Posted to user@guacamole.apache.org by ke...@gmail.com on 2020/03/30 02:47:57 UTC

LDAP (MS AD) + mySQL DB Auth + TOTP issue?

Hello all,

I am very happy that I have Guacamole working just fine using LDAP against
my AD + mySQL authentication/management.  Everything works as advertised.  I
have also successfully added TOTP 2FA to the mix, which I'm happy about and
works fine.

That said, "as advertised" it may have a hole in it that either I've not
configured for properly, or whichever.  It would seem that I can initially
connect with a purely AD/LDAP user using TOTP/2FA just fine (presuming I've
set the user account to allow "Change own password" permissions ahead of
time).  This is as advertised.

The problem that I'm seeing occurs when I change the AD/LDAP password for
the user account.  Yes, the new AD/LDAP password works just fine, but so
does the previous password (which I presume was stored nicely hashed/salted
in the DB).  I have noticed that I can manually change the user's password
in the Guac Admin Interface and disable the old password, but until I do the
old password still works, and once the new LDAP password/2FA is successfully
used, the problem presents itself once again.

I note that in the Guacamole documentation
(https://guacamole.apache.org/doc/gug/ldap-auth.html), a directive such as
the following can be included for Database authentication:

    # MySQL
    mysql-user-required: true

However, I do not see anything similar to require LDAP Authentication.  I
think the problem might be resolved with a similar directive, but see no
documentation to the point.

Any insight/suggestions would be appreciated.  This is the sort of hole that
I see being caught by an auditor.

Thanks


RE: LDAP (MS AD) + mySQL DB Auth + TOTP issue?

Posted by ke...@gmail.com.
Mike,

Thank you for your quick response.

I think the scenario is complicated by the addition of the TOTP extension, which requires allowing users to change their own Guacamole password.  To test, I did the following:

1. I created a new user in AD (“guactest”, as a member of the required AD group for Guacamole) and set a completely new password.
2. I logged in to the Guacamole Admin interface using the “guacadmin” login (which required TOTP 2FA).
3. I changed _only_ the “Change own password” option to be true (checked) in the interface for the new user.
4. I logged out of Guacamole as “guacadmin”.
5. I logged in to Guacamole as the test AD user (“guactest”, using the brand new password), added the required TOTP profile into the FreeOTP app on my iPhone using the supplied QR code, and authenticated.
6. I logged out of Guacamole as the test AD user.
7. I changed the test AD user (“guactest”) password to something else completely new.
8. I am now able to log in to Guacamole, including TOTP authentication, using the “guactest” user and either the new or old password.
9. I can change the “guactest” password in the Guacamole management interface to some random password, which breaks the old password, but once I again change the AD password and log in successfully (including TOTP 2FA) the old/second password is again valid.

I believe the problem is directly related to the requirement of the TOTP extension to allow the user to change their own password.  If I could somehow force Guacamole to require LDAP (AD in this case) authentication and ignore the DB password (which, again, is nicely hashed/salted), that would be better.

A simple directive for LDAP requirement yet allowing for DB management would suffice I think.

Thanks

From: Mike Jumper <mj...@apache.org>
Sent: Sunday, March 29, 2020 10:04 PM
To: user@guacamole.apache.org
Subject: Re: LDAP (MS AD) + mySQL DB Auth + TOTP issue?

On Sun, Mar 29, 2020 at 7:48 PM <kendellwelch007@gmail.com <ma...@gmail.com> > wrote:

...

The problem that I’m seeing occurs when I change the AD/LDAP password for the user account.  Yes, the new AD/LDAP password works just fine, but so does the previous password (which I presume was stored nicely hashed/salted in the DB).  I have noticed that I can manually change the user’s password in the Guac Admin Interface and disable the old password, but until I do the old password still works, and once the new LDAP password/2FA is successfully used, the problem presents itself once again.

I note that in the Guacamole documentation (https://guacamole.apache.org/doc/gug/ldap-auth.html), a directive such as the following can be included for Database authentication:

...

Any insight/suggestions would be appreciated.  This is the sort of hole that I see being caught by an auditor.

It's not a hole, but rather how the system was explicitly configured. When you are using both LDAP and a database, you have two equally-valid authentication mechanisms available simultaneously. Your users will be able to use any valid credentials that you have created for them. If you have a username/password defined within the database, it is not excluded by the existence of the same user with a different password within LDAP.

If you do not want your users to be able to log in with their database credentials, you will need to either not set a database password for those users in the first place, or reset their password such that only their LDAP credentials are valid.

- Mike


Re: LDAP (MS AD) + mySQL DB Auth + TOTP issue?

Posted by Mike Jumper <mj...@apache.org>.
On Sun, Mar 29, 2020 at 7:48 PM <ke...@gmail.com> wrote:

> ...
>
> The problem that I’m seeing occurs when I change the AD/LDAP password for
> the user account.  Yes, the new AD/LDAP password works just fine, but so
> does the previous password (which I presume was stored nicely hashed/salted
> in the DB.)  I have noticed that I can manually change the user’s password
> in the Guac Admin Interface and disable the old password, but until I do
> the old password still works, and once the new LDAP password/2FA is
> successfully used, the problem presents itself once again.
>
>
>
> I note that in the Guacamole documentation (
> https://guacamole.apache.org/doc/gug/ldap-auth.html), a directive such as
> the following can be included for Database authentication:
>
> ...
>
> Any insight/suggestions would be appreciated.  This is the sort of hole
> that I see being caught by an auditor.
>

It's not a hole, but rather how the system was explicitly configured. When
you are using both LDAP and a database, you have two equally-valid
authentication mechanisms available simultaneously. Your users will be able
to use any valid credentials that you have created for them. If you have a
username/password defined within the database, it is not excluded by the
existence of the same user with a different password within LDAP.

If you do not want your users to be able to log in with their database
credentials, you will need to either not set a database password for those
users in the first place, or reset their password such that only their LDAP
credentials are valid.

- Mike
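The following is an added example written for this archive page; it is not code from the thread or from the Apache Guacamole project. It does two things an administrator in the poster's situation would want: check whether a given (old) password is still accepted by the database extension for a user's row, and build the parameterised UPDATE that carries out Mike's remedy of resetting the database password so that only the LDAP credentials remain valid. It assumes the 1.x schema layout (guacamole_user with password_hash BINARY(32), password_salt BINARY(32), password_date and entity_id joined to guacamole_entity) and the hashing scheme used by the JDBC extension, SHA-256 over the UTF-8 bytes of the password followed by the uppercase hex encoding of the salt; neither is stated in the thread, so verify both against the schema and source of your installed version before relying on it. The sample row is constructed inline; no database connection is made.

```python
"""Audit and neutralise database passwords for Guacamole users that should
authenticate only through LDAP.

Added example; not code from this thread or from Apache Guacamole.
Assumed (verify against your installed version's schema and source):
  * guacamole_user has password_hash BINARY(32), password_salt BINARY(32),
    password_date, and entity_id -> guacamole_entity(entity_id, name, type)
  * the JDBC extension stores SHA-256 over the UTF-8 bytes of
    password + uppercase hex encoding of the salt
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def guac_password_hash(password: str, salt: bytes) -> bytes:
    """Hash a password the way the database extension is assumed to."""
    salted = password + salt.hex().upper()
    return hashlib.sha256(salted.encode("utf-8")).digest()


def db_password_matches(password: str, stored_hash: bytes, stored_salt: bytes) -> bool:
    """Would the database extension still accept `password` for this row?"""
    candidate = guac_password_hash(password, stored_salt)
    return hmac.compare_digest(candidate, stored_hash)


def unusable_credential() -> Tuple[bytes, bytes]:
    """(hash, salt) for a random password that is discarded, never stored.

    The row keeps satisfying the NOT NULL hash/salt columns, but nobody can
    present the matching password, so only the LDAP credentials remain usable.
    """
    salt = os.urandom(32)
    throwaway = os.urandom(32).hex()  # never returned, never logged
    return guac_password_hash(throwaway, salt), salt


def neutralise_sql(username: str) -> Tuple[str, Tuple[bytes, bytes, str]]:
    """Parameterised UPDATE (for a DB-API driver such as PyMySQL) that
    replaces one user's database password with an unusable one."""
    pw_hash, salt = unusable_credential()
    sql = (
        "UPDATE guacamole_user u "
        "JOIN guacamole_entity e ON u.entity_id = e.entity_id "
        "SET u.password_hash = %s, u.password_salt = %s, u.password_date = NOW() "
        "WHERE e.name = %s AND e.type = 'USER'"
    )
    return sql, (pw_hash, salt, username)


def walk_through_thread_scenario() -> Dict[str, bool]:
    """Mirror the poster's sequence against a constructed row (no database)."""
    # Constructed sample row: created while the AD password was 'Spring2020!'
    salt = bytes(range(32))
    row = {"password_hash": guac_password_hash("Spring2020!", salt),
           "password_salt": salt}

    # AD password rotated to 'Summer2020!'; the database copy is untouched,
    # so the old password is still valid in the DB and the new one is not
    result = {
        "old_password_still_valid_in_db": db_password_matches(
            "Spring2020!", row["password_hash"], row["password_salt"]),
        "new_ad_password_valid_in_db": db_password_matches(
            "Summer2020!", row["password_hash"], row["password_salt"]),
    }

    # The remedy: overwrite the row with a credential nobody knows
    row["password_hash"], row["password_salt"] = unusable_credential()
    result["old_password_valid_after_reset"] = db_password_matches(
        "Spring2020!", row["password_hash"], row["password_salt"])
    return result


if __name__ == "__main__":
    print(walk_through_thread_scenario())
    sql, params = neutralise_sql("guactest")
    print(sql, params)
```

Two usage notes. First, `mysql-user-required: true` does not help with this problem: it only demands that a matching database record exist for a user authenticated elsewhere, it does not disable the database password as a credential. Second, the reset only holds until something writes a known password back into the row, which is exactly what the poster observed after the next LDAP login with "Change own password" enabled, so run the check function again after such a login rather than assuming the reset stuck.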