Posted to issues@guacamole.apache.org by "Jelle de Jong (Jira)" <ji...@apache.org> on 2021/04/26 12:00:00 UTC

[jira] [Commented] (GUACAMOLE-1212) Support 2FA Directly in LDAP Extension

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17332063#comment-17332063 ] 

Jelle de Jong commented on GUACAMOLE-1212:
------------------------------------------

Mike and I already had some discussion on the [user@guacamole.apache.org|mailto:user@guacamole.apache.org] mailing list.

What I read here is that somehow the LDAP code is using the user's credentials multiple times and not only for password validation? My experience with LDAP integrations is that there is an admin bind that is used for gathering group information and other data validations. I got many other LDAP integrations working with the FreeIPA password+otp and I would really like to see Guacamole working as well.

In my /etc/guacamole/guacamole.properties I have these two options: 
ldap-search-bind-dn: uid=externalldapadmin,cn=sysaccounts,cn=etc,dc=bothends,dc=lan
ldap-search-bind-password: secret 

Would it not be an easy fix to change the LDAP binds to the admin bind and only use the user password validation during login? The group and permission escalations could be done securely with the right username filters; if there are other look-ups later, after the user is already logged in, then this should also not be an issue.

I am also okay with the current password field that can handle password+otp for the LDAP backend and use the new password prompting features of 1.3.0 for the further connection.

> Support 2FA Directly in LDAP Extension
> --------------------------------------
>
>                 Key: GUACAMOLE-1212
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1212
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Brett Smith
>            Priority: Minor
>         Attachments: user-with-otp-trace-level.log
>
>
> I'm using FreeIPA in my environment. I have guacamole-auth-ldap enabled and configured and it works fine for users who do not have 2FA enabled. For our users with 2FA enabled, we are using TOTP tokens provided by FreeIPA.
> When investigating a tcpdump between guacamole and the LDAP server, I can see that guacamole passes the username and password to the LDAP server twice. This works fine for a traditional username and password, but for a 2FA-enabled user, the second authentication attempt returns failure since the TOTP is one-time use. 2FA login attempts result in the guacamole logs outputting "successfully authenticated" while the web UI shows "Invalid Login" in a red banner.
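As an added illustration (Python, not Guacamole's own code) of the two bind flows discussed in the comment and the issue above, the following simulates an LDAP directory that enforces one-time TOTP use and runs both flows against it. The service-account DN and password are the ones from the guacamole.properties excerpt in the comment; the user DNs, their passwords and the OTP value are constructed for the example.

```python
class FakeLdapServer:
    """Stand-in LDAP directory; a given OTP code is accepted only once."""
    def __init__(self, entries, current_otp):
        self.entries = entries
        self.current_otp = current_otp   # code the user's token shows right now
        self.used_otps = set()           # (dn, otp) pairs already consumed

    def bind(self, dn, credential):
        entry = self.entries.get(dn)
        if entry is None:
            return False
        if not entry["otp"]:
            return credential == entry["password"]
        # FreeIPA style: password immediately followed by the 6-digit TOTP code.
        password, otp = credential[:-6], credential[-6:]
        if password != entry["password"] or otp != self.current_otp:
            return False
        if (dn, otp) in self.used_otps:  # replayed one-time code: rejected
            return False
        self.used_otps.add((dn, otp))
        return True

    def search_groups(self, dn):
        return list(self.entries[dn]["groups"])

def login_rebinding_as_user(server, user_dn, credential):
    """Behaviour the issue reports: the user's credential is bound once to
    authenticate and again for the group lookup, so the OTP is replayed."""
    if not (server.bind(user_dn, credential) and server.bind(user_dn, credential)):
        return None
    return server.search_groups(user_dn)

def login_with_search_bind(server, user_dn, credential, search_dn, search_pw):
    """Flow the comment proposes: bind as the user exactly once, then run all
    further lookups under the ldap-search-bind-dn service account."""
    if not (server.bind(user_dn, credential) and server.bind(search_dn, search_pw)):
        return None
    return server.search_groups(user_dn)

# Constructed directory: service-account DN/password from the comment above,
# the two user entries invented for this example.
SEARCH_DN = "uid=externalldapadmin,cn=sysaccounts,cn=etc,dc=bothends,dc=lan"
OTP_USER = "uid=alice,cn=users,cn=accounts,dc=bothends,dc=lan"
PLAIN_USER = "uid=bob,cn=users,cn=accounts,dc=bothends,dc=lan"

def make_server():
    return FakeLdapServer({
        SEARCH_DN: {"password": "secret", "otp": False, "groups": []},
        OTP_USER: {"password": "hunter2", "otp": True, "groups": ["guac-users"]},
        PLAIN_USER: {"password": "letmein", "otp": False, "groups": ["guac-users"]},
    }, current_otp="123456")
```

A traditional password-only user logs in under both flows; the OTP user only succeeds when the second bind uses the search account instead of replaying the one-time code.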
