Posted to issues@guacamole.apache.org by "Nick Couchman (Jira)" <ji...@apache.org> on 2021/02/25 14:54:00 UTC

[jira] [Closed] (GUACAMOLE-1301) LDAP auth against FreeIPA with OTP enabled throws invalid login, Tomcat logs show successfully authenticated. Works fine for non-OTP users.

     [ https://issues.apache.org/jira/browse/GUACAMOLE-1301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman closed GUACAMOLE-1301.
------------------------------------
    Resolution: Duplicate

This isn't a bug, per se, but something that needs to be implemented in the LDAP extension - and there's already a JIRA issue for it: GUACAMOLE-1212

> LDAP auth against FreeIPA with OTP enabled throws invalid login, Tomcat logs show successfully authenticated. Works fine for non-OTP users.
> -------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1301
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1301
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-ldap
>    Affects Versions: 1.3.0
>         Environment: Ubuntu 20.04 server
> Linux guacamole 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
>            Reporter: Mirek Malinowski
>            Priority: Major
>              Labels: freeipa, ldap, totp
>
> Hi,
> We are at the stage of deploying FreeIPA 2FA for all our users and services. Guacamole is in Docker containers. During initial testing it turned out that users with OTP enabled are unable to log in to the front end; however, running "docker logs guacamole" shows:
> 14:12:11.440 [http-nio-8080-exec-10] INFO o.a.g.r.auth.AuthenticationService - User "c111111" successfully authenticated from 10.0.0.6.
> When I type a wrong password on purpose, it correctly shows a failure; also, when OTP for the same user is disabled, the user is able to log in.
> 14:11:43.730 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.0.0.6 for user "c111111" failed.
>
> I wonder if it has anything to do with the latest changes to the FreeIPA SSSD implementation, where they allow multiple authentication options and, for 2FA, introduce two prompts: one for the password and a second for the OTP token.
> [https://github.com/neutrinolabs/xrdp/issues/676]
> There is a workaround: enable password and OTP authentication in FreeIPA. Surprisingly, I can then log in using the password only, and on the hosts I can restrict SSH and RDP to password+OTP only; however, by doing so we also weaken our VPN security, as one can then log in to the VPN with the password only, since FreeIPA is our central LDAP store.
> Also, as a test, I downloaded Apache Directory Studio, and authentication there works fine, so maybe Guacamole is doing some extra checks after auth and that's where it is failing; it would also explain why the logs show successful authentication. I don't know, as I'm no Java expert.
> Just to be precise, we use LDAP without extra changes to the LDAP schema.
> My Docker setup is as follows:
> version: '3'
> services:
>   guacdb:
>     container_name: guacdb
>     image: mysql/mysql-server
>     restart: unless-stopped
>     volumes:
>       - '/data/mysql/var/lib/mysql:/var/lib/mysql'
>     environment:
>       MYSQL_ROOT_PASSWORD: <PWD>
>       MYSQL_DATABASE: 'guacamoledb'
>       MYSQL_USER: 'guacadmin'
>       MYSQL_PASSWORD: <PWD>
>   guacd:
>     image: guacamole/guacd
>     container_name: guacd
>     restart: unless-stopped
>   guacamole:
>     image: guacamole/guacamole
>     container_name: guacamole
>     restart: unless-stopped
>     ports:
>       - 8080:8080
>     links:
>       - guacd
>       - guacdb
>     volumes:
>       - '/data/guacamole/etc/ssl/certs/lab-ipa:/etc/ssl/certs/lab-ipa'
>     command: sh -c "keytool -storepass changeit -importcert -noprompt -alias labipa -file /etc/ssl/certs/lab-ipa/lab-ipa.mydomain.lab.pam -keystore /usr/local/openjdk-8/jre/lib/security/cacerts && /opt/guacamole/bin/start.sh"
>     environment:
>       GUACD_HOSTNAME: guacd
>       MYSQL_HOSTNAME: guacdb
>       MYSQL_DATABASE: guacamoledb
>       MYSQL_USER: guacadmin
>       MYSQL_PASSWORD: <PWD>
>       LDAP_HOSTNAME: 'lab-ipa.mydomain.lab'
>       LDAP_PORT: 636
>       #LDAP_ENCRYPTION_METHOD: starttls
>       LDAP_ENCRYPTION_METHOD: ssl
>       LDAP_USER_BASE_DN: 'cn=users,cn=accounts,dc=mydomain,dc=lab'
>       LDAP_GROUP_BASE_DN: 'cn=groups,cn=accounts,dc=mydomain,dc=lab'
>       LDAP_SEARCH_BIND_DN: 'uid=guacadmin,cn=users,cn=accounts,dc=mydomain,dc=lab'
>       LDAP_SEARCH_BIND_PASSWORD: <PWD>
>       LDAP_USER_ATTRIBUTES: 'uid'
>       LDAP_USER_SEARCH_FILTER: '(memberof=cn=guacamole-users,cn=groups,cn=accounts,dc=mydomain,dc=lab)'



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
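An added example, not code from the report or from the Guacamole project: a small Python parser for the two AuthenticationService line shapes quoted in the report, so a defender can pull login outcomes (user, source IP, success or failure) out of the container log and, for instance, count failures per source when comparing what the front end shows with what the log says. The regexes are derived from the two quoted lines only; the dataclass field names and the third sample line are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Prefix shared by the AuthenticationService lines quoted in the report:
#   <time> [<thread>] <LEVEL> o.a.g.r.auth.AuthenticationService - <message>
PREFIX = (r'^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<thread>[^\]]+)\] \w+\s+'
          r'o\.a\.g\.r\.auth\.AuthenticationService - ')
SUCCESS_RE = re.compile(PREFIX + r'User "(?P<user>[^"]+)" successfully '
                        r'authenticated from (?P<ip>[\w.:]+)\.$')
FAILURE_RE = re.compile(PREFIX + r'Authentication attempt from (?P<ip>[\w.:]+) '
                        r'for user "(?P<user>[^"]+)" failed\.$')

@dataclass(frozen=True)
class AuthEvent:  # field names are this example's own choice
    time: str
    thread: str
    user: str
    source_ip: str
    success: bool

def parse_auth_event(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for a recognised login-outcome line, else None."""
    line = line.strip()
    for regex, ok in ((SUCCESS_RE, True), (FAILURE_RE, False)):
        m = regex.match(line)
        if m:
            return AuthEvent(m["time"], m["thread"], m["user"], m["ip"], ok)
    return None  # other loggers, stack traces, etc. are ignored

def parse_auth_events(lines: Iterable[str]) -> list:
    """Keep only the login-outcome lines, in log order."""
    return [e for e in map(parse_auth_event, lines) if e is not None]

def failures_by_source(events: Iterable[AuthEvent]) -> dict:
    """Count failed attempts per source IP, e.g. to spot password guessing."""
    counts = {}
    for e in events:
        if not e.success:
            counts[e.source_ip] = counts.get(e.source_ip, 0) + 1
    return counts

# Constructed sample: the two lines quoted in the report plus one unrelated line.
SAMPLE_LOG = [
    '14:12:11.440 [http-nio-8080-exec-10] INFO o.a.g.r.auth.AuthenticationService - User "c111111" successfully authenticated from 10.0.0.6.',
    '14:11:43.730 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.0.0.6 for user "c111111" failed.',
    '14:12:12.001 [http-nio-8080-exec-10] INFO o.a.g.example.Other - constructed, unrelated line',
]
```

Feed it the output of `docker logs guacamole` line by line; a user who shows a logged success with no matching front-end session is exactly the case the report describes.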