Mike,
Thank you for your quick response. I think the scenario is complicated by the addition of the TOTP extension, which requires allowing users to change their own Guacamole password. To test, I did the following:

1. I created a new user in AD (“guactest”, as a member of the required AD group for Guacamole) and set a completely new password.
2. I logged in to the Guacamole Admin interface using the “guacadmin” login (which required TOTP 2FA).
3. I changed _only_ the “Change own password” option to be true (checked) in the interface for the new user.
4. I logged out of Guacamole as “guacadmin”.
5. I logged in to Guacamole as the test AD user (“guactest”, using the brand new password), added the required TOTP profile into the FreeOTP app on my iPhone using the supplied QR code, and authenticated.
6. I logged out of Guacamole as the test AD user.
7. I changed the test AD user (“guactest”) password to something else completely new.
8. I am now able to log in to Guacamole, including TOTP authentication, using the “guactest” user and either the new or old password.
9. I can change the “guactest” password in the Guacamole management interface to some random password, which breaks the old password, but once I again change the AD password and log in successfully (including TOTP 2FA) the old/second password is again valid.

I believe the problem is directly related to the requirement of the TOTP extension to allow the user to change their own password. If I could somehow force Guacamole to require LDAP (AD in this case) authentication and ignore the DB password (which, again, is nicely hashed/salted), that would be better. A simple directive for LDAP requirement yet allowing for DB management would suffice, I think.

Thanks

From: Mike Jumper <[email protected]>
Sent: Sunday, March 29, 2020 10:04 PM
To: [email protected]
Subject: Re: LDAP (MS AD) + mySQL DB Auth + TOTP issue?

On Sun, Mar 29, 2020 at 7:48 PM <[email protected]> wrote:

> ...
> The problem that I’m seeing occurs when I change the AD/LDAP password for the user account. Yes, the new AD/LDAP password works just fine, but so does the previous password (which I presume was stored nicely hashed/salted in the DB). I have noticed that I can manually change the user’s password in the Guac Admin Interface and disable the old password, but until I do the old password still works, and once the new LDAP password/2FA is successfully used, the problem presents itself once again.
>
> I note that in the Guacamole documentation (https://guacamole.apache.org/doc/gug/ldap-auth.html), a directive such as the following can be included for Database authentication:
>
> ...
>
> Any insight/suggestions would be appreciated. This is the sort of hole that I see being caught by an auditor.

It's not a hole, but rather how the system was explicitly configured. When you are using both LDAP and a database, you have two equally-valid authentication mechanisms available simultaneously. Your users will be able to use any valid credentials that you have created for them. If you have a username/password defined within the database, it is not excluded by the existence of the same user with a different password within LDAP.

If you do not want your users to be able to log in with their database credentials, you will need to either not set a database password for those users in the first place, or reset their password such that only their LDAP credentials are valid.

- Mike
