[ https://issues.apache.org/jira/browse/GUACAMOLE-1213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17232816#comment-17232816 ]

Todd Gould commented on GUACAMOLE-1213:
---------------------------------------

I have resolved this issue.  To do so, I had to follow the following (less than 
intuitive) steps that I could not find in the guacamole documentation - perhaps 
I missed them somehow?

a) deploy guacamole docker image WITHOUT TOTP
b) login as guacadmin
c) create local user within guac for LDAP user
d) login to guac with LDAP (enabling ability to see AD users)
e) within guacamole, set setting for LDAP user to include 'change own password'
f) redeploy guacamole docker image with TOTP
g) remember LDAP users are case sensitive

LDAP users can now successfully login to guacamole and associate with MFA.


Steps a) - e) were the key.  If you first deploy guacamole with TOTP before 
changing the user's 'change own password' setting within guacamole, you will 
encounter errors such as I did.  FYI, I was NOT able to even see the LDAP users 
at first with TOTP deployed and logging in as guacadmin.  I needed to revert to 
an image that did not have TOTP and then create a local user to match LDAP user.


> TOTP PSQLException following successful LDAP authentication
> -----------------------------------------------------------
>
>                 Key: GUACAMOLE-1213
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1213
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-jdbc-postgresql, guacamole-auth-ldap, 
> guacamole-auth-totp
>    Affects Versions: 1.2.0
>            Reporter: Todd Gould
>            Priority: Major
>
> I have successfully deployed both guacd and guacamole via docker image to AWS 
> ECS. I have added the TOTP extension to the image. Additionally, I have 
> successfully configured guacamole to use LDAPs to integrate with a Microsoft 
> Active Directory and a Postgres database.
> Background:
> I can see in the guacamole logs that a login attempt is successfully 
> authenticated by the configured LDAPs.
> {code:none}
> 15:25:40.889 [http-nio-8080-exec-4] INFO o.a.g.r.auth.AuthenticationService - 
> User "<user-name>" successfully authenticated from <ip-address>.
> {code}
> I have additionally verified that the same login attempt (with the same 
> user/credentials) will result in successful login and access to the guacamole 
> application when I temporarily deploy WITHOUT the TOTP extension for testing 
> purposes. As I require the MFA protection provided by TOTP, this is not an 
> acceptable option in this situation.
> The problem:
> In response to this successful login, the TOTP plugin proceeds to attempt to 
> add/update the associated user in the Postgres DB. This fails as is shown in 
> the following guacamole log entries.
> {code:none}
> 15:25:41.003 [http-nio-8080-exec-4] ERROR o.a.g.rest.RESTExceptionMapper - 
> Unexpected internal error:
> ### Error updating database. Cause: org.postgresql.util.PSQLException: ERROR: 
> operator does not exist: integer = character varying
> Hint: No operator matches the given name and argument types. You might need 
> to add explicit type casts.
> Position: 487
> ### The error may involve 
> org.apache.guacamole.auth.jdbc.user.UserMapper.update-Inline
> ### The error occurred while setting parameters
> ### SQL: UPDATE guacamole_user SET password_hash = ?, password_salt = ?, 
> password_date = ?, disabled = ?, expired = ?, access_window_start = ?, 
> access_window_end = ?, valid_from = ?, valid_until = ?, timezone = ?, 
> full_name = ?, email_address = ?, organization = ?, organizational_role = ? 
> WHERE user_id = ?
> ### Cause: org.postgresql.util.PSQLException: ERROR: operator does not exist: 
> integer = character varying
> {code}
> The associated stack trace stems from
> org.apache.guacamole.auth.totp.TOTPAuthenticationProvider.decorate(TOTPAuthenticationProvider.java:76)
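The failure pattern in the quoted log excerpt (a successful LDAP authentication on one request thread, followed within a second by a PSQLException on the same thread while the TOTP extension updates the user row) is easy to miss in a busy log, because the user has already been authenticated and only the MFA enrollment breaks. The following is an added example, not code from the Guacamole project or from this issue, that correlates the two log lines by thread name and reports the affected user; the sample log lines are constructed to mirror the format quoted above, with placeholder usernames, IP addresses and thread names, and the five-second correlation window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the Guacamole log format quoted in the
# issue; usernames, IPs and thread names are placeholders, not real data.
SAMPLE_LOG = """\
15:25:40.889 [http-nio-8080-exec-4] INFO o.a.g.r.auth.AuthenticationService - User "jdoe" successfully authenticated from 10.0.0.5.
15:25:41.003 [http-nio-8080-exec-4] ERROR o.a.g.rest.RESTExceptionMapper - Unexpected internal error:
### Error updating database. Cause: org.postgresql.util.PSQLException: ERROR: operator does not exist: integer = character varying
15:26:10.120 [http-nio-8080-exec-2] INFO o.a.g.r.auth.AuthenticationService - User "asmith" successfully authenticated from 10.0.0.9.
15:27:02.001 [http-nio-8080-exec-7] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.0.0.7 for user "bob" failed.
"""

# One logback-style line: time, [thread], LEVEL, logger, " - ", message.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<thread>[^\]]+)\] '
    r'(?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$'
)
AUTH_OK_RE = re.compile(
    r'User "(?P<user>[^"]+)" successfully authenticated from (?P<ip>\S+)\.'
)


def parse_log(text):
    """Split log text into entries; lines that do not start with a timestamp
    (the MyBatis '###' detail lines) are folded into the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entry = m.groupdict()
            entry['ts'] = datetime.strptime(entry['ts'], '%H:%M:%S.%f')
            entries.append(entry)
        elif entries:
            entries[-1]['msg'] += '\n' + raw
    return entries


def find_post_auth_db_failures(text, window_seconds=5.0):
    """Report users whose successful authentication was followed, on the same
    request thread and within window_seconds, by a PSQLException error.
    Returns a list of dicts (user, ip, thread, delay_s, cause)."""
    last_auth = {}   # thread name -> (user, ip, timestamp of successful auth)
    findings = []
    for entry in parse_log(text):
        auth = AUTH_OK_RE.search(entry['msg'])
        if auth:
            last_auth[entry['thread']] = (auth['user'], auth['ip'], entry['ts'])
            continue
        if (entry['level'] == 'ERROR'
                and 'PSQLException' in entry['msg']
                and entry['thread'] in last_auth):
            user, ip, auth_ts = last_auth[entry['thread']]
            delay = (entry['ts'] - auth_ts).total_seconds()
            if 0 <= delay <= window_seconds:
                cause = re.search(r'PSQLException: (.*)', entry['msg'])
                findings.append({
                    'user': user,
                    'ip': ip,
                    'thread': entry['thread'],
                    'delay_s': delay,
                    'cause': cause.group(1).strip() if cause else '',
                })
                # One finding per authentication; forget the thread's auth.
                last_auth.pop(entry['thread'])
    return findings


if __name__ == '__main__':
    for f in find_post_auth_db_failures(SAMPLE_LOG):
        print(f"user={f['user']} ip={f['ip']} thread={f['thread']} "
              f"+{f['delay_s']:.3f}s: {f['cause']}")
```

Running it against a real guacamole log (for example the output of `docker logs` on the guacamole container) lists each LDAP user who authenticated but could not be enrolled in TOTP because the database update failed, which is the population an administrator needs to repair with the steps in the comment above.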



--
This message was sent by Atlassian Jira
(v8.3.4#803005)