Mirek Malinowski created GUACAMOLE-1301:
-------------------------------------------

             Summary: LDAP auth against FreeIPA with OTP enabled throws invalid 
login; Tomcat logs show successfully authenticated. Works fine for non-OTP 
users.
                 Key: GUACAMOLE-1301
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1301
             Project: Guacamole
          Issue Type: Bug
          Components: guacamole-auth-ldap
    Affects Versions: 1.3.0
         Environment: Ubuntu 20.04 server
Linux guacamole 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 
x86_64 x86_64 x86_64 GNU/Linux
            Reporter: Mirek Malinowski


Hi,

We are at the stage of deploying FreeIPA 2FA for all our users and services. 
Guacamole runs in Docker containers. During initial testing it turned out that 
users with OTP enabled are unable to log in to the front-end; however, running 
"docker logs guacamole" shows:

14:12:11.440 [http-nio-8080-exec-10] INFO o.a.g.r.auth.AuthenticationService - 
User "c111111" successfully authenticated from 10.0.0.6.

When I type a wrong password on purpose, it correctly shows as failed; also, 
when OTP is disabled for the same user, the user is able to log in.

14:11:43.730 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - 
Authentication attempt from 10.0.0.6 for user "c111111" failed.

I wonder if it has anything to do with the latest changes to the FreeIPA sssd 
implementation, where they allow multiple authentication options and, for 2FA, 
introduce two prompts: one for the password and a second for the OTP token.

https://github.com/neutrinolabs/xrdp/issues/676

There is a workaround: enable both password and OTP authentication in FreeIPA. 
Surprisingly, I can then log in using the password only, and on the hosts I can 
restrict SSH and RDP to password+OTP only. However, by doing this we also weaken 
our VPN security, as you can then log in to the VPN with a password only, since 
FreeIPA is our central LDAP store.

Also, as a test, I downloaded Apache Directory Studio and authentication there 
works fine, so maybe Guacamole is doing some extra checks after auth and that is 
where it fails; it would also explain why the logs show successfully 
authenticated. I don't know, as I'm no Java expert.

Just to be precise, we use LDAP without extra changes to the LDAP schema.

My Docker setup is as follows:

version: '3'
services:
  guacdb:
    container_name: guacdb
    image: mysql/mysql-server
    restart: unless-stopped
    volumes:
      - '/data/mysql/var/lib/mysql:/var/lib/mysql'
    environment:
      MYSQL_ROOT_PASSWORD: <PWD>
      MYSQL_DATABASE: 'guacamoledb'
      MYSQL_USER: 'guacadmin'
      MYSQL_PASSWORD: <PWD>

  guacd:
    image: guacamole/guacd
    container_name: guacd
    restart: unless-stopped

  guacamole:
    image: guacamole/guacamole
    container_name: guacamole
    restart: unless-stopped
    ports:
      - 8080:8080
    links:
      - guacd
      - guacdb
    volumes:
      - '/data/guacamole/etc/ssl/certs/lab-ipa:/etc/ssl/certs/lab-ipa'
    # Import the FreeIPA CA into the JVM trust store before starting Guacamole,
    # so that the LDAPS connection to lab-ipa.mydomain.lab is trusted.
    command: >-
      sh -c "keytool -storepass changeit -importcert -noprompt -alias labipa
      -file /etc/ssl/certs/lab-ipa/lab-ipa.mydomain.lab.pam
      -keystore /usr/local/openjdk-8/jre/lib/security/cacerts
      && /opt/guacamole/bin/start.sh"
    environment:
      GUACD_HOSTNAME: guacd
      MYSQL_HOSTNAME: guacdb
      MYSQL_DATABASE: guacamoledb
      MYSQL_USER: guacadmin
      MYSQL_PASSWORD: <PWD>
      LDAP_HOSTNAME: 'lab-ipa.mydomain.lab'
      LDAP_PORT: 636
      #LDAP_ENCRYPTION_METHOD: starttls
      LDAP_ENCRYPTION_METHOD: ssl
      LDAP_USER_BASE_DN: 'cn=users,cn=accounts,dc=mydomain,dc=lab'
      LDAP_GROUP_BASE_DN: 'cn=groups,cn=accounts,dc=mydomain,dc=lab'
      LDAP_SEARCH_BIND_DN: 'uid=guacadmin,cn=users,cn=accounts,dc=mydomain,dc=lab'
      LDAP_SEARCH_BIND_PASSWORD: <PWD>
      LDAP_USER_ATTRIBUTES: 'uid'
      LDAP_USER_SEARCH_FILTER: '(memberof=cn=guacamole-users,cn=groups,cn=accounts,dc=mydomain,dc=lab)'
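To separate the bind that the Tomcat log reports as "successfully authenticated" from whatever is rejected afterwards, here is an added diagnostic (not Guacamole's own code, and not from the reporter) that replays the LDAP stages with the DNs and filter from the compose file above. It assumes the ldap3 library for the live backend, that Guacamole ANDs the username lookup with LDAP_USER_SEARCH_FILTER, and that an OTP user's bind secret is the password followed by the token; the post-bind stage models the reporter's "extra checks" hypothesis, not confirmed provider behaviour.

```python
# Added diagnostic (not Guacamole's code): runs the stages guacamole-auth-ldap
# performs for a login (search bind, user lookup, user bind) plus a fourth
# stage modelling the post-auth checks the reporter suspects, and reports the
# first stage that fails. DNs/filter are from the docker-compose above; stage 4
# and "password+token" for OTP users are assumptions, not provider behaviour.
USER_BASE_DN = "cn=users,cn=accounts,dc=mydomain,dc=lab"
SEARCH_BIND_DN = "uid=guacadmin,cn=users,cn=accounts,dc=mydomain,dc=lab"
USER_ATTR = "uid"
USER_FILTER = "(memberof=cn=guacamole-users,cn=groups,cn=accounts,dc=mydomain,dc=lab)"

def build_user_filter(username: str) -> str:
    """AND the username with LDAP_USER_SEARCH_FILTER; RFC 4515-escape the name."""
    esc = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    safe = "".join(esc.get(ch, ch) for ch in username)
    return f"(&({USER_ATTR}={safe}){USER_FILTER})"

def diagnose(username, secret, search_bind_pw, search, bind):
    """First failing (stage, detail), or ("ok", user_dn). search(bind_dn, pw,
    base, filt) -> [dn...] raising on bind failure; bind(dn, pw) -> bool."""
    filt = build_user_filter(username)
    try:
        dns = search(SEARCH_BIND_DN, search_bind_pw, USER_BASE_DN, filt)
    except Exception as exc:          # service account could not bind
        return "search-bind", str(exc)
    if len(dns) != 1:                 # unknown user or not in guacamole-users
        return "user-lookup", f"{len(dns)} entries matched {filt}"
    user_dn = dns[0]
    if not bind(user_dn, secret):     # the step the Tomcat log calls authenticated
        return "user-bind", user_dn
    try:                              # stage 4 (assumed): same lookup as the user
        seen = search(user_dn, secret, USER_BASE_DN, filt)
    except Exception as exc:
        return "post-bind-search", str(exc)
    if user_dn not in seen:
        return "post-bind-search", "own entry not visible with user credentials"
    return "ok", user_dn

def ldap3_backend(host="lab-ipa.mydomain.lab", port=636):
    # (search, bind) pair for the real LDAPS server; ldap3 is imported lazily.
    from ldap3 import Connection, Server
    from ldap3.core.exceptions import LDAPBindError
    server = Server(host, port=port, use_ssl=True)
    def search(bind_dn, pw, base, filt):
        conn = Connection(server, user=bind_dn, password=pw, auto_bind=True)
        conn.search(base, filt, attributes=[USER_ATTR])
        return [entry.entry_dn for entry in conn.entries]
    def bind(dn, pw):
        try:
            Connection(server, user=dn, password=pw, auto_bind=True).unbind()
            return True
        except LDAPBindError:
            return False
    return search, bind
```

Run it against the live server with `diagnose("c111111", password_plus_token, search_bind_pw, *ldap3_backend())` and compare the reported stage with the Tomcat log line for the same attempt.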



--
This message was sent by Atlassian Jira
(v8.3.4#803005)