On Fri, Apr 23, 2021 at 10:10 AM Jelle de Jong <[email protected]>
wrote:
> Hello everybody,
>
> I have an external authenticator FreeIPA that I use to authenticate many
> services. It has an OTP system built-in that allows the password field
> to be in the form of password+otp.
>
> This works fine for all services except for Guacamole.
>
> I was using the pam-auth module with the server connected as an
> ipaclient with sssd auth. This works perfectly when not using an OTP-enabled
> password (I can turn this off and on in FreeIPA per user). It shows me
> all connections that were configured in unix-user-mapping.xml.
>
> I switched to Guacamole 1.3.0 because it has support for password
> prompting for RDP connections?
>
Yes.
> So I login with password+otp and the login works but none of my
> connections are shown....
>
> I removed the whole pam-auth and switched to ldap-auth today. It seems I
> can not configure my groups and connections with a text file anymore and
> I need to use the mysql and web interface? Is there a way to do the
> configuration in a xml file so I can automate it?
>
The file you were using ("unix-user-mapping.xml") is not a file that
Guacamole itself defines. It's a file used only by the PAM extension you
were using. Switching from the third-party PAM extension to LDAP will mean
that nothing is reading that file.
The standard XML file used by Guacamole independent of extensions is
"user-mapping.xml", but this cannot be used with LDAP, nor is the XML file
really intended for production use. You will need to define your
connections in one of the supported databases and use that alongside LDAP.
As far as automation is concerned, just as the XML isn't aimed at
production use, it's a bit of an anti-pattern to automate generation of XML
as a means of automating your configuration. Depending on the specifics of
what you're looking for, the prescribed route would either be using SQL or
writing an extension that automatically defines everything, perhaps without
any underlying storage at all.
> I logged in using password only and my connection is shown! Perfect! I
> login with password+otp and my connections are not shown anymore!
>
> This is part of the debug log:
>
> [2021-04-23 18:48:59] [info] 18:48:59.186 [http-nio-8080-exec-9] DEBUG
> o.a.g.a.l.AuthenticationProviderService - LDAP bind succeeded for
> "l.gaga" during authentication but failed during data retrieval.
>
> So the debug shows it does some kind of multiple bind or looking with
> the password provided, which will never work because it is a one time
> password.
>
> What is going on? I am using an LDAP admin bind with a password. It
> should not need to do multiple binds to authenticate the user with the
> provided user password so I can use the password+otp format.
>
The authentication and authorization process within Guacamole is two-step:
1) Authenticate the user (determine their identity) - only one extension
will ultimately decide this.
2) Authorize the user (determine what they have access to) - all installed
extensions are polled to provide data for the user that was authenticated.
The second bind is occurring during that second step, and the current LDAP
implementation is indeed written to do this via a separate LDAP connection
and bind for each. I'm sure it's possible to restructure things within LDAP
such that the authorization step can reuse the connection from the
authentication step, but that's just not what the code currently does.
There would need to be some changes for the LDAP support to work with a
server that requires a unique password for each bind attempt.
Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>.
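As an added illustration of the two-step flow Michael describes (not Guacamole, FreeIPA or Glyptodon code), the following model shows why a one-time password that is accepted on the authentication bind is rejected on the separate authorization bind, and how reusing the authenticated session avoids it. The class and function names and the sample users and connections are constructed for this example.

```python
"""Added example, not Guacamole or FreeIPA code: a model of the two-step login
described in the reply. The mock directory verifies password+otp on bind and
consumes the OTP, so a second bind with the same credential fails."""
import hmac

class Session:
    """A bound connection; authorization data is only readable through it."""
    def __init__(self, directory, dn):
        self.directory, self.dn = directory, dn

    def search_connections(self):
        return list(self.directory.connections[self.dn])

class MockOtpDirectory:
    """Stand-in for an LDAP server with FreeIPA-style OTP: the bind password is
    <static password><one-time code>; a user whose code set is None has OTP off."""
    def __init__(self, users, connections):
        self.users = users              # {dn: (static_password, codes | None)}
        self.connections = connections  # {dn: [connection names]}

    def bind(self, dn, credential):
        static, codes = self.users[dn]
        if codes is None:
            ok = hmac.compare_digest(credential, static)
        else:
            pw, otp = credential[:len(static)], credential[len(static):]
            ok = hmac.compare_digest(pw, static) and otp in codes
            if ok:
                codes.discard(otp)      # one-time: consumed by this bind
        return Session(self, dn) if ok else None

def login_rebind(directory, dn, credential):
    """Current behaviour per the reply: bind once to authenticate, then open a
    fresh connection and bind again to retrieve authorization data."""
    if directory.bind(dn, credential) is None:
        return None                     # authentication failed
    session = directory.bind(dn, credential)
    if session is None:                 # OTP was consumed by the first bind
        return []                       # "bind succeeded ... failed during data retrieval"
    return session.search_connections()

def login_reuse(directory, dn, credential):
    """Restructured flow: authorization reuses the authenticated session."""
    session = directory.bind(dn, credential)
    return None if session is None else session.search_connections()

def make_directory():  # constructed sample: l.gaga has OTP enabled, alice does not
    return MockOtpDirectory({"l.gaga": ("s3cret", {"123456"}), "alice": ("hunter2", None)},
                            {"l.gaga": ["rdp-server-01"], "alice": ["rdp-server-02"]})
```

With OTP enabled, `login_rebind` authenticates but returns an empty connection list, matching the log line quoted above; `login_reuse` returns the user's connections from the single bound session.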