[ https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292464#comment-17292464 ]

Mike Jumper commented on GUACAMOLE-1212:
----------------------------------------

{quote}
I'm on the fence about even making that an option, and it definitely should not 
be the default mode - the current method of authenticating with the user who is 
logging in is very intentionally designed.
{quote}

I agree that we definitely cannot use the search credentials for data retrieval 
by default. There are cases where doing so would be useful (retrieval of group 
memberships), but only if the admin enables this.

Either way, I don't think this applies here. If the concern is that the user 
will be repeatedly prompted for credentials:

* I don't believe this is currently the case. IIRC, the LDAP auth will query 
everything it can as part of the login process, and then cache those resources 
until the user logs out.
* If LDAP queries _are_ repeatedly issued over the course of the session, then 
we should probably just maintain an open connection with the LDAP server while 
the user is logged in.

> Support 2FA Directly in LDAP Extension
> --------------------------------------
>
>                 Key: GUACAMOLE-1212
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1212
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Brett Smith
>            Priority: Minor
>         Attachments: user-with-otp-trace-level.log
>
>
> I'm using FreeIPA in my environment. I have guacamole-auth-ldap enabled and 
> configured and it works fine for users who do not have 2FA enabled. For our 
> users with 2FA enabled, we are using TOTP tokens provided by FreeIPA.
> When investigating a tcpdump between guacamole and the LDAP server, I can see 
> that guacamole passes the username and password to the LDAP server twice. 
> This works fine for a traditional username and password, but for a 
> 2FA-enabled user, the second authentication attempt returns failure since the 
> TOTP is one-time use. 2FA login attempts result in the guacamole logs 
> outputting "successfully authenticated" while the web UI shows "Invalid 
> Login" in a red banner.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
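As an added illustration (not code from this issue or from guacamole-auth-ldap), the following toy model reproduces the failure the reporter describes, a second bind replaying a one-time TOTP, next to the single-session alternative raised in the comment above. The server, the secret, the DN and the timestamp are constructed for the demo; the TOTP routine follows RFC 6238 with HMAC-SHA1.

```python
import hmac
import hashlib
import struct

# Constructed demo values, not taken from the issue.
SECRET = b"12345678901234567890"
NOW = 1_700_000_000


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as an authenticator app would compute it."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpLdapServer:
    """Toy model of an LDAP server where a 2FA user's bind password is
    <password><TOTP> and every TOTP code is accepted exactly once."""

    def __init__(self, users):
        self.users = users      # dn -> (password, totp secret)
        self.used = set()       # (dn, code) pairs already consumed
        self.sessions = {}      # session id -> dn of the bound user

    def bind(self, dn, credential, t=NOW):
        password, secret = self.users[dn]
        base, code = credential[:-6], credential[-6:]
        if base != password or code != totp(secret, t) or (dn, code) in self.used:
            return None         # wrong credential, or a replayed one-time code
        self.used.add((dn, code))
        sid = f"sess-{len(self.sessions) + 1}"
        self.sessions[sid] = dn
        return sid

    def search(self, sid, dn):
        """A search is only answered on an authenticated (successfully bound) session."""
        return self.sessions.get(sid) == dn


def login_rebind(server, dn, credential):
    """The reported behaviour: bind to authenticate, then bind again with the
    same credential to retrieve data. The second bind replays the TOTP and fails."""
    s1 = server.bind(dn, credential)
    s2 = server.bind(dn, credential)
    return s1 is not None, s2 is not None and server.search(s2, dn)


def login_keep_session(server, dn, credential):
    """The alternative from the comment: bind once and issue every later
    query on that same open session, so the TOTP is consumed only once."""
    s = server.bind(dn, credential)
    return s is not None, s is not None and server.search(s, dn)
```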
