[
https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17231760#comment-17231760
]
Nick Couchman commented on GUACAMOLE-1212:
------------------------------------------
[~nayruden]: Ah, okay, sorry about that - sounds like we may need some
additional hooks in the LDAP module to handle the 2FA request, similar to how
we do things with the RADIUS module. I've never worked with an LDAP server that
supported 2FA directly, so I may have to try to spin up FreeIPA and see what
happens.
> Cannot authenticate with OTP-enabled LDAP user
> ----------------------------------------------
>
> Key: GUACAMOLE-1212
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1212
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-ldap
> Affects Versions: 1.2.0
> Reporter: Brett Smith
> Priority: Major
>
> I'm using FreeIPA in my environment. I have guacamole-auth-ldap enabled and
> configured and it works fine for users who do not have 2FA enabled. For our
> users with 2FA enabled, we are using TOTP tokens provided by FreeIPA.
> When investigating a tcpdump between guacamole and the LDAP server, I can see
> that guacamole passes the username and password to the LDAP server twice.
> This works fine for a traditional username and password, but for a
> 2FA-enabled user, the second authentication attempt returns failure since the
> TOTP is one-time use. 2FA login attempts result in the guacamole logs
> outputting "successfully authenticated" while the web UI shows "Invalid
> Login" in a red banner.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
