On Wed, May 13, 2020 at 12:11 PM Richard Diaz <[email protected]> wrote:

> Hello,
>
> I am deploying guacamole to a large number of users, 1000+. All is well and
> ready to launch, but I would like to turn on 2FA. I understand that I can
> do this on the GUI on an individual level but this is not realistic for
> bulk. Can someone tell me what MySQL database flag needs to be modified to
> trigger enrollment?
>
>
Richard,
I assume you are talking about the TOTP extension?  Simply installing that
extension should prompt anyone who logs in to activate the 2FA.  The only
catch is that the users need to be able to modify themselves - that is,
change their own credentials.  The DB entry for this is as follows:

guac=# SELECT * FROM guacamole_user_permission WHERE affected_user_id=4 AND entity_id=4;
 affected_user_id | permission | entity_id
------------------+------------+-----------
                4 | READ       |         4
                4 | UPDATE     |         4

In the above example, the user in question has an ID of 4, so these entries
indicate that the user can update themselves.  Basically, for each user,
you'd need to insert these two rows into the guacamole_user_permission
table that allow the user to update themselves.  Note that, in my case, the
user_id and entity_id match - this may not always be the case, so you need
to make sure you get the correct user_id and entity_id for the user.  This
should be fairly easily doable with some SQL queries or views...

-Nick
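
The bulk version of the two-row grant described in the reply above, as an added example that is not part of the original message or the Guacamole project's own code. It assumes the Guacamole 1.x JDBC schema, in which guacamole_user carries both user_id and entity_id, and is written for MySQL as asked in the question.

```sql
-- Added example. Assumption: guacamole_user has user_id and entity_id
-- columns (Guacamole 1.x JDBC schema). On PostgreSQL, cast p.permission
-- to the permission column's enum type in the joins and the INSERT.

-- 1. Audit: list every self-permission that is currently missing.
SELECT u.user_id, u.entity_id, p.permission AS missing_permission
FROM guacamole_user u
CROSS JOIN (SELECT 'READ' AS permission UNION ALL SELECT 'UPDATE') p
LEFT JOIN guacamole_user_permission up
       ON up.entity_id        = u.entity_id
      AND up.affected_user_id = u.user_id
      AND up.permission       = p.permission
WHERE up.entity_id IS NULL
ORDER BY u.user_id;

-- 2. Grant: insert only the missing rows, so the statement can be re-run
--    safely. Each user gets READ and UPDATE on their own account only,
--    pairing that user's own entity_id with their own user_id.
START TRANSACTION;

INSERT INTO guacamole_user_permission (entity_id, affected_user_id, permission)
SELECT u.entity_id, u.user_id, p.permission
FROM guacamole_user u
CROSS JOIN (SELECT 'READ' AS permission UNION ALL SELECT 'UPDATE') p
LEFT JOIN guacamole_user_permission up
       ON up.entity_id        = u.entity_id
      AND up.affected_user_id = u.user_id
      AND up.permission       = p.permission
WHERE up.entity_id IS NULL;

COMMIT;

-- 3. Verify: any row returned here is a user who still lacks one of the
--    two self-permissions and will not be able to complete enrollment.
SELECT u.user_id, COUNT(up.permission) AS self_grants
FROM guacamole_user u
LEFT JOIN guacamole_user_permission up
       ON up.entity_id        = u.entity_id
      AND up.affected_user_id = u.user_id
      AND up.permission IN ('READ', 'UPDATE')
GROUP BY u.user_id
HAVING COUNT(up.permission) <> 2;
```

Because UPDATE on one's own account also lets the user change their own credentials, as the reply notes, review the audit output from step 1 before committing step 2.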
