[ 
https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17332480#comment-17332480
 ] 

Nick Couchman commented on GUACAMOLE-1212:
------------------------------------------

{quote}
If leveraging the sysaccount bind will solve Guac attempting to use the user's 
OTP multiple times, that seems like the right approach to me. Bind accounts do 
not degrade the security of LDAP; most LDAP-aware applications use a bind 
account for searching the directory.
{quote}

I'm not opposed to having that as an option (as mentioned before), but not by 
default. I agree that bind accounts do not, in and of themselves, degrade the 
security of LDAP - it depends upon how you use them. That has never been my 
point - my point is that the Guacamole LDAP extension is _designed_ to leverage 
LDAP security. Thus, changing this behavior in the LDAP module *will* impact 
the security of the LDAP module in ways that may matter to other users. It may 
not impact you and your use-case, but it is relevant to how we've designed the 
LDAP module to be deployed, and that has to be factored into this. It is one of 
the reasons why we won't make this behavior - using the bind account for all 
LDAP operations - the default behavior - it will be something you have to 
manually change in the config file.

> Support 2FA Directly in LDAP Extension
> --------------------------------------
>
>                 Key: GUACAMOLE-1212
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1212
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Brett Smith
>            Priority: Minor
>         Attachments: user-with-otp-trace-level.log
>
>
> I'm using FreeIPA in my environment. I have guacamole-auth-ldap enabled and 
> configured and it works fine for users who do not have 2FA enabled. For our 
> users with 2FA enabled, we are using TOTP tokens provided by FreeIPA.
> When investigating a tcpdump between guacamole and the LDAP server, I can see 
> that guacamole passes the username and password to the LDAP server twice. 
> This works fine for a traditional username and password, but for a 
> 2FA-enabled user, the second authentication attempt returns failure since the 
> TOTP is one-time use. 2FA login attempts result in the guacamole logs 
> outputting "successfully authenticated" while the web UI shows "Invalid 
> Login" in a red banner.
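The failure mode the report describes (the user's password+TOTP being bound to the directory twice, so the second bind replays a consumed one-time code) and the alternative discussed in the comment (one user bind, with a separate bind account doing the search), as an added simulation that is not Guacamole's or FreeIPA's code; the directory, the user names, the bind-account name and the TOTP secret are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed sample directory (not real data): a human user with TOTP and a
# password-only bind account used for directory searches.
USERS = {
    "alice": {"password": "Passw0rd!", "totp_secret": b"constructed-secret-not-a-real-key"},
    "svc-guac": {"password": "Svc-Passw0rd!", "totp_secret": None},
}

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for a given 30-second time step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

class OtpDirectory:
    """Simulated LDAP server: TOTP users bind with password+code; each (user, step) is accepted once."""

    def __init__(self):
        self.used = set()
        self.binds = []  # audit trail of (user, success)

    def bind(self, user: str, credential: str, counter: int) -> bool:
        entry = USERS.get(user)
        ok = False
        if entry is not None and entry["totp_secret"] is None:
            ok = hmac.compare_digest(credential, entry["password"])
        elif entry is not None:
            expected = entry["password"] + totp(entry["totp_secret"], counter)
            if hmac.compare_digest(credential, expected) and (user, counter) not in self.used:
                self.used.add((user, counter))  # the code is consumed by this successful bind
                ok = True
        self.binds.append((user, ok))
        return ok

def user_credential(counter: int) -> str:
    """What the user types: password immediately followed by the current TOTP code."""
    return USERS["alice"]["password"] + totp(USERS["alice"]["totp_secret"], counter)

def login_bind_twice(d: OtpDirectory, credential: str, counter: int):
    """Reported behaviour: user credentials bound twice; the second bind replays the consumed OTP."""
    return d.bind("alice", credential, counter), d.bind("alice", credential, counter)

def login_bind_once(d: OtpDirectory, credential: str, counter: int):
    """Alternative from the thread: one user bind, then the bind account performs the search."""
    return d.bind("alice", credential, counter), d.bind("svc-guac", "Svc-Passw0rd!", counter)
```

The first path returns (True, False), which is exactly the "successfully authenticated" log line followed by a failed login that the report describes.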



--
This message was sent by Atlassian Jira
(v8.3.4#803005)