[https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292105#comment-17292105]
Mirek Malinowski commented on GUACAMOLE-1212:
---------------------------------------------
I've done more testing with LOGLEVEL=TRACE, and the FreeIPA response is not very
helpful: it just sends back 0x31 for Invalid Credentials.

NO-OTP   DEBUG org.apache.directory.api.CODEC_LOG - 0x30 0x0C 0x02 0x01 0x01 0x61 0x07 0x0A 0x01 *0x00* 0x04 0x00 0x04 0x00
WITH-OTP DEBUG org.apache.directory.api.CODEC_LOG - 0x30 0x0C 0x02 0x01 0x01 0x61 0x07 0x0A 0x01 *0x31* 0x04 0x00 0x04 0x00
> Support 2FA Directly in LDAP Extension
> --------------------------------------
>
> Key: GUACAMOLE-1212
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1212
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-ldap
> Reporter: Brett Smith
> Priority: Minor
> Attachments: user-with-otp-trace-level.log
>
>
> I'm using FreeIPA in my environment. I have guacamole-auth-ldap enabled and
> configured and it works fine for users who do not have 2FA enabled. For our
> users with 2FA enabled, we are using TOTP tokens provided by FreeIPA.
> When investigating a tcpdump between guacamole and the LDAP server, I can see
> that guacamole passes the username and password to the LDAP server twice.
> This works fine for a traditional username and password, but for a
> 2FA-enabled user, the second authentication attempt returns failure since the
> TOTP is one-time use. 2FA login attempts result in the guacamole logs
> outputting "successfully authenticated" while the web UI shows "Invalid
> Login" in a red banner.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
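The two CODEC_LOG dumps in the comment are BER-encoded LDAP BindResponse PDUs (RFC 4511). The following decoder is an added example for this thread; it is not code from the Jira comment, from Guacamole or from Apache Directory. It reads the two log lines exactly as quoted above (the '*' marks are the commenter's emphasis, not wire bytes), walks the tag-length-value structure, and shows that the only octet that differs is the ENUMERATED resultCode (0x00 = success vs. 0x31 = 49 = invalidCredentials) while matchedDN and diagnosticMessage are both empty OCTET STRINGs, which is why the trace gives no detail beyond the code. The BER reader is hand-written and deliberately minimal: it handles a single BindResponse without referral or LDAP controls, and rejects anything else rather than guessing.

```python
"""Decode the LDAP BindResponse dumps quoted in the GUACAMOLE-1212 comment.

Added example; not code from the Jira thread, Guacamole or Apache Directory.
Minimal BER reader covering exactly what a BindResponse carries
(RFC 4511, sections 4.1.9 and 4.2.2).
"""
from typing import Dict, Tuple, Union

# Subset of LDAP resultCode names (RFC 4511 section 4.1.9).
RESULT_CODES = {0: "success", 49: "invalidCredentials"}

# Log lines copied from the comment; '*' is the author's emphasis on the
# resultCode octet and is not part of the PDU.
NO_OTP_LOG = ("NO-OTP DEBUG org.apache.directory.api.CODEC_LOG - 0x30 0x0C 0x02 0x01 0x01 "
              "0x61 0x07 0x0A 0x01 *0x00* 0x04 0x00 0x04 0x00")
WITH_OTP_LOG = ("WITH-OTP DEBUG org.apache.directory.api.CODEC_LOG - 0x30 0x0C 0x02 0x01 0x01 "
                "0x61 0x07 0x0A 0x01 *0x31* 0x04 0x00 0x04 0x00")


def bytes_from_codec_log(line: str) -> bytes:
    """Collect the 0xNN tokens of a CODEC_LOG line into the raw PDU bytes."""
    tokens = (tok.strip("*") for tok in line.split())
    return bytes(int(tok, 16) for tok in tokens if tok.startswith("0x"))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Single-octet tags only; both short- and long-form lengths are accepted."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                      # long form: low 7 bits = number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    else:
        length, start = first, pos + 2
    end = start + length
    if end > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[start:end], end


def expect(buf: bytes, pos: int, want_tag: int, what: str) -> Tuple[bytes, int]:
    """read_tlv, but fail loudly if the tag is not the one the grammar requires."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"{what}: expected tag 0x{want_tag:02X}, got 0x{tag:02X}")
    return value, nxt


def decode_bind_response(pdu: bytes) -> Dict[str, Union[int, str, None]]:
    """Parse LDAPMessage { messageID, BindResponse } and return its LDAPResult fields.

    BindResponse ::= [APPLICATION 1] SEQUENCE {      -- tag 0x61
        resultCode        ENUMERATED,                -- tag 0x0A
        matchedDN         LDAPDN (OCTET STRING),     -- tag 0x04
        diagnosticMessage LDAPString (OCTET STRING), -- tag 0x04
        referral          [3] OPTIONAL,              -- not handled here
        serverSaslCreds   [7] OCTET STRING OPTIONAL  -- tag 0x87 }
    """
    body, end = expect(pdu, 0, 0x30, "LDAPMessage")
    if end != len(pdu):
        raise ValueError("trailing bytes after LDAPMessage")
    raw_id, pos = expect(body, 0, 0x02, "messageID")
    op, pos = expect(body, pos, 0x61, "BindResponse")
    if pos != len(body):
        raise ValueError("unexpected data after protocolOp (controls not handled here)")
    raw_code, p = expect(op, 0, 0x0A, "resultCode")
    matched_dn, p = expect(op, p, 0x04, "matchedDN")
    diag, p = expect(op, p, 0x04, "diagnosticMessage")
    sasl_creds = None
    if p < len(op) and op[p] == 0x87:     # optional serverSaslCreds
        sasl_creds, p = expect(op, p, 0x87, "serverSaslCreds")
    if p != len(op):
        raise ValueError("unhandled optional component (referral?) in BindResponse")
    code = int.from_bytes(raw_code, "big")
    return {
        "messageID": int.from_bytes(raw_id, "big", signed=True),
        "resultCode": code,
        "resultName": RESULT_CODES.get(code, f"other({code})"),
        "matchedDN": matched_dn.decode("utf-8"),
        "diagnosticMessage": diag.decode("utf-8"),
        "serverSaslCreds": sasl_creds.hex() if sasl_creds is not None else None,
    }


def compare_bind_responses(log_a: str, log_b: str) -> Dict[str, Tuple[object, object]]:
    """Decode two CODEC_LOG lines and return only the LDAPResult fields that differ."""
    a = decode_bind_response(bytes_from_codec_log(log_a))
    b = decode_bind_response(bytes_from_codec_log(log_b))
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for label, line in (("NO-OTP", NO_OTP_LOG), ("WITH-OTP", WITH_OTP_LOG)):
        print(label, decode_bind_response(bytes_from_codec_log(line)))
    print("differs only in:", compare_bind_responses(NO_OTP_LOG, WITH_OTP_LOG))
```

Running it shows both PDUs decode to messageID 1 with empty matchedDN and diagnosticMessage; the WITH-OTP response differs solely in resultCode 49 (invalidCredentials). Any server-side hint about why the bind failed would have to arrive in diagnosticMessage, and FreeIPA leaves it empty here, so the client cannot distinguish a consumed TOTP from a wrong password from the response alone.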