Hello all,
I am very happy that I have Guacamole working just fine using LDAP against my AD + MySQL authentication/management. Everything works as advertised. I have also successfully added TOTP 2FA to the mix, which I'm happy about and which works fine.

That said, "as advertised" it may have a hole in it that either I've not configured for properly, or whichever. It would seem that I can initially connect with a purely AD/LDAP user using TOTP/2FA just fine (presuming I've set the user account to allow "Change own password" permissions ahead of time). This is as advertised.

The problem that I'm seeing occurs when I change the AD/LDAP password for the user account. Yes, the new AD/LDAP password works just fine, but so does the previous password (which I presume was stored nicely hashed/salted in the DB). I have noticed that I can manually change the user's password in the Guac Admin Interface and disable the old password, but until I do, the old password still works, and once the new LDAP password/2FA is successfully used, the problem presents itself once again.

I note that in the Guacamole documentation (https://guacamole.apache.org/doc/gug/ldap-auth.html), a directive such as the following can be included for database authentication:

    # MySQL
    mysql-user-required: true

However, I do not see anything similar to require LDAP authentication. I think the problem might be resolved with a similar directive, but I see no documentation to that point. Any insight/suggestions would be appreciated. This is the sort of hole that I see being caught by an auditor.

Thanks
