Uploaded image for project: 'Guacamole'
  1. Guacamole
  2. GUACAMOLE-1212

Support 2FA Directly in LDAP Extension

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • None
    • None
    • guacamole-auth-ldap
    • None

    Description

      I'm using FreeIPA in my environment. I have guacamole-auth-ldap enabled and configured and it works fine for users who do not have 2FA enabled. For our users with 2FA enabled, we are using TOTP tokens provided by FreeIPA.

      When investigating a tcpdump between guacamole and the LDAP server, I can see that guacamole passes the username and password to the LDAP server twice. This works fine for a traditional username and password, but for a 2FA-enabled user, the second authentication attempt returns failure since the TOTP is one-time use. 2FA login attempts result in the guacamole logs outputting "successfully authenticated" while the web UI shows "Invalid Login" in a red banner.

      Attachments

        1. user-with-otp-trace-level.log
          203 kB
          Mirek Malinowski

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. GUACAMOLE-1301 LDAP auth against FreeIPA with OTP enabled throw invalid login, Tomcat logs shows successfully authenticated. Works fine for non-otp users.

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. GUACAMOLE-1440 two factor doesn't work with LDAP

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              nayruden Brett Smith
              Votes:
              2 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated: