X:389 \
openssl x509 -text | \ openssl x509 -text | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
``` ```
3. Copy the certificate contents from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and paste this into a file (e.g. adcert.pem as per below) TLS task C. Copy the certificate contents from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and paste this into a file (e.g. adcert.pem as per below)
``` ```
sudo nano /etc/ssl/certs/adcert.pem # then paste certificate output sudo nano /etc/ssl/certs/adcert.pem # then paste certificate output
``` ```
4. Now import the AD cert file into the Java keystore TLS task D. Now import the AD cert file into the Java keystore
``` ```
sudo keytool -importcert -alias adcert \ sudo keytool -importcert -alias adcert \
-file /etc/ssl/certs/adcert.pem \ -file /etc/ssl/certs/adcert.pem \
@ -74,9 +74,9 @@ sudo keytool -importcert -alias adcert \
-storepass changeit \ -storepass changeit \
-noprompt -noprompt
``` ```
5. Restart Apache Tomcat TLS task E. Restart Apache Tomcat
```` ````
systemctl restart tomcat9 TOMCAT=$(ls /etc/ | grep tomcat) && sudo systemctl restart ${TOMCAT}
```` ````
### :computer: **Step 4: Run the (now customised) LDAP configuration script** ### :computer: **Step 4: Run the (now customised) LDAP configuration script**