[
https://issues.apache.org/jira/browse/GUACAMOLE-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17331434#comment-17331434
]
Nicolas Baudrand commented on GUACAMOLE-1333:
---------------------------------------------
Thanks for your answer, Mike.
And what about duplicating the radius plugin as a radius2fa and forcing
GuacamoleInsufficientCredentialsException so that it acts like duo or totp?
I don't have any knowledge in code so I have no idea of how hard it is.
On 24 Apr 2021 20:49, "Mike Jumper (Jira)" <[email protected]> wrote:
[
https://issues.apache.org/jira/browse/GUACAMOLE-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17331310#comment-17331310
]
Mike Jumper commented on GUACAMOLE-1333:
----------------------------------------
{quote}
Is it possible to force a second auth after LDAP (returning
GuacamoleInsufficientCredentialsException) so that we can ask for OTP after
LDAP.
{quote}
No, that would be too much of a hack. It could make sense to allow LDAP to be
configured to supply only data, or to allow the overall set of sources of
identity to be limited. For example, something like:
{code:none}
identity-providers: radius, mysql
{code}
{quote}
With username+otp or username+pass+otp (radius), I have an empty profile
because no groups are returned by radius.
{quote}
If the only issue here is that you need access to both groups and RADIUS, I
believe this is a duplicate of GUACAMOLE-792 (group support for RADIUS).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
> Force second auth
> -----------------
>
> Key: GUACAMOLE-1333
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1333
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-jdbc-mysql, guacamole-auth-ldap,
> guacamole-auth-radius
> Affects Versions: 1.3.0
> Reporter: Nicolas Baudrand
> Priority: Minor
>
> Hi !
> We're using Guacamole Auth ldap and then map returned groups with existing
> mysql groups to assign profiles.
> Now, we want to ask for TOTP to our central server that is reachable by
> radius.
> So, I have enabled auth-jdbc, auth-ldap and auth-radius.
> With username+pass (ldap), I access my AD group profile.
> With username+otp or username+pass+otp (radius), I have an empty profile
> because no groups are returned by radius.
> Is it possible to force a second auth after LDAP (returning
> GuacamoleInsufficientCredentialsException) so that we can ask for OTP after
> LDAP.
> Guacamole TOTP is great but not centralized and I don't want to ask my users
> to register a new Token for each application.
>
> Thanks a lot for this great product
>
>