As per the documentation at https://guacamole.apache.org/doc/gug/totp-auth.html:
"Prerequisites ...

* Another extension must be installed which supports storage of arbitrary data from other extensions. Currently the only extensions provided with Guacamole which support this kind of storage are the database authentication extensions.

* Within whichever extension provides the storage described above, users requiring TOTP must be granted permission to update their own accounts (to update their passwords, etc.). This privilege is managed within the administrative web interface with a checkbox labeled "change own password". If a user lacks this permission, the TOTP extension will not be able to generate and store the user's TOTP key during enrollment, and TOTP will be disabled for that user."

OS: CentOS/RHEL 7.x
Guac: 1.0.0

My setup is typically MariaDB and the LDAP extension. I have the parameters in guacamole.properties for LDAP and have LDAP associated with the MariaDB database. In this fashion, users are logging into Guacamole with their AD credentials.

Outside of Guacamole, from Windows using AD, most users can change their own password when it expires; I am not 100% sure if they can do so at any time (I will double check this). However, I am confused as to whether my setup meets the prerequisites, specifically in regard to users being able to change their own password. Even if I checked this box for every user in Guac, I am not sure how this works with LDAP. I am going to go out on a limb and assume that Guac cannot alter AD credentials even with this box checked?

On the other hand, would checking this box (change own password) create a situation in which users can set their password for Guac to something other than their password for AD? In other words, is the new password stored in the database and authentication performed against that password instead of the AD password?

Basically, I am trying to find information about how LDAP associated with a MariaDB database can co-exist with the TOTP extension for 2FA, or whether it is not currently possible.
Thanks

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/