On Mon, Nov 16, 2020 at 10:21 AM skidvd <[email protected]> wrote:

> I have resolved this issue.  To do so, I had to follow the following (less
> than intuitive) steps that I could not find in the guacamole documentation -
> perhaps I missed them somehow?
>
> a) deploy guacamole docker image WITHOUT TOTP
> b) log in as guacadmin
> c) create local user within guac for LDAP user
> d) log in to guac with LDAP (enabling ability to see AD users)
> e) within guacamole, set setting for LDAP user to include 'change own
> password'
> f) redeploy guacamole docker image with TOTP
> g) remember LDAP users are case sensitive
>
> LDAP users can now successfully log in to guacamole and associate with MFA.
>
>
Instead of going through those steps, did you try enabling the user
auto-creation?

http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-auto-create

It doesn't look like this option is available as a Docker env variable, so
you'd have to manually add it to guacamole.properties, but it should
resolve at least some of those steps. Also, starting with version 1.2.0 of
Guacamole, TOTP should not require that the user be able to modify their
own account in order for the information to be stored, so, if you're really
using 1.2.0, item "e" on your list definitely is not necessary.

-Nick
