Posted to user@guacamole.apache.org by Alex Kaiser <al...@peaknet.at> on 2019/11/20 11:42:16 UTC
Max activation time for TOTP authentication with LDAP+mysql
Is it possible to set a timeframe within which the user has to activate his TOTP authentication on the first logon attempt?
For example 48hrs after the user was added to the mysql database. Otherwise the account would be disabled.
Kind Regards
Alex Kaiser
Re: Max activation time for TOTP authentication with LDAP+mysql
Posted by Nick Couchman <vn...@apache.org>.
On Wed, Nov 27, 2019 at 12:00 PM Alex Kaiser <al...@peaknet.at> wrote:
> I found a solution for deactivating not completed TOTP activations
>
> Use the valid_from field in the database for the first valid logon date
>
> Execute the following queries against the database (mysql) within a cron
> job. In my case I used a max activation time of 7 days
>
> UPDATE guacamole_user
> SET guacamole_user.disabled=1
> WHERE valid_from IS NULL;
>
> UPDATE guacamole_user
> LEFT JOIN guacamole_user_attribute
> ON guacamole_user.user_id=guacamole_user_attribute.user_id
> SET guacamole_user.disabled=1
> WHERE (valid_from < NOW() - INTERVAL 7 DAY) AND
> guacamole_user_attribute.attribute_name IS NULL;
>
> UPDATE guacamole_user
> LEFT JOIN guacamole_user_attribute
> ON guacamole_user.user_id=guacamole_user_attribute.user_id
> SET guacamole_user.disabled=1
> WHERE ((valid_from < NOW() - INTERVAL 7 DAY) AND
> (guacamole_user_attribute.attribute_name='guac-totp-key-confirmed')) AND
> (guacamole_user_attribute.attribute_value='false');
>
Thanks for sharing the solution! I'd still suggest that this be entered as
a feature request, as I think it's something multiple people will find
useful. But it's good to have a work-around for the time being.
-Nick
Re: Max activation time for TOTP authentication with LDAP+mysql
Posted by Alex Kaiser <al...@peaknet.at>.
I found a solution for deactivating not completed TOTP activations

Use the valid_from field in the database for the first valid logon date

Execute the following queries against the database (mysql) within a cron job. In my case I used a max activation time of 7 days

-- Disable every account that has no valid_from date set
UPDATE guacamole_user
SET guacamole_user.disabled=1
WHERE valid_from IS NULL;

-- Disable accounts older than 7 days that have no row in guacamole_user_attribute
UPDATE guacamole_user
LEFT JOIN guacamole_user_attribute
ON guacamole_user.user_id=guacamole_user_attribute.user_id
SET guacamole_user.disabled=1
WHERE (valid_from < NOW() - INTERVAL 7 DAY)
AND guacamole_user_attribute.attribute_name IS NULL;

-- Disable accounts older than 7 days whose TOTP key is still unconfirmed
UPDATE guacamole_user
LEFT JOIN guacamole_user_attribute
ON guacamole_user.user_id=guacamole_user_attribute.user_id
SET guacamole_user.disabled=1
WHERE ((valid_from < NOW() - INTERVAL 7 DAY)
AND (guacamole_user_attribute.attribute_name='guac-totp-key-confirmed'))
AND (guacamole_user_attribute.attribute_value='false');

From: Alex Kaiser
Sent: Wednesday, 20 November 2019 12:42
To: user@guacamole.apache.org
Subject: Max activation time for TOTP authentication with LDAP+mysql
Is it possible to set a timeframe within which the user has to activate his TOTP authentication on the first logon attempt?
For example 48hrs after the user was added to the mysql database. Otherwise the account would be disabled.
Kind Regards
Alex Kaiser
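
Added example, not part of the thread: the three cron queries from the message above folded into one dry-run SELECT and one UPDATE for MySQL. It goes a little beyond the posted queries by restricting the join to the guac-totp-key-confirmed attribute, so rows for other attributes do not hide a user who never enrolled. Table, column and attribute names are the ones in the post; @grace_days, the aliases u and c, and disabled=0 for enabled accounts are assumptions.

```sql
-- Added example (not from the thread). @grace_days, u and c are made-up names;
-- enabled accounts are assumed to carry disabled=0.
SET @grace_days = 7;

-- Dry run: list the accounts the UPDATE below would disable, with the reason.
SELECT u.user_id,
       u.valid_from,
       CASE
           WHEN u.valid_from IS NULL     THEN 'no valid_from set'
           WHEN c.attribute_name IS NULL THEN 'TOTP enrollment never started'
           ELSE                               'TOTP key not confirmed'
       END AS reason
FROM guacamole_user AS u
LEFT JOIN guacamole_user_attribute AS c
       ON c.user_id = u.user_id
      AND c.attribute_name = 'guac-totp-key-confirmed'  -- join only this attribute
WHERE u.disabled = 0
  AND (u.valid_from IS NULL
       OR (u.valid_from < NOW() - INTERVAL @grace_days DAY
           AND (c.attribute_name IS NULL OR c.attribute_value = 'false')));

-- Enforcement: same join and predicate, run from the cron job.
UPDATE guacamole_user AS u
LEFT JOIN guacamole_user_attribute AS c
       ON c.user_id = u.user_id
      AND c.attribute_name = 'guac-totp-key-confirmed'
SET u.disabled = 1
WHERE u.disabled = 0
  AND (u.valid_from IS NULL
       OR (u.valid_from < NOW() - INTERVAL @grace_days DAY
           AND (c.attribute_name IS NULL OR c.attribute_value = 'false')));
```

Run the SELECT first and review the listed accounts before scheduling the UPDATE.
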
Re: Max activation time for TOTP authentication with LDAP+mysql
Posted by Nick Couchman <vn...@apache.org>.
On Wed, Nov 20, 2019 at 6:42 AM Alex Kaiser <al...@peaknet.at> wrote:
> Is it possible to set a timeframe within which the user has to activate his
> TOTP authentication on the first logon attempt?
>
> For example 48hrs after the user was added to the mysql database.
> Otherwise the account would be disabled.
>
There is no such feature in Guacamole today, no.
-Nick