[
https://issues.apache.org/jira/browse/GUACAMOLE-785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16829307#comment-16829307
]
Paul McDonnell commented on GUACAMOLE-785:
------------------------------------------
Thanks for the help, Nick. Looks like the issue was that the second LDAP search
was halting after returning a number of LDAP results. I've subsequently changed
the filter to return only a smaller number of members of an AD group that are
allowed to log in to this system. We can close off this issue.
> TOTP causing LDAP to change its query
> -------------------------------------
>
> Key: GUACAMOLE-785
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-785
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-ldap, guacamole-auth-totp
> Affects Versions: 1.0.0
> Reporter: Paul McDonnell
> Priority: Major
>
> I've got OTP operational on my setup, all worked as expected. I then went to
> enable LDAP but kept getting an error "Unable to query list of objects from
> LDAP directory". After some more debugging, I think the issue is that the
> original search that LDAP does is
> Searching "OU=people,dc=LOCAL,dc=mycompany,dc=COM" for objects matching
> "(&(objectClass=user)(!(objectCategory=computer))(samAccountName=jbloggs))".
> Then, after the TOTP code is typed in, it searches for
> Searching "OU=people,dc=LOCAL,dc=mycompany,dc=COM" for objects matching
> "(&(objectClass=user)(!(objectCategory=computer))(samAccountName=*))".
>
> It replaces the samaccountname=jbloggs with samaccountname=*. I confirmed
> this by changing the ldap-user-search-filter: (samAccountname=jbloggs) and I
> was then able to log in as jbloggs (but not as anyone else).
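Added example (not code from Guacamole or from this issue): it composes a user-search filter of the shape quoted above from a base filter and a username, escapes the username per RFC 4515 so it can never become a wildcard, flags the "(samAccountName=*)" form that matches every account, and shows against constructed directory entries how such a search stops at a server-side size limit. The base terms, attribute name, size limit and entries are assumptions.

```python
# Added example; not Guacamole's code. Base terms and attribute are assumed so
# that the composed filter matches the one quoted in the issue.
import re

BASE_TERMS = "(objectClass=user)(!(objectCategory=computer))"
USERNAME_ATTR = "samAccountName"

# RFC 4515 escapes for characters that would otherwise alter the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so a username cannot inject or wildcard."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, attr: str = USERNAME_ATTR,
                      base_terms: str = BASE_TERMS) -> str:
    """Compose (&<base terms>(<attr>=<username>)) with the username escaped."""
    return f"(&{base_terms}({attr}={escape_filter_value(username)}))"


def matches_every_user(ldap_filter: str, attr: str = USERNAME_ATTR) -> bool:
    """True when the username term is a bare '*', as logged after the TOTP step."""
    pattern = rf"\({re.escape(attr)}=\*\)"
    return re.search(pattern, ldap_filter, re.IGNORECASE) is not None


def search(entries, ldap_filter: str, size_limit: int, attr: str = USERNAME_ATTR):
    """Tiny stand-in for a directory search; returns (matches, hit_size_limit).

    Only the username term is evaluated. Entries are constructed dicts.
    """
    m = re.search(rf"\({re.escape(attr)}=([^)]*)\)", ldap_filter, re.IGNORECASE)
    wanted = m.group(1) if m else "*"
    matches = [e for e in entries
               if wanted == "*"
               or escape_filter_value(e[attr]).lower() == wanted.lower()]
    # A server-side size limit halts the search after that many results.
    if len(matches) > size_limit:
        return matches[:size_limit], True
    return matches, False


# Constructed directory: 1000 generic accounts plus the reporter's user.
DIRECTORY = [{"samAccountName": f"user{i:03d}"} for i in range(1, 1001)]
DIRECTORY.append({"samAccountName": "jbloggs"})

if __name__ == "__main__":
    print(build_user_filter("jbloggs"))
    print(search(DIRECTORY, "(&" + BASE_TERMS + "(samAccountName=*))", 1000)[1])
```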
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)