[ https://issues.apache.org/jira/browse/GUACAMOLE-1301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman closed GUACAMOLE-1301.
------------------------------------
    Resolution: Duplicate

This isn't a bug, per se, but something that needs to be implemented in the 
LDAP extension - and there's already a JIRA issue for it: GUACAMOLE-1212

> LDAP auth against FreeIPA with OTP enabled throws invalid login; Tomcat logs 
> show successfully authenticated. Works fine for non-OTP users.
> -------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1301
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1301
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-ldap
>    Affects Versions: 1.3.0
>         Environment: Ubuntu 20.04 server
> Linux guacamole 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 
> x86_64 x86_64 x86_64 GNU/Linux
>            Reporter: Mirek Malinowski
>            Priority: Major
>              Labels: freeipa, ldap, totp
>
> Hi,
> We are at the stage of deploying FreeIPA 2FA for all our users and services. 
> Guacamole is in docker containers. During initial testing it turns out users 
> with OTP enabled are unable to log in to the front-end; however, running 
> "docker logs guacamole" is showing:
> 14:12:11.440 [http-nio-8080-exec-10] INFO o.a.g.r.auth.AuthenticationService - User "c111111" successfully authenticated from 10.0.0.6.
> When I on purpose type a wrong password it correctly shows failed; also, 
> when OTP for the same user is disabled, the user is able to log in.
> 14:11:43.730 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.0.0.6 for user "c111111" failed.
>  
> I wonder if it has anything to do with the latest changes to the FreeIPA sssd 
> implementation, where they allow multiple authentication options and for 2FA 
> they try to introduce two prompts, one for the password and a 2nd for the OTP token.
> [https://github.com/neutrinolabs/xrdp/issues/676]
> There is a workaround to enable password and OTP authentication in FreeIPA, 
> and surprisingly then I can log in using password only, and then on hosts I 
> can restrict ssh and rdp to password+otp only; however, by doing it we also 
> weaken our VPN security, as then you can log in to the VPN with password only, as 
> FreeIPA is our central LDAP store.
> Also, as a test, I've downloaded Apache Directory Studio and authentication 
> there is working fine, so maybe Guacamole after auth is doing some extra 
> checks and that's where it is failing; it would also explain why the logs are 
> showing successfully authenticated. Don't know, as I'm no Java expert.
> Just to be precise, we use LDAP without extra changes in the LDAP schema.
> My docker setup is as follows:
> version: '3'
> services:
>   guacdb:
>     container_name: guacdb
>     image: mysql/mysql-server
>     restart: unless-stopped
>     volumes:
>       - '/data/mysql/var/lib/mysql:/var/lib/mysql'
>     environment:
>       MYSQL_ROOT_PASSWORD: <PWD>
>       MYSQL_DATABASE: 'guacamoledb'
>       MYSQL_USER: 'guacadmin'
>       MYSQL_PASSWORD: <PWD>
>   guacd:
>     image: guacamole/guacd
>     container_name: guacd
>     restart: unless-stopped
>   guacamole:
>     image: guacamole/guacamole
>     container_name: guacamole
>     restart: unless-stopped
>     ports:
>       - 8080:8080
>     links:
>       - guacd
>       - guacdb
>     volumes:
>       - '/data/guacamole/etc/ssl/certs/lab-ipa:/etc/ssl/certs/lab-ipa'
>     # import the FreeIPA CA certificate into the JVM truststore before starting Guacamole
>     command: sh -c "keytool -storepass changeit -importcert -noprompt -alias labipa -file /etc/ssl/certs/lab-ipa/lab-ipa.mydomain.lab.pam -keystore /usr/local/openjdk-8/jre/lib/security/cacerts && /opt/guacamole/bin/start.sh"
>     environment:
>       GUACD_HOSTNAME: guacd
>       MYSQL_HOSTNAME: guacdb
>       MYSQL_DATABASE: guacamoledb
>       MYSQL_USER: guacadmin
>       MYSQL_PASSWORD: <PWD>
>       LDAP_HOSTNAME: 'lab-ipa.mydomain.lab'
>       LDAP_PORT: 636
>       #LDAP_ENCRYPTION_METHOD: starttls
>       LDAP_ENCRYPTION_METHOD: ssl
>       LDAP_USER_BASE_DN: 'cn=users,cn=accounts,dc=mydomain,dc=lab'
>       LDAP_GROUP_BASE_DN: 'cn=groups,cn=accounts,dc=mydomain,dc=lab'
>       LDAP_SEARCH_BIND_DN: 'uid=guacadmin,cn=users,cn=accounts,dc=mydomain,dc=lab'
>       LDAP_SEARCH_BIND_PASSWORD: <PWD>
>       LDAP_USER_ATTRIBUTES: 'uid'
>       LDAP_USER_SEARCH_FILTER: '(memberof=cn=guacamole-users,cn=groups,cn=accounts,dc=mydomain,dc=lab)'
--
This message was sent by Atlassian Jira
(v8.3.4#803005)