Hi,

After 2FA sssd split into two prompts, the LDAP client from Guacamole is failing. I've also opened a ticket with the Guacamole team, but the response from LDAP is not indicating much; it is just an Invalid Credentials. It could be down to the way they do authentication: they authenticate once to check credentials, and this part is working correctly, but then they use TokenInjectingConnection and try to authenticate again to query Guacamole-related properties if LDAP has been used to store Guacamole data. That part is failing and the whole process ends up with Invalid Login. When I switch back to password-only or password and OTP, then it's working as expected.

I had a similar issue with RDP and the solution was to change sssd.conf to a single prompt; however, sssd.conf is for PAM services, not LDAP clients. Is there something I have to tweak in FreeIPA to get it to work with LDAP clients so the password and OTP is sent as a single password string, the same way you do it with RDP?

Also, other LDAP clients like Apache Directory or OPNSense PHP LDAP clients are working fine sending pwd+otp as a single string, so I think it's down to the TokenInjectingConnection; maybe FreeIPA won't allow you to provide OTP twice in the same session and is therefore sending InvalidCredentials.

The ticket I've opened with the Guacamole team: https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel&focusedCommentId=17291290#comment-17291290
