Posted to issues@guacamole.apache.org by "Chris Ruettimann (Jira)" <ji...@apache.org> on 2022/04/14 13:06:00 UTC

[jira] [Comment Edited] (GUACAMOLE-1212) Support 2FA Directly in LDAP Extension

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17522116#comment-17522116 ] 

Chris Ruettimann edited comment on GUACAMOLE-1212 at 4/14/22 1:05 PM:
----------------------------------------------------------------------

Hi,
We hit the same issue these days.
After spending a long time finding the root cause, we would like to ask if there is any known kind of workaround to get around this issue:
 - using user-ldap-auth for password checking just once, and bind-ldap-account (from guacamole config) for all other requests (could not find a valid pull request?)
   I am not a developer, so for sure you "just don't want" to see a PR I have written, believe me :)
 - nginx_mod_ldap (I tested, this is using the creds as well multiple times and hit the same issue :()
 - guacamole -> radius -> freeipa -> "user with totp enabled" (we have not tested so far)

Would be great to get around this issue, since it is not really an option to disable 2FA on FreeIPA.

Maybe a crowd-funding would help; for sure we would spend some money to get a proper solution, maybe others would do as well?

Thanks for helping and sharing.
Chris
-----------------------------------------
Update:
We got it working with minor issues:
FreeIPA: v4.9.6 (Alma8)
FreeRadius: v3.0 (Alma8)
Guacamole: v1.4
- Installed FreeRADIUS listening only on localhost
- Installed Guacamole RADIUS auth extension
Outcome:
- Auth works with freeipa-user and password+totp30
- user and its objects (perms, groups, connections, ...) need to be created with guacadmin first, then they will work as needed:
  - perms and objects from mysql config database
  - auth from radius (freeipa in backend)

LINKS:
https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
https://techviewleo.com/install-freeradius-and-daloradius-on-rocky-almalinux/
https://guacamole.apache.org/doc/gug/radius-auth.html
https://www.freeipa.org/page/V4/OTP
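As an added example (not part of Chris's comment and not taken from the Guacamole project), here is a guacamole.properties fragment for the setup described above: the guacamole-auth-radius extension pointed at a FreeRADIUS instance that is bound to localhost on the same host, with FreeIPA behind FreeRADIUS. The property names are the ones documented for the RADIUS extension; the shared secret and NAS address are placeholders that must be replaced.

```properties
# guacamole.properties fragment (added example, constructed for this workaround)

# FreeRADIUS runs on the same host and listens only on 127.0.0.1, so the
# password+TOTP credential never leaves the machine on its way to RADIUS.
radius-hostname: 127.0.0.1
radius-auth-port: 1812

# Must match the client entry for 127.0.0.1 in FreeRADIUS clients.conf.
# Placeholder value: replace with a long random secret.
radius-shared-secret: CHANGE-ME-placeholder-secret

# PAP delivers the password unchanged, so FreeRADIUS can bind to FreeIPA
# with the concatenated "password+TOTP" string exactly once.
radius-auth-protocol: pap

# Address reported as the NAS to FreeRADIUS (the Guacamole host itself here).
radius-nas-ip: 127.0.0.1

# A retry re-sends the same password+TOTP; keep retries low so a one-time
# code is not presented to FreeIPA more than once on a slow response.
radius-retries: 1
radius-timeout: 10
```

On the FreeRADIUS side this pairs with a `listen` block restricted to `ipaddr = 127.0.0.1` in radiusd.conf and a matching `client` entry for 127.0.0.1 in clients.conf using the same secret. As the comment notes, RADIUS only answers the authentication question: the user, its groups and its connections still have to exist in the MySQL configuration database (created via guacadmin), or the accepted login will have nothing to show.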


was (Author: christian773):

> Support 2FA Directly in LDAP Extension
> --------------------------------------
>
>                 Key: GUACAMOLE-1212
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1212
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Brett Smith
>            Priority: Minor
>         Attachments: user-with-otp-trace-level.log
>
>
> I'm using FreeIPA in my environment. I have guacamole-auth-ldap enabled and configured and it works fine for users who do not have 2FA enabled. For our users with 2FA enabled, we are using TOTP tokens provided by FreeIPA.
> When investigating a tcpdump between guacamole and the LDAP server, I can see that guacamole passes the username and password to the LDAP server twice. This works fine for a traditional username and password, but for a 2FA-enabled user, the second authentication attempt returns failure since the TOTP is one-time use. 2FA login attempts result in the guacamole logs outputting "successfully authenticated" while the web UI shows "Invalid Login" in a red banner.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)