Posted to issues@guacamole.apache.org by "Nick Couchman (Jira)" <ji...@apache.org> on 2020/11/13 18:55:00 UTC

[jira] [Updated] (GUACAMOLE-1212) Support 2FA Directly in LDAP Extension

     [ https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman updated GUACAMOLE-1212:
-------------------------------------
    Summary: Support 2FA Directly in LDAP Extension  (was: Cannot authenticate with OTP-enabled LDAP user)

> Support 2FA Directly in LDAP Extension
> --------------------------------------
>
>                 Key: GUACAMOLE-1212
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1212
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Brett Smith
>            Priority: Minor
>
> I'm using FreeIPA in my environment. I have guacamole-auth-ldap enabled and configured and it works fine for users who do not have 2FA enabled. For our users with 2FA enabled, we are using TOTP tokens provided by FreeIPA.
> When investigating a tcpdump between guacamole and the LDAP server, I can see that guacamole passes the username and password to the LDAP server twice. This works fine for a traditional username and password, but for a 2FA-enabled user, the second authentication attempt returns failure since the TOTP is one-time use. 2FA login attempts result in the guacamole logs outputting "successfully authenticated" while the web UI shows "Invalid Login" in a red banner.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
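
The failure mode described in the report, as an added example that is not part of the original message and is not Guacamole or FreeIPA code: a directory that enforces one-time use of a TOTP code accepts the first bind and rejects a second bind carrying the same credential. The `OtpDirectory` class, the "password followed by 6-digit code" credential layout, and the sample password and secret are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpDirectory:
    """Hypothetical stand-in for an LDAP server that enforces one-time use."""

    def __init__(self, password: str, secret: bytes, step: int = 30):
        self.password, self.secret, self.step = password, secret, step
        self.last_used_counter = -1  # highest time step already consumed

    def bind(self, credential: str, now: int) -> bool:
        # Assumed layout: password immediately followed by the 6-digit code.
        pw, code = credential[:-6], credential[-6:]
        counter = now // self.step
        ok = (hmac.compare_digest(pw, self.password)
              and hmac.compare_digest(code, totp(self.secret, now, self.step)))
        if not ok or counter <= self.last_used_counter:
            return False  # wrong credential, or this code was already used
        self.last_used_counter = counter
        return True

def login_with_two_binds(directory: OtpDirectory, credential: str, now: int):
    """Pattern seen in the capture: the same credential is sent twice."""
    return directory.bind(credential, now), directory.bind(credential, now + 1)

def login_with_one_bind(directory: OtpDirectory, credential: str, now: int) -> bool:
    """One possible approach: validate once and reuse that result."""
    return directory.bind(credential, now)

if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed sample secret
    now = 1_600_000_000                # constructed timestamp
    cred = "hunter2" + totp(secret, now)
    print(login_with_two_binds(OtpDirectory("hunter2", secret), cred, now))
    print(login_with_one_bind(OtpDirectory("hunter2", secret), cred, now))
```

The first bind succeeding and the second failing is consistent with the report of a "successfully authenticated" log entry followed by "Invalid Login" in the web UI.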