Posted to issues@guacamole.apache.org by "Roberto Corica (Jira)" <ji...@apache.org> on 2021/03/04 16:34:00 UTC

[jira] [Comment Edited] (GUACAMOLE-1296) Add support for LDAP/AD password expiration and reset

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17295392#comment-17295392 ] 

Roberto Corica edited comment on GUACAMOLE-1296 at 3/4/21, 4:33 PM:
--------------------------------------------------------------------

+1 we are having the same problem

It would be great if the Guacamole LDAP extension could handle this Windows configuration and the related LDAP response, and allow access to the server even when the option "User must change password on next login" is set.

Our configuration: Guacamole 1.2 configured with Windows AD LDAP + MySQL DB


With the option "User must change password on next login" set on the Windows account, it is not possible to log in via Guacamole.

Your workaround actually works but creates another problem: the standard password will continue to be valid and usable to access Guacamole.


To reproduce the case:

- We configure the user John in Windows AD with the password "123" and set the option "User must change password on next login".

- Guacamole becomes aware of the user through the LDAP bind but does not allow the login, because AD returns code 773, as you said.

- Using your workaround: we log in to Guacamole as a domain administrator and set the password of the user John to the same value as in Windows, "123". This password for the user John is saved in the MySQL DB.

After that, the user John can actually log in through Guacamole with the password "123", and afterwards he continues with the RDP login on the Windows server, where the password change is requested. That's fine, thanks!

The problem: the password in the MySQL DB will obviously not be updated and is still usable.

After the password change, the user John will be able to log in to Guacamole using both the new password and the standard password "123", which produces a security problem.

Best Regards

Roberto Corica


> Add support for LDAP/AD password expiration and reset
> -----------------------------------------------------
>
>                 Key: GUACAMOLE-1296
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1296
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole-auth-ldap
>    Affects Versions: 1.3.0
>            Reporter: Gary V
>            Priority: Minor
>
> Guacamole login fails when a user is required to set a new AD password after first login.
> When a user logs in, AD returns code 773, which implies the authorization is correct but a new password must be set immediately in the remote session.
> Guacamole login fails.
>  
> Hint from catalina.out:
> Message ID : 1
>     BindResponse
>         Ldap Result
>             Result code : (INVALID_CREDENTIALS) invalidCredentials
>             Matched Dn : ''
>             Diagnostic message : '80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 773, v4563^@'
>  
> Edit some hours later:
> I was able to workaround the problem by setting the password of the users account to the same default password as set in AD. Then the login succeeded, Windows forced the user to change password, and the user was then able to login with the new username/password combo.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
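The thread turns on one detail: AD answers the bind with the generic LDAP result code invalidCredentials (49) and only the "data 773" sub-code in the diagnostic message tells the caller that the password was right but must be changed. The following is an added example, not code from the Guacamole project or from either poster, showing how a gateway would parse that diagnostic and separate "wrong password" from "password verified, change required", so that it can admit the user and force a change instead of mirroring the AD password into its own database (the stale-password hazard Roberto describes). It goes beyond the page in listing the other standard AD sub-codes (525, 52e, 530, 531, 532, 533, 701, 775), which are well-known values but are not mentioned in the issue; treating 532 (expired) like 773 as "password verified" is the conventional reading of those codes and is an assumption of this example, as is the sample wrong-password message, which is constructed. The regex, the enum and the function names are all the example's own.

```python
import re
from enum import Enum

# Added example, not Guacamole code. Classifies the diagnostic message AD attaches
# to a failed LDAP simple bind, such as the one quoted in GUACAMOLE-1296:
#   80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 773, v4563
# The "data" field is a hexadecimal Win32 sub-error. 773 is the code the issue
# reports; the other codes in AD_DATA_CODES are standard AD values assumed here
# for generality (the page itself mentions only 773).

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials


class AdBindStatus(Enum):
    OK = "ok"
    USER_NOT_FOUND = "user not found"
    INVALID_CREDENTIALS = "invalid credentials"
    LOGON_TIME_RESTRICTION = "not permitted to log on at this time"
    WORKSTATION_RESTRICTION = "not permitted to log on from this workstation"
    PASSWORD_EXPIRED = "password expired"
    ACCOUNT_DISABLED = "account disabled"
    ACCOUNT_EXPIRED = "account expired"
    PASSWORD_MUST_CHANGE = "password must be changed at next logon"
    ACCOUNT_LOCKED = "account locked out"
    UNKNOWN = "unknown"


AD_DATA_CODES = {
    0x525: AdBindStatus.USER_NOT_FOUND,
    0x52E: AdBindStatus.INVALID_CREDENTIALS,
    0x530: AdBindStatus.LOGON_TIME_RESTRICTION,
    0x531: AdBindStatus.WORKSTATION_RESTRICTION,
    0x532: AdBindStatus.PASSWORD_EXPIRED,
    0x533: AdBindStatus.ACCOUNT_DISABLED,
    0x701: AdBindStatus.ACCOUNT_EXPIRED,
    0x773: AdBindStatus.PASSWORD_MUST_CHANGE,
    0x775: AdBindStatus.ACCOUNT_LOCKED,
}

# Matches the hex sub-code; the trailing NUL ("^@") seen in catalina.out is ignored.
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def extract_ad_data_code(diagnostic):
    """Return the hex 'data' sub-code from an AD bind diagnostic as an int, or None."""
    m = _DATA_RE.search(diagnostic or "")
    return int(m.group(1), 16) if m else None


def classify_bind_result(result_code, diagnostic):
    """Map (LDAP resultCode, diagnosticMessage) of a bind response to an AdBindStatus."""
    if result_code == LDAP_SUCCESS:
        return AdBindStatus.OK
    if result_code != LDAP_INVALID_CREDENTIALS:
        return AdBindStatus.UNKNOWN
    code = extract_ad_data_code(diagnostic)
    if code is None:
        # Non-AD server, or AD with diagnostics suppressed: all we know is that
        # the bind failed, so the only safe reading is "invalid credentials".
        return AdBindStatus.INVALID_CREDENTIALS
    return AD_DATA_CODES.get(code, AdBindStatus.UNKNOWN)


# Assumption: for these two sub-codes AD has already checked the password and is
# refusing the logon for policy reasons, which is why 773 "implies the
# authorization is correct" as the reporter puts it.
PASSWORD_WAS_VERIFIED = {AdBindStatus.PASSWORD_MUST_CHANGE, AdBindStatus.PASSWORD_EXPIRED}


def password_verified(status):
    return status in PASSWORD_WAS_VERIFIED


def login_decision(result_code, diagnostic):
    """What a gateway should do with the bind outcome: 'allow', 'deny', or admit
    the user but force a password change before anything else."""
    status = classify_bind_result(result_code, diagnostic)
    if status is AdBindStatus.OK:
        return "allow"
    if status is AdBindStatus.PASSWORD_MUST_CHANGE:
        # The behaviour the issue asks for: the directory confirmed the password,
        # so admit the user and let the RDP session (or an LDAP password modify)
        # handle the change, rather than copying the password into the local DB.
        return "allow-then-force-password-change"
    return "deny"


# Diagnostic quoted in the issue (page data) and a constructed wrong-password sample.
PAGE_DIAGNOSTIC = ("80090308: LdapErr: DSID-0C090439, comment: "
                   "AcceptSecurityContext error, data 773, v4563")
WRONG_PASSWORD_DIAGNOSTIC = ("80090308: LdapErr: DSID-0C090439, comment: "
                             "AcceptSecurityContext error, data 52e, v4563")

if __name__ == "__main__":
    for rc, diag in ((49, PAGE_DIAGNOSTIC), (49, WRONG_PASSWORD_DIAGNOSTIC), (0, "")):
        print(rc, classify_bind_result(rc, diag).value, "->", login_decision(rc, diag))
```

The point of separating `classify_bind_result` from `login_decision` is that only the must-change case is ever promoted to an allow; every other failure, including a missing or unparseable diagnostic, stays a deny. Note also what this avoids: the workaround in the thread copies the AD password into the local database, and nothing ever retires that copy, so the old password keeps working after the user has changed it in Windows. Deciding from the bind sub-code instead leaves AD as the only place the password lives.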