[
https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292206#comment-17292206
]
Mirek Malinowski commented on GUACAMOLE-1212:
---------------------------------------------
Please find below a response from the FreeIPA team. It looks like reusing the OTP
token is not allowed, and the correct way of doing it would be to reuse the
existing connection rather than create a new one.
""""""
LDAP bind with OTP is done by providing password and OTP code as a
single string. If your LDAP client attempts to reuse the same
credentials (e.g. password+OTP code) twice, that's wrong and should
never be done. After all, it is one time password, should not be cached
and re-authenticated.
Guacamole's LDAP implementation seems to assume that once it gets some
credentials to authenticate to LDAP, it will be able to re-establish new
LDAP connection and re-authenticate with these credentials over and over
again. This is wrong for OTP authentication, you cannot do that,
regardless of the protocol used to bear the authentication request.
So I would suggest you to explain to Guacamole developers that they need
to support a situation when credentials need to be re-requested from a
user every time this authentication has to happen instead of caching
them. I also would suggest to having this as a configuration option to
disable credential caching because otherwise an invalid LDAP bind would
always increase user failed authentication count and may lock user out
faster than expected.
""""""""
> Support 2FA Directly in LDAP Extension
> --------------------------------------
>
> Key: GUACAMOLE-1212
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1212
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-ldap
> Reporter: Brett Smith
> Priority: Minor
> Attachments: user-with-otp-trace-level.log
>
>
> I'm using FreeIPA in my environment. I have guacamole-auth-ldap enabled and
> configured and it works fine for users who do not have 2FA enabled. For our
> users with 2FA enabled, we are using TOTP tokens provided by FreeIPA.
> When investigating a tcpdump between guacamole and the LDAP server, I can see
> that guacamole passes the username and password to the LDAP server twice.
> This works fine for a traditional username and password, but for a
> 2FA-enabled user, the second authentication attempt returns failure since the
> TOTP is one-time use. 2FA login attempts result in the guacamole logs
> outputting "successfully authenticated" while the web UI shows "Invalid
> Login" in a red banner.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)