You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2021/04/24 19:49:00 UTC

[jira] [Commented] (GUACAMOLE-1333) Force second auth

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17331310#comment-17331310 ] 

Mike Jumper commented on GUACAMOLE-1333:
----------------------------------------

{quote}
Is it possible to force a second auth after LDAP (returning GuacamoleInsufficientCredentialsException) so that we can ask for OTP after LDAP.
{quote}

No, that would be too much of a hack. It could make sense to allow LDAP to be configured to supply only data, or to allow the overall set of sources of identity to be limited. For example, something like:

{code:none}
identity-providers: radius, mysql
{code}

{quote}
With username+otp or username+pass+otp (radius), I have an empty profile because no groups are returned by radius.
{quote}

If the only issue here is that you need access to both groups and RADIUS, I believe this is a duplicate of GUACAMOLE-792 (group support for RADIUS).

> Force second auth
> -----------------
>
>                 Key: GUACAMOLE-1333
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1333
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-jdbc-mysql, guacamole-auth-ldap, guacamole-auth-radius
>    Affects Versions: 1.3.0
>            Reporter: Nicolas Baudrand
>            Priority: Minor
>
> Hi !
> We're using Guacamole Auth ldap and then map returned groups with existing mysql groups to assign profiles.
> Now, we want to ask for TOTP to our central server that is reachable by radius.
> So, I have enabled auth-jdbc, auth-ldap and auth-radius
> With username+pass (ldap), I access to my AD group profile.
> With username+otp or username+pass+otp (radius), I have an empty profile because no groups are returned by radius.
> Is it possible to force a second auth after LDAP (returning GuacamoleInsufficientCredentialsException) so that we can ask for OTP after LDAP.
> Guacamole TOTP is great but not centralized and I don't want to ask my users to register a new Token for each application.
>  
> Thanks a lot for this great product
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)