[ 
https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292462#comment-17292462
 ] 

Nick Couchman commented on GUACAMOLE-1212:
------------------------------------------

{quote}
For point 1, it's only an issue for SSSD, and the FreeIPA team has confirmed 
SSSD is not used here; it is a plain direct LDAP connection, so password+otp in 
a single string is sufficient.
{quote}

For your use-case, yes, but this ticket was opened by someone else who may have 
a different scenario where they want to be able to put in the OTP separate from 
the password (or PIN, however that works). I don't think one necessarily ought 
to negate the other, and I'm not in favor of throwing out the original 
request/issue.

{quote}
For point 2, the fix for a scenario where LDAP is only used for authentication 
would be very simple: just don't do the 2nd connection. It could be controlled 
by an extra flag in the config.
{quote}

Yes, when LDAP is used for authentication only, this should be doable. But, as 
that's not the only way it's used, it must scale outside of that, and the 
configuration storage scenarios have to be taken into consideration.

{quote}
For scenarios where Guacamole settings are stored in LDAP, maybe a user from the 
config could be used for all LDAP queries; that user is not 2FA, so the 
connection could be opened as many times as needed.
{quote}

The problem with this approach is that the LDAP extension relies upon LDAP 
security of the user logging in to control what the user has access to. If this 
gets changed to where a generic "search user" is used (outside of locating the 
original user account), then it negates that part of the LDAP module's 
security. I'm on the fence about even making that an option, and it definitely 
should not be the default mode - the current method of authenticating with the 
user who is logging in is very intentionally designed.

> Support 2FA Directly in LDAP Extension
> --------------------------------------
>
>                 Key: GUACAMOLE-1212
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1212
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Brett Smith
>            Priority: Minor
>         Attachments: user-with-otp-trace-level.log
>
>
> I'm using FreeIPA in my environment. I have guacamole-auth-ldap enabled and 
> configured and it works fine for users who do not have 2FA enabled. For our 
> users with 2FA enabled, we are using TOTP tokens provided by FreeIPA.
> When investigating a tcpdump between guacamole and the LDAP server, I can see 
> that guacamole passes the username and password to the LDAP server twice. 
> This works fine for a traditional username and password, but for a 
> 2FA-enabled user, the second authentication attempt returns failure since the 
> TOTP is one-time use. 2FA login attempts result in the guacamole logs 
> outputting "successfully authenticated" while the web UI shows "Invalid 
> Login" in a red banner.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

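The failure mode reported in the issue (a second bind with the same password+OTP string is rejected because the TOTP code is one-time use) and the trade-off Nick raises about a configured "search user" can be reproduced with a small simulation. The following is an added example written for this page; it is not Guacamole or FreeIPA code. `MockLdapServer`, `Connection`, the three `login_*` strategies, the user DNs, passwords, entry names and the per-entry read ACL are all constructed for the demonstration, and the server's replay rule (one successful bind per user per 30-second TOTP step) is an assumption that models "TOTP is one-time use", not FreeIPA's actual implementation. The TOTP code itself follows RFC 4226/6238 with the RFC 4226 test secret.

```python
"""Simulation of the GUACAMOLE-1212 double-bind failure (added example)."""
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current time step."""
    return hotp(secret, now // STEP)


class MockLdapServer:
    """Hypothetical directory: bind password is `password + OTP` for 2FA users,
    and a given user's OTP for a time step is accepted only once (assumption)."""

    def __init__(self):
        self.users = {}       # dn -> (password, totp secret or None)
        self.entries = {}     # entry dn -> set of user dns allowed to read it
        self.used_codes = set()

    def add_user(self, dn, password, totp_secret=None):
        self.users[dn] = (password, totp_secret)

    def add_entry(self, dn, readable_by):
        self.entries[dn] = set(readable_by)

    def bind(self, dn, credential, now):
        """Return an authenticated Connection, or None if the bind fails."""
        password, secret = self.users.get(dn, (None, None))
        if password is None:
            return None
        if secret is None:  # plain password user: no one-time component
            return Connection(self, dn) if hmac.compare_digest(credential, password) else None
        if len(credential) <= len(password):
            return None
        if not hmac.compare_digest(credential[:len(password)], password):
            return None
        code, counter = credential[len(password):], now // STEP
        if not hmac.compare_digest(code, hotp(secret, counter)):
            return None
        if (dn, counter) in self.used_codes:
            return None  # replay of an already-consumed OTP is rejected
        self.used_codes.add((dn, counter))
        return Connection(self, dn)


class Connection:
    def __init__(self, server, bound_dn):
        self.server, self.bound_dn = server, bound_dn

    def search(self):
        """Entries the bound identity may read (server-side ACL, constructed)."""
        return sorted(dn for dn, acl in self.server.entries.items() if self.bound_dn in acl)


def login_double_bind(server, dn, credential, now):
    """Behaviour the issue describes: bind to authenticate, then bind again
    with the same credential to run the follow-up queries."""
    if server.bind(dn, credential, now) is None:
        return None
    conn = server.bind(dn, credential, now)  # second bind reuses the OTP
    return None if conn is None else conn.search()


def login_single_bind(server, dn, credential, now):
    """Bind once and keep that authenticated connection for the queries."""
    conn = server.bind(dn, credential, now)
    return None if conn is None else conn.search()


def login_search_account(server, dn, credential, svc_dn, svc_pw, now):
    """Alternative raised in the thread: verify the user, then query as a
    configured non-2FA account. Results reflect that account's ACL, not the user's."""
    if server.bind(dn, credential, now) is None:
        return None
    conn = server.bind(svc_dn, svc_pw, now)
    return None if conn is None else conn.search()


def build_demo():
    """Constructed sample directory: one TOTP user, one plain user, one service account."""
    server = MockLdapServer()
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret
    server.add_user("uid=alice", "alice-pw", secret)
    server.add_user("uid=bob", "bob-pw")
    server.add_user("uid=svc", "svc-pw")
    server.add_entry("cn=alice-desktop", {"uid=alice", "uid=svc"})
    server.add_entry("cn=bob-desktop", {"uid=bob", "uid=svc"})
    return server, secret


if __name__ == "__main__":
    now = 1_000_000
    for name, fn in (("double bind", login_double_bind), ("single bind", login_single_bind)):
        server, secret = build_demo()
        print(name, "->", fn(server, "uid=alice", "alice-pw" + totp(secret, now), now))
    server, secret = build_demo()
    print("search account ->", login_search_account(
        server, "uid=alice", "alice-pw" + totp(secret, now), "uid=svc", "svc-pw", now))
```

Run stand-alone, the double-bind strategy returns `None` for the TOTP user (authenticated once, then rejected on the repeat bind, which is the "successfully authenticated" / "Invalid Login" mismatch in the report), the single-bind strategy returns only `cn=alice-desktop`, and the search-account strategy returns both desktops, showing why a generic query account bypasses the per-user LDAP access control the extension relies on.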