Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Duplicate
- Affects Version/s: 1.3.0
- Fix Version/s: None
- Environment: Ubuntu 20.04 server
  Linux guacamole 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Description
Hi,
We are at the stage of deploying FreeIPA 2FA for all our users and services. Guacamole runs in Docker containers. During initial testing it turns out that users with OTP enabled are unable to log in to the front-end; however, running "docker logs guacamole" shows:
14:12:11.440 [http-nio-8080-exec-10] INFO o.a.g.r.auth.AuthenticationService - User "c111111" successfully authenticated from 10.0.0.6.
When I deliberately type a wrong password it correctly shows as failed; also, when OTP is disabled for the same user, the user is able to log in.
14:11:43.730 [http-nio-8080-exec-1] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.0.0.6 for user "c111111" failed.
I wonder if it has anything to do with the latest changes to the FreeIPA sssd implementation, where they allow multiple authentication options and, for 2FA, they try to introduce two prompts: one for the password and a second for the OTP token.
https://github.com/neutrinolabs/xrdp/issues/676
There is a workaround: enable both password and OTP authentication in FreeIPA. Surprisingly, I can then log in using the password only, and on the hosts I can restrict SSH and RDP to password+OTP only. However, by doing this we also weaken our VPN security, since you can then log in to the VPN with a password only, as FreeIPA is our central LDAP store.
Also, as a test, I downloaded Apache Directory Studio, and authentication there works fine, so maybe Guacamole is doing some extra checks after authentication and that is where it fails; it would also explain why the logs show "successfully authenticated". I don't know, as I'm no Java expert.
Just to be precise, we use LDAP without extra changes to the LDAP schema.
My Docker setup is as follows:
version: '3'
services:
  guacdb:
    container_name: guacdb
    image: mysql/mysql-server
    restart: unless-stopped
    volumes:
      - '/data/mysql/var/lib/mysql:/var/lib/mysql'
    environment:
      MYSQL_ROOT_PASSWORD: <PWD>
      MYSQL_DATABASE: 'guacamoledb'
      MYSQL_USER: 'guacadmin'
      MYSQL_PASSWORD: <PWD>
  guacd:
    image: guacamole/guacd
    container_name: guacd
    restart: unless-stopped
  guacamole:
    image: guacamole/guacamole
    container_name: guacamole
    restart: unless-stopped
    ports:
      - 8080:8080
    links:
      - guacd
      - guacdb
    volumes:
      - '/data/guacamole/etc/ssl/certs/lab-ipa:/etc/ssl/certs/lab-ipa'
    command: sh -c "keytool -storepass changeit -importcert -noprompt -alias labipa -file /etc/ssl/certs/lab-ipa/lab-ipa.mydomain.lab.pam -keystore /usr/local/openjdk-8/jre/lib/security/cacerts && /opt/guacamole/bin/start.sh"
    environment:
      GUACD_HOSTNAME: guacd
      MYSQL_HOSTNAME: guacdb
      MYSQL_DATABASE: guacamoledb
      MYSQL_USER: guacadmin
      MYSQL_PASSWORD: <PWD>
      LDAP_HOSTNAME: 'lab-ipa.mydomain.lab'
      LDAP_PORT: 636
      #LDAP_ENCRYPTION_METHOD: starttls
      LDAP_ENCRYPTION_METHOD: ssl
      LDAP_USER_BASE_DN: 'cn=users,cn=accounts,dc=mydomain,dc=lab'
      LDAP_GROUP_BASE_DN: 'cn=groups,cn=accounts,dc=mydomain,dc=lab'
      LDAP_SEARCH_BIND_DN: 'uid=guacadmin,cn=users,cn=accounts,dc=mydomain,dc=lab'
      LDAP_SEARCH_BIND_PASSWORD: <PWD>
      LDAP_USER_ATTRIBUTES: 'uid'
      LDAP_USER_SEARCH_FILTER: '(memberof=cn=guacamole-users,cn=groups,cn=accounts,dc=mydomain,dc=lab)'
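The report's core puzzle is that LDAP simple bind carries exactly one credential field, while FreeIPA's 2FA wants both a password and a token code. The following is an added example, written for this page and not code from the Guacamole project or from the reporter: it encodes the LDAPv3 BindRequest (RFC 4511) that any LDAP client sends, builds the credential the way a FreeIPA OTP user has to present it (password with the token code appended in that one field), and decodes the BindResponse result code that decides between "successfully authenticated" and "failed". The DN, password and token values are constructed placeholders; the `simple_bind_over_ldaps` helper is only there so the same messages can be tried against a real server, and is not run offline.

```python
"""Added example: LDAP simple bind encoding/decoding around FreeIPA OTP."""
import socket
import ssl
from typing import Optional, Tuple

# LDAP resultCode values from RFC 4511, section 4.1.9
SUCCESS = 0
INVALID_CREDENTIALS = 49


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length and content octets for one BER element."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02), two's complement, minimal length."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return ber_tlv(0x02, body)


def freeipa_bind_credential(password: str, otp_code: Optional[str]) -> bytes:
    """FreeIPA's simple bind for an OTP-enabled user expects the token code
    appended directly to the password in the single credential field; a client
    that sends only the password (as a password-only login form does) gets
    invalidCredentials back from the directory."""
    return (password + (otp_code or "")).encode("utf-8")


def bind_request(message_id: int, bind_dn: str, credential: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name LDAPDN, authentication simple [0] OCTET STRING } }."""
    bind = ber_int(3) + ber_tlv(0x04, bind_dn.encode("utf-8")) + ber_tlv(0x80, credential)
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x60, bind))


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Encode a BindResponse [APPLICATION 1] as a server would; used here only
    to build constructed samples for parse_bind_response."""
    body = (ber_tlv(0x0A, bytes([result_code]))      # resultCode ENUMERATED
            + ber_tlv(0x04, b"")                      # matchedDN
            + ber_tlv(0x04, diagnostic.encode("utf-8")))  # diagnosticMessage
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x61, body))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the BER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, _matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def simple_bind_over_ldaps(host: str, port: int, bind_dn: str, credential: bytes,
                           cafile: Optional[str] = None) -> Tuple[int, str]:
    """Send one BindRequest over LDAPS and return (resultCode, diagnosticMessage).
    Network helper for checking a real server; not exercised offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, bind_dn, credential))
        data = tls.recv(4096)
    _, code, diag = parse_bind_response(data)
    return code, diag


if __name__ == "__main__":
    # Constructed placeholder values, not the reporter's real directory.
    dn = "uid=c111111,cn=users,cn=accounts,dc=example,dc=test"
    only_pw = bind_request(1, dn, freeipa_bind_credential("Secret123", None))
    pw_otp = bind_request(2, dn, freeipa_bind_credential("Secret123", "123456"))
    print("password-only bind :", only_pw.hex())
    print("password+OTP bind  :", pw_otp.hex())
    print(parse_bind_response(bind_response(2, INVALID_CREDENTIALS, "Invalid credentials")))
```

The two requests differ only in the trailing credential octets, which is the whole difference between a login that the directory accepts and one it rejects with resultCode 49; a login form with a single password field can only ever produce the first shape, which is why the linked GUACAMOLE-1212 asks for the LDAP extension to handle the second factor itself.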
Issue Links
- duplicates GUACAMOLE-1212 Support 2FA Directly in LDAP Extension (Open)