On Sun, Mar 29, 2020 at 7:48 PM <[email protected]> wrote:
> ...
>
> The problem that I’m seeing occurs when I change the AD/LDAP password for
> the user account. Yes, the new AD/LDAP password works just fine, but so
> does the previous password (which I presume was stored nicely hashed/salted
> in the DB.) I have noticed that I can manually change the user’s password
> in the Guac Admin Interface and disable the old password, but until I do
> the old password still works, and once the new LDAP password/2FA is
> successfully used, the problem presents itself once again.
>
> I note that in the Guacamole documentation (
> https://guacamole.apache.org/doc/gug/ldap-auth.html), a directive such as
> the following can be included for Database authentication:
>
> ...
>
> Any insight/suggestions would be appreciated. This is the sort of hole
> that I see being caught by an auditor.
It's not a hole, but rather how the system was explicitly configured. When you are using both LDAP and a database, you have two equally-valid authentication mechanisms available simultaneously. Your users will be able to use any valid credentials that you have created for them. If you have a username/password defined within the database, it is not excluded by the existence of the same user with a different password within LDAP. If you do not want your users to be able to log in with their database credentials, you will need to either not set a database password for those users in the first place, or reset their password such that only their LDAP credentials are valid. - Mike
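An added illustration of the behaviour Mike describes (example code written for this thread, not Guacamole's own): two providers consulted side by side, so a stale database password is still accepted after the LDAP password changes, plus an audit that lists such accounts and the fix of clearing the database password. The LDAP directory, user table, hashing scheme and the user "alice" are constructed stand-ins.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-ins for the two back ends (not Guacamole's
# real code): an LDAP directory and a database user table.
LDAP_DIRECTORY = {"alice": "NewLdapPassw0rd!"}   # current directory password
DB_USERS = {}  # username -> (salt, sha256(salt + password)) or None

def set_db_password(user, password):
    """Store a salted hash, as a database provider would."""
    salt = os.urandom(16)
    DB_USERS[user] = (salt, hashlib.sha256(salt + password.encode()).digest())

def clear_db_password(user):
    """The fix: leave the user in the DB but with no valid DB credential."""
    DB_USERS[user] = None

def ldap_auth(user, password):
    # Plaintext compare is only a mock of a directory bind.
    return LDAP_DIRECTORY.get(user) == password

def db_auth(user, password):
    rec = DB_USERS.get(user)
    if rec is None:          # no DB password: this provider cannot authenticate
        return False
    salt, digest = rec
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(digest, candidate)

def authenticate(user, password):
    """Providers are independent; success from any one of them logs the user in."""
    return any(p(user, password) for p in (ldap_auth, db_auth))

def users_with_stale_db_password():
    """Audit: LDAP-managed accounts that still carry a database password."""
    return sorted(u for u, rec in DB_USERS.items()
                  if rec is not None and u in LDAP_DIRECTORY)

def demo():
    set_db_password("alice", "OldPassw0rd!")   # password set in the DB earlier
    before = (authenticate("alice", "OldPassw0rd!"),
              authenticate("alice", "NewLdapPassw0rd!"))
    stale = users_with_stale_db_password()
    clear_db_password("alice")
    after = (authenticate("alice", "OldPassw0rd!"),
             authenticate("alice", "NewLdapPassw0rd!"))
    return before, stale, after
```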
