On 4/23/21 9:17 PM, Mike Jumper wrote:
On Fri, Apr 23, 2021 at 10:10 AM Jelle de Jong
<[email protected]> wrote:
Hello everybody,
I have an external authenticator FreeIPA that I use to authenticate many
services. It has an OTP system built-in that allows the password field
to be in the form of password+otp.
This works fine for all services except for Guacamole.
I was using the pam-auth module with the server connected as an
ipaclient with sssd auth. This works perfectly when not using an OTP-enabled
password (I can turn this off and on in FreeIPA per user). It shows me
all connections that were configured in unix-user-mapping.xml.
I switched to Guacamole 1.3.0 because it has support for password
prompting for RDP connections?
Yes.
So I log in with password+otp and the login works but none of my
connections are shown...
I removed the whole pam-auth and switched to ldap-auth today. It seems I
cannot configure my groups and connections with a text file anymore and
I need to use the mysql and web interface? Is there a way to do the
configuration in an XML file so I can automate it?
The file you were using ("unix-user-mapping.xml") is not a file that
Guacamole itself defines. It's a file used only by the PAM extension you
were using. Switching from the third-party PAM extension to LDAP will
mean that nothing is reading that file.
The standard XML file used by Guacamole independent of extensions is
"user-mapping.xml", but this cannot be used with LDAP, nor is the XML
file really intended for production use. You will need to define your
connections in one of the supported databases and use that alongside LDAP.
As far as automation is concerned, just as the XML isn't aimed at
production use, it's a bit of an anti-pattern to automate generation of
XML as a means of automating your configuration. Depending on the
specifics of what you're looking for, the prescribed route would either
be using SQL or writing an extension that automatically defines
everything, perhaps without any underlying storage at all.
I logged in using password only and my connection is shown! Perfect! I
log in with password+otp and my connections are not shown anymore!
This is part of the debug log:
[2021-04-23 18:48:59] [info] 18:48:59.186 [http-nio-8080-exec-9] DEBUG
o.a.g.a.l.AuthenticationProviderService - LDAP bind succeeded for
"l.gaga" during authentication but failed during data retrieval.
So the debug shows it does some kind of multiple bind or lookup with
the password provided, which will never work because it is a one-time
password.
What is going on? I am using an LDAP admin bind with a password. It
should not need to do multiple binds to authenticate the user with the
provided user password so I can use the password+otp format.
The authentication and authorization process within Guacamole is two-step:
1) Authenticate the user (determine their identity) - only one extension
will ultimately decide this.
2) Authorize the user (determine what they have access to) - all
installed extensions are polled to provide data for the user that was
authenticated.
The second bind is occurring during that second step, and the current
LDAP implementation is indeed written to do this via a separate LDAP
connection and bind for each. I'm sure it's possible to restructure
things within LDAP such that the authorization step can reuse the
connection from the authentication step, but that's just not what the
code currently does. There would need to be some changes for the LDAP
support to work with a server that requires a unique password for each
bind attempt.
Thank you for your answer and great work on Guacamole!
Can you explain this use case for determining "what the user has access
to"? Especially with 1.3.0, how does the new prompting for credentials take
place? I expect this to show up within the Guacamole GUI and not as a
dialogue in the RDP client, but if I make a new connection with the GUI
and leave the username and password empty I do not get prompted.
I think I am also seeing LDAP doing everything twice in my logs, and I
have no clue why this is happening.
This is part of the log: https://paste.debian.net/plainh/2b27ad10
How can I disable the "data retrieval" part so it does a successful login?
Kind regards,
Jelle de Jong
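The two-step flow Mike describes, modelled as an added example (not Guacamole's code): a toy directory that accepts a static password any number of times but burns each one-time code on first use, so a second bind for data retrieval fails exactly where the log above reports it, while a flow that reuses the authenticated connection succeeds. User, password and OTP values are constructed.

```python
"""Toy model of authenticate-then-authorize against an OTP-enabled directory."""
from dataclasses import dataclass, field


@dataclass
class OtpDirectoryUser:
    """Constructed user entry: static password plus a pool of unused one-time codes."""
    password: str
    unused_otps: set = field(default_factory=set)

    def bind(self, secret: str) -> bool:
        """Simulate an LDAP simple bind. Static password: reusable. password+otp: once."""
        if secret == self.password:
            return True
        if secret.startswith(self.password) and len(secret) > len(self.password):
            otp = secret[len(self.password):]
            if otp in self.unused_otps:
                self.unused_otps.discard(otp)  # the code is consumed by this bind
                return True
        return False


def login_separate_binds(user: OtpDirectoryUser, secret: str) -> str:
    """Flow described in the thread: one bind to authenticate, a second bind to
    retrieve the user's data. The second bind replays an already-burned OTP."""
    if not user.bind(secret):
        return "authentication failed"
    if not user.bind(secret):
        return "bind succeeded during authentication but failed during data retrieval"
    return "connections listed"


def login_reused_connection(user: OtpDirectoryUser, secret: str) -> str:
    """Restructured flow: authorization reuses the connection from authentication,
    so the directory sees the one-time code only once."""
    if not user.bind(secret):
        return "authentication failed"
    return "connections listed"  # same session, no second bind needed
```

Running `login_separate_binds` with a static password alone reproduces the working PAM/LDAP case, which is why the problem only surfaces once OTP is enabled for the user.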