You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2021/04/24 19:49:00 UTC
[jira] [Commented] (GUACAMOLE-1333) Force second auth
[ https://issues.apache.org/jira/browse/GUACAMOLE-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17331310#comment-17331310 ]
Mike Jumper commented on GUACAMOLE-1333:
----------------------------------------
{quote}
Is it possible to force a second auth after LDAP (returning GuacamoleInsufficientCredentialsException) so that we can ask for OTP after LDAP.
{quote}
No, that would be too much of a hack. It could make sense to allow LDAP to be configured to supply only data, or to allow the overall set of sources of identity to be limited. For example, something like:
{code:none}
identity-providers: radius, mysql
{code}
{quote}
With username+otp or username+pass+otp (radius), I have an empty profile because no groups are returned by radius.
{quote}
If the only issue here is that you need access to both groups and RADIUS, I believe this is a duplicate of GUACAMOLE-792 (group support for RADIUS).
> Force second auth
> -----------------
>
> Key: GUACAMOLE-1333
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1333
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-jdbc-mysql, guacamole-auth-ldap, guacamole-auth-radius
> Affects Versions: 1.3.0
> Reporter: Nicolas Baudrand
> Priority: Minor
>
> Hi !
> We're using Guacamole Auth ldap and then map returned groups with existing mysql groups to assign profiles.
> Now, we want to ask for TOTP to our central server that is reachable by radius.
> So, I have enabled auth-jdbc, auth-ldap and auth-radius
> With username+pass (ldap), I access to my AD group profile.
> With username+otp or username+pass+otp (radius), I have an empty profile because no groups are returned by radius.
> Is it possible to force a second auth after LDAP (returning GuacamoleInsufficientCredentialsException) so that we can ask for OTP after LDAP.
> Guacamole TOTP is great but not centralized and I don't want to ask my users to register a new Token for each application.
>
> Thanks a lot for this great product
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)