[
https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17332443#comment-17332443
]
Nick Couchman commented on GUACAMOLE-1212:
------------------------------------------
{quote}
Would it not be an easy fix to change the LDAP binds to the admin bind and only
use the user password validation during login? The group and permission
escalations could be done securely with the right username filters; if
there are other look-ups later after the user is already logged in, then this
should also not be an issue.
{quote}
I'm not sure it's an easy fix, but it is doable. That said, while we may look
at making this configurable, it will probably not be the default - the LDAP
extension as it operates today is designed _intentionally_ to operate the way
it does - that is, use the search user _only_ for locating the user that is
logging in, and then use the logged-in user for all other binds after that. In
this way, it leverages the security built in to LDAP in order to provide access
to the resources that the LDAP user should be able to access.
{quote}
I am also okay with the current password field that can handle password+otp for
the LDAP backend and use the new password prompting features of 1.3.0 for the
further connection.
{quote}
I'm not entirely sure what you mean here - the current password field can
handle password+otp (the LDAP extension just doesn't know how to prompt for the
OTP separately from the password). However, I think making sure that the LDAP
connection(s) are persistent for the life of the Guacamole session is probably
the best way to go.
> Support 2FA Directly in LDAP Extension
> --------------------------------------
>
> Key: GUACAMOLE-1212
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1212
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-ldap
> Reporter: Brett Smith
> Priority: Minor
> Attachments: user-with-otp-trace-level.log
>
>
> I'm using FreeIPA in my environment. I have guacamole-auth-ldap enabled and
> configured and it works fine for users who do not have 2FA enabled. For our
> users with 2FA enabled, we are using TOTP tokens provided by FreeIPA.
> When investigating a tcpdump between guacamole and the LDAP server, I can see
> that guacamole passes the username and password to the LDAP server twice.
> This works fine for a traditional username and password, but for a
> 2FA-enabled user, the second authentication attempt returns failure since the
> TOTP is one-time use. 2FA login attempts result in the guacamole logs
> outputting "successfully authenticated" while the web UI shows "Invalid
> Login" in a red banner.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
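The two-bind behaviour described in this thread (search user only to locate the DN, then the logged-in user's own credentials for everything after), and why a password+TOTP credential fails on the second bind, as an added simulation in Python; this is constructed example code, not Guacamole or guacamole-auth-ldap code, and the account names, DNs and OTP code are made up.

```python
class OtpDirectory:
    """Toy LDAP-like directory (constructed for this example, not a real server).
    An OTP user's credential is password+code; each code is accepted only once."""

    def __init__(self):
        # constructed sample accounts: (password, set of unused TOTP codes or None)
        self.users = {
            "uid=alice,ou=people,dc=example,dc=com": ("s3cret", None),
            "uid=bob,ou=people,dc=example,dc=com": ("hunter2", {"492831"}),
        }
        self.search_dn = "uid=guac-search,ou=svc,dc=example,dc=com"
        self.search_pw = "search-pw"

    def bind(self, dn, credential):
        if dn == self.search_dn:
            return credential == self.search_pw
        if dn not in self.users:
            return False
        password, unused_codes = self.users[dn]
        if unused_codes is None:
            return credential == password
        if not credential.startswith(password):
            return False
        code = credential[len(password):]
        if code in unused_codes:
            unused_codes.discard(code)  # one-time use: replaying this code fails
            return True
        return False


def _locate(directory, uid):
    """Bind as the search user only to resolve the login name to a DN."""
    if not directory.bind(directory.search_dn, directory.search_pw):
        raise RuntimeError("search-user bind failed")
    return next((dn for dn in directory.users if dn.startswith(f"uid={uid},")), None)


def login_with_rebind(directory, uid, credential):
    """Authenticate as the user, then bind again on a fresh connection for lookups.
    Returns (authenticated, lookup_ok): 'authenticated' is logged, yet the UI
    reports an invalid login when the second bind is rejected."""
    dn = _locate(directory, uid)
    authenticated = dn is not None and directory.bind(dn, credential)
    lookup_ok = authenticated and directory.bind(dn, credential)  # second bind
    return authenticated, lookup_ok


def login_with_persistent_connection(directory, uid, credential):
    """Bind as the user once and reuse that bound connection for every lookup."""
    dn = _locate(directory, uid)
    authenticated = dn is not None and directory.bind(dn, credential)
    return authenticated, authenticated  # no re-bind, so the OTP is consumed once
```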