Posted to user@guacamole.apache.org by Zer0Cool <me...@gmail.com> on 2019/01/17 22:33:38 UTC

Questions About Using TOTP with LDAP

As per the documentation at
https://guacamole.apache.org/doc/gug/totp-auth.html:

"Prerequisites
...

* Another extension must be installed which supports storage of arbitrary
data from other extensions. Currently the only extensions provided with
Guacamole which support this kind of storage are the database authentication
extensions.

* Within whichever extension provides the storage described above, users
requiring TOTP must be granted permission to update their own accounts (to
update their passwords, etc.). This privilege is managed within the
administrative web interface with a checkbox labeled "change own password".
If a user lacks this permission, the TOTP extension will not be able to
generate and store the user's TOTP key during enrollment, and TOTP will be
disabled for that user."

OS: CentOS/RHEL 7.x
Guac: 1.0.0

My setup is typically mariadb and the LDAP extension. I have the parameters
in guacamole.properties for LDAP and have LDAP associated with the mariadb
database.

In this fashion, users are logging into Guacamole with their AD credentials.
Outside of Guacamole, from Windows using AD, most users can change their own
password when it expires; I am not 100% sure whether they can do so at any time
(I will double check this).

However, I am confused as to whether my setup meets the prerequisites,
specifically in regards to being able to change their own password. Even if
I checked this box for every user in Guac, I am not sure how this works with
LDAP. I am going to go out on a limb and assume that Guac cannot alter AD
credentials even with this box checked?

On the other hand would checking this box (change own password) create a
situation in which users can set their password for Guac to something other
than their password for AD? In other words the new password is stored in the
database and authentication is against that password instead of the AD
password?

Basically I am trying to find information about how LDAP associated with a
mariadb database can co-exist with the TOTP extension for 2FA, or if it is
not currently possible. Thanks



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: Questions About Using TOTP with LDAP

Posted by Zer0Cool <me...@gmail.com>.
Excellent, I will give it a shot and see how it works. Thanks




Re: Questions About Using TOTP with LDAP

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Jan 18, 2019 at 11:59 AM Zer0Cool <me...@gmail.com> wrote:

> Thanks for the reply.
>
> So given your insight, does this mean that my setup can/would meet the
> prerequisite of users being able to change their passwords or since I use
> LDAP for auth would LDAP and TOTP not work together?
>
>
Assuming your LDAP tree (Active Directory, OpenLDAP, etc.) allows users to
change their password, yes, this would be possible.  It will not work
within the Guacamole interface - changing the password within the Guacamole
interface will only change it within the JDBC extension, not within LDAP.

I believe TOTP and LDAP will work together, though I've not actually tried
it.  The users must exist in the database, and the TOTP information will be
stored in the database along with the user.

-Nick

Re: Questions About Using TOTP with LDAP

Posted by Zer0Cool <me...@gmail.com>.
Thanks for the reply.

So given your insight, does this mean that my setup can/would meet the
prerequisite of users being able to change their passwords or since I use
LDAP for auth would LDAP and TOTP not work together?




Re: Questions About Using TOTP with LDAP

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Jan 17, 2019 at 17:33 Zer0Cool <me...@gmail.com> wrote:

> As per the documentation at
> https://guacamole.apache.org/doc/gug/totp-auth.html:
>
> "Prerequisites
> ...
>
> * Another extension must be installed which supports storage of arbitrary
> data from other extensions. Currently the only extensions provided with
> Guacamole which support this kind of storage are the database
> authentication
> extensions.
>
> * Within whichever extension provides the storage described above, users
> requiring TOTP must be granted permission to update their own accounts (to
> update their passwords, etc.). This privilege is managed within the
> administrative web interface with a checkbox labeled "change own password".
> If a user lacks this permission, the TOTP extension will not be able to
> generate and store the user's TOTP key during enrollment, and TOTP will be
> disabled for that user."
>
> OS: CentOS/RHEL 7.x
> Guac: 1.0.0
>
> My setup is typically mariadb and the LDAP extension. I have the parameters
> in guacamole.properties for LDAP and have LDAP associated with the mariadb
> database.
>
> In this fashion, users are logging into Guacamole with their AD
> credentials.
> Outside of Guacamole, from Windows using AD, most users can change their
> own
> password when it expires; I am not 100% sure whether they can do so at any time
> (I will double check this).


Usually they can change it at any time unless this has been explicitly disabled.


>
> However, I am confused as to whether my setup meets the prerequisites,
> specifically in regards to being able to change their own password. Even if
> I checked this box for every user in Guac, I am not sure how this works
> with
> LDAP. I am going to go out on a limb and assume that Guac cannot alter AD
> credentials even with this box checked?


The box in Guacamole for allowing users to change their password is
specific to the JDBC extension, and does not impact LDAP.


>
> On the other hand would checking this box (change own password) create a
> situation in which users can set their password for Guac to something other
> than their password for AD? In other words the new password is stored in
> the
> database and authentication is against that password instead of the AD
> password?


Correct.  In the situation where a user is authenticating via LDAP you
probably don't want them to be able to change their password.

-Nick
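The "change own password" checkbox discussed above is the JDBC grant of UPDATE on a user's own account, which TOTP enrollment needs but which also lets an LDAP-backed user set a database-local password that diverges from AD. The following audit query is an added example, not part of the thread; it assumes the table and column names of the Guacamole 1.0.0 MySQL/MariaDB schema (guacamole_entity, guacamole_user, guacamole_user_permission) and should be checked against your own schema before use.

```sql
-- Added example (not from the thread): list database-backed accounts that hold
-- the "change own password" grant, i.e. UPDATE permission on their own user row.
-- Assumed 1.0.0 schema: guacamole_user_permission.entity_id is the grantee,
-- affected_user_id is the target user, and guacamole_user.password_date records
-- the last time the database-local password was set.
SELECT e.name          AS username,
       u.password_date AS last_db_password_change,
       u.disabled      AS disabled
FROM   guacamole_user_permission AS p
JOIN   guacamole_user            AS u ON u.user_id   = p.affected_user_id
JOIN   guacamole_entity          AS e ON e.entity_id = u.entity_id
WHERE  p.permission = 'UPDATE'
  AND  p.entity_id  = u.entity_id      -- grantee and target are the same account
ORDER  BY u.password_date DESC;
```

For LDAP-authenticated users the grant is expected (TOTP enrollment stores the key through it), so the value to watch is a recent password_date on an account whose credentials should live only in AD.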