Uploaded image for project: 'Guacamole'
  1. Guacamole
  2. GUACAMOLE-1301

LDAP auth against FreeIPA with OTP enabled throw invalid login, Tomcat logs shows successfully authenticated. Works fine for non-otp users.

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 1.3.0
    • Fix Version/s: None
    • Component/s: guacamole-auth-ldap
    • Labels:
    • Environment:
      Ubuntu 20.04 server
      Linux guacamole 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

      Description

      Hi,

      We are at the stage of deploying FreeIPA 2FA for all our users and services. Guacamole is in docker containers. During initial testing it turns out users with OTP enabled are unable to log in to the front-end, however running "docker shows logs guacamole" is showing:

      14:12:11.440 [http-nio-8080-exec-10] INFO o.a.g.r.auth.AuthenticationService - User "c111111" successfully authenticated from 10.0.0.6.

      When I in purpose type wrong password it's correctly showing failed, also when OTP for the same user is disabled, a user is able to log in.

      14:11:43.730 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.0.0.6 for user "c111111" failed.

       

      I wonder if it has anything to do with the latest changes to FreeIPA sssd implementation where they allow multiple authentication options and for 2FA they try to introduce two prompts for password and 2nd for OTP token.

      https://github.com/neutrinolabs/xrdp/issues/676

      There is a workaround to enable password and otp authentications in FreeIPA and surprisingly then I can log in using password only and then on hosts I can restrict ssh and rdp to password+otp only, however by doing it we also weaken our VPN security as then you can log in to VPN with password only as FreeIPA is our central LDAP store.

      Also as a test, I've downloaded Apache Directory Studio and authentication there is working fine, so maybe Guacamole after auth is doing some extra checks and that's where is failing and it would also explain why logs are showing successfully authenticated, don't know as I'm no Java expert.

      Just to be precise we use LDAP without extra changes in LDAP schema.

      My docker-setup is as follow:

      version: '3'
      services:
      guacdb:
      container_name: guacdb
      image: mysql/mysql-server
      restart: unless-stopped
      volumes:

      • '/data/mysql/var/lib/mysql:/var/lib/mysql'
        environment:
        MYSQL_ROOT_PASSWORD: <PWD>
        MYSQL_DATABASE: 'guacamoledb'
        MYSQL_USER: 'guacadmin'
        MYSQL_PASSWORD: <PWD>
        guacd:
        image: guacamole/guacd
        container_name: guacd
        restart: unless-stopped

      guacamole:
      image: guacamole/guacamole
      container_name: guacamole
      restart: unless-stopped
      ports:

      • 8080:8080
        links:
      • guacd
      • guacdb
        volumes:
      • '/data/guacamole/etc/ssl/certs/lab-ipa:/etc/ssl/certs/lab-ipa'
        command: sh -c "keytool -storepass changeit -importcert -noprompt -alias labipa -file /etc/ssl/certs/lab-ipa/lab-ipa.mydomain.lab.pam -keystore /usr/local/openjdk-8/jre/lib/security/cacerts && /opt/guacamole/bin/start.sh"
        environment:
        GUACD_HOSTNAME: guacd
        MYSQL_HOSTNAME: guacdb
        MYSQL_DATABASE: guacamoledb
        MYSQL_USER: guacadmin
        MYSQL_PASSWORD: <PWD>
        LDAP_HOSTNAME: 'lab-ipa.mydomain.lab'
        LDAP_PORT: 636
        #LDAP_ENCRYPTION_METHOD: starttls
        LDAP_ENCRYPTION_METHOD: ssl
        LDAP_USER_BASE_DN: 'cn=users,cn=accounts,dc=mydomain,dc=lab'
        LDAP_GROUP_BASE_DN: 'cn=groups,cn=accounts,dc=mydomain,dc=lab'
        LDAP_SEARCH_BIND_DN: 'uid=guacadmin,cn=users,cn=accounts,dc=mydomain,dc=lab'
        LDAP_SEARCH_BIND_PASSWORD: <PWD>
        LDAP_USER_ATTRIBUTES: 'uid'
        LDAP_USER_SEARCH_FILTER: '(memberof=cn=guacamole-users,cn=groups,cn=accounts,dc=mydomain,dc=lab)'

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                mirek186 Mirek Malinowski
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: