On Sat, Dec 15, 2018, 12:05 Not Speedy <notspeed...@gmail.com wrote: > Hi. > I noticed there is a way to pass the username/password through to NLA and > RDP connections to create a SSO like experience. It looks like I could > use the variables GUAC_USERNAME and GUAC_PASSWORD. ( or something like > that). > > I'm using PrivacyIdea (fork of linotp) to handle my OTP requirements > backed by ldap. So to signing, Id use username and password+OTP. Looking > something like this. 'john.doe' 'secret123456' > > This would get passed to NLA/RDP as "secret123456", which will not work. > Most radius/otp solutions will allow you to add the OTP at the front or end > of the PIN (password). Is there a way to pass this through while dropping > the OTP? Perhaps creating a configuration option that could drop the "front > or end by # character"? >
If your RDP server uses the same LDAP for auth, wouldn't dropping the OTP still not work since it would require its own OTP added to the password as well? If LDAP-driven OTP is common, an option for LDAP to split things up may be reasonable, but I'm uncertain. An option to drop the first/last N characters feels hacky. - Mike
