[https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291471#comment-17291471]
Mirek Malinowski commented on GUACAMOLE-1212:
---------------------------------------------
I've attached the TRACE level log from the authentication process. If that is
not enough, I'm happy to make changes in the code to be more verbose, recompile
and re-run to get the exact message, but those would probably have to be made in
the org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse
function. I think it could be something to do with how FreeIPA has changed the
sssd module: if OTP is enabled, it by default expects two prompts. We had the
same issue with RDP; fortunately for RDP it's an easy workaround, as they allow
you to override the default behaviour to only ask for a single prompt
(single_prompt). Unfortunately there is no such option for LDAP clients;
however, other LDAP clients I've tested, such as Apache Directory Studio and our
VPN, are working fine with just a single prompt, but it could be down to the
fact that they don't do a 2nd authentication/injection to get any extra user
data.
https://sssd.io/docs/design_pages/pam_conversation_for_otp.html
https://sssd.io/docs/design_pages/prompting_for_multiple_authentication_types.html
> Support 2FA Directly in LDAP Extension
> --------------------------------------
>
> Key: GUACAMOLE-1212
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1212
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-ldap
> Reporter: Brett Smith
> Priority: Minor
> Attachments: user-with-otp-trace-level.log
>
>
> I'm using FreeIPA in my environment. I have guacamole-auth-ldap enabled and
> configured and it works fine for users who do not have 2FA enabled. For our
> users with 2FA enabled, we are using TOTP tokens provided by FreeIPA.
> When investigating a tcpdump between guacamole and the LDAP server, I can see
> that guacamole passes the username and password to the LDAP server twice.
> This works fine for a traditional username and password, but for a
> 2FA-enabled user, the second authentication attempt returns failure since the
> TOTP is one-time use. 2FA login attempts result in the guacamole logs
> outputting "successfully authenticated" while the web UI shows "Invalid
> Login" in a red banner.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
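A constructed model of the failure described in the quoted issue (an added example, not Guacamole, FreeIPA or sssd code): the stand-in directory enforces one-time use of the TOTP appended to the password, so a login that binds twice with the same credentials fails while a single bind followed by a lookup succeeds. The DN, static password and base32 secret are made up.

```python
import base64, hashlib, hmac, struct

def totp(secret_b32: str, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(base64.b32decode(secret_b32), counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class OtpDirectory:
    """Constructed stand-in for an OTP-enforcing directory (FreeIPA-like):
    the bind password is <static password><TOTP> and each code is accepted once."""
    def __init__(self):
        self.users = {}    # dn -> (password, totp secret or None, attributes)
        self.used = set()  # (dn, otp) pairs already consumed

    def add_user(self, dn, password, secret, attrs):
        self.users[dn] = (password, secret, attrs)

    def bind(self, dn, credential, now):
        if dn not in self.users:
            return False
        password, secret, _ = self.users[dn]
        if secret is None:                      # no 2FA: plain password
            return hmac.compare_digest(credential, password)
        if not credential.startswith(password):
            return False
        otp = credential[len(password):]
        if not hmac.compare_digest(otp, totp(secret, now)) or (dn, otp) in self.used:
            return False                        # wrong or replayed code
        self.used.add((dn, otp))                # one-time use
        return True

    def search(self, dn):
        return self.users[dn][2]

def login_double_bind(d, dn, cred, now):
    """Pattern described in the issue: bind to authenticate, then bind
    again with the same credentials to read the user's attributes."""
    if not d.bind(dn, cred, now) or not d.bind(dn, cred, now):
        return None                             # second bind replays the OTP
    return d.search(dn)

def login_single_bind(d, dn, cred, now):
    """Bind once and reuse that authenticated session for the lookup."""
    return d.search(dn) if d.bind(dn, cred, now) else None
```

For a user without a TOTP secret both login patterns succeed, which matches the issue's observation that plain password users are unaffected.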