Hello everybody,

I have an external authenticator FreeIPA that I use to authenticate many services. It has an OTP system built-in that allows the password field to be in the form of password+otp.

This works fine for all services except for Guacamole.

I was using the pam-auth module with the server connected as an ipaclient with sssd auth. This works perfectly when not using an OTP-enabled password (I can turn this off and on in FreeIPA per user). It shows me all connections that were configured in unix-user-mapping.xml.

I switched to Guacamole 1.3.0 because it has support for password prompting for RDP connections?

So I log in with password+otp and the login works but none of my connections are shown....

I removed the whole pam-auth and switched to ldap-auth today. It seems I cannot configure my groups and connections with a text file anymore and I need to use the mysql and web interface? Is there a way to do the configuration in an xml file so I can automate it?

I logged in using password only and my connection is shown! Perfect! I log in with password+otp and my connections are not shown anymore!

This is part of the debug log:

[2021-04-23 18:48:59] [info] 18:48:59.186 [http-nio-8080-exec-9] DEBUG o.a.g.a.l.AuthenticationProviderService - LDAP bind succeeded for "l.gaga" during authentication but failed during data retrieval.

So the debug shows it does some kind of multiple bind or lookup with the password provided, which will never work because it is a one-time password.

What is going on? I am using an LDAP admin bind with a password. It should not need to do multiple binds to authenticate the user with the provided user password so I can use the password+otp format.

from /etc/guacamole/guacamole.properties:

ldap-search-bind-dn: uid=externalldapadmin,cn=sysaccounts,cn=etc,dc=bothends,dc=lan
ldap-search-bind-password: secret

Can somebody help and check the ldap and/or pam authenticator?

Please let me know what logs are needed if any? The debug mode provides a lot of lines...

Kind regards,

Jelle de Jong
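The failure mode the post describes (a bind that succeeds for authentication and then fails for data retrieval because the one-time password has already been consumed) can be reproduced offline. The following is an added simulation and not code from Guacamole, FreeIPA or the poster; the toy directory, the user names, the TOTP secret (the RFC 6238 reference secret) and the assumption that the client binds twice with the same user credential are illustrative assumptions, supported only by the quoted debug line.

```python
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 over the 30-second time counter), implemented
    from scratch so the example runs offline."""
    counter = int((time.time() if now is None else now) // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpDirectory:
    """Toy directory (assumption: stands in for the LDAP server).

    users maps uid -> (static password, TOTP secret or None).
    A user with a TOTP secret must bind with 'password+otp'; each OTP value
    is accepted once and rejected on replay, which is what makes a second
    bind with the same credential fail."""

    def __init__(self, users):
        self.users = users
        self.consumed = set()  # (uid, otp) pairs already used for a bind

    def bind(self, uid: str, credential: str, now=None) -> bool:
        password, secret = self.users[uid]
        if secret is None:
            # Static password: every bind with the right password succeeds.
            return hmac.compare_digest(password, credential)
        # OTP-enabled user: the field is the static password followed by the 6-digit OTP.
        static, otp = credential[:-6], credential[-6:]
        if not hmac.compare_digest(password, static):
            return False
        if not hmac.compare_digest(otp, totp(secret, now)):
            return False
        if (uid, otp) in self.consumed:
            return False  # replayed one-time password
        self.consumed.add((uid, otp))
        return True


def two_bind_login(directory: OtpDirectory, uid: str, credential: str, now=None) -> str:
    """Assumed client behaviour: bind once to authenticate the user, then bind
    again with the same user credential to read that user's connections."""
    if not directory.bind(uid, credential, now):
        return "authentication failed"
    if not directory.bind(uid, credential, now):
        # Mirrors: 'LDAP bind succeeded ... during authentication but failed during data retrieval.'
        return "authenticated, data retrieval failed"
    return "authenticated, connections listed"


# Constructed sample data: one user with a static password, one with OTP enabled.
RFC6238_SECRET = b"12345678901234567890"
DIRECTORY = OtpDirectory({
    "static.user": ("hunter2", None),
    "otp.user": ("hunter2", RFC6238_SECRET),
})


def demo(now: int = 59):
    """Run both logins at a fixed time so the OTP value is deterministic."""
    directory = OtpDirectory(DIRECTORY.users)
    otp = totp(RFC6238_SECRET, now)
    return {
        "static": two_bind_login(directory, "static.user", "hunter2", now),
        "otp": two_bind_login(directory, "otp.user", "hunter2" + otp, now),
    }


if __name__ == "__main__":
    for who, result in demo().items():
        print(f"{who}: {result}")
```

The static-password user passes both binds, while the OTP user passes the first and is rejected on the second because the token was consumed, which is exactly the symptom of a successful login with an empty connection list.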
