Hi Nick,
Group membership is the best way to go. I don't connect Guacamole to
LDAP server due to no group membership in Guacamole.
Ideally, I would like group membership in Guacamole working like this:
1. if a user is in Guacamole group, then login is activated for this user
2. if a user is in TOTP group, then TOTP is activated for this user
3. and more features can be added like this
Thanks,
Allen
On 4/13/2021 12:23 PM, Nick Couchman wrote:
On Tue, Apr 13, 2021 at 11:07 AM Allen Chen <[email protected]> wrote:
Hi there,
I have upgraded Guacamole from 1.1.0 to 1.2.0 without any issues.
I just compiled guacamole-server-1.2.0 and replaced
guacamole-auth-jdbc-mysql, guacamole-auth-totp and
guacamole-1.2.0.war.
But now with 1.2.0, TOTP is activated for every user in DB.
In 1.1.0, we can control this by setting "Change own password".
Is there a way to change this behavior back? So we have an option to
activate TOTP on some users.
Yes, in version 1.2.0 we changed how extensions interact with other
extensions, essentially giving extensions like TOTP the ability to
interact with the database without the user having to have explicit
permissions. This was an intentional change, and the prior behavior -
where TOTP did not work unless the user had "Change own password"
option - was never designed to be a feature, it was just a byproduct
of how it was previously implemented.
There is currently a JIRA issue that aims at allowing TOTP to be
enabled/disabled based on group membership, but that is not
implemented, today, so there's currently no work-around or way to
restore the functionality you saw in 1.1.0.
https://issues.apache.org/jira/browse/GUACAMOLE-1219
-Nick