On Sat, 27 Feb 2021, mir mal via FreeIPA-users wrote:
> Hi,
>
> After 2FA sssd split into two prompts, the LDAP client from Guacamole is failing. I've also opened a ticket with the Guacamole team, but the response from LDAP is not indicating much; it's just an Invalid Credentials. It could be down to the way they do authentication: they authenticate once to check credentials, and this part is working correctly, but then they use TokenInjectingConnection and try to authenticate again to query Guacamole-related properties if LDAP has been used to store Guacamole data. That part is failing and the whole process ends up with Invalid Login.
>
> When I switch back to password-only or password and OTP, then it's working as expected. I had a similar issue with RDP and the solution was to change sssd.conf to a single prompt; however, sssd.conf is for pam services, not LDAP clients. Is there something I have to tweak in FreeIPA to get it to work with LDAP clients so the password and OTP is sent as a single password string, the same way you do it with RDP?
>
> Also, other LDAP clients like Apache Directory or OPNsense PHP LDAP clients are working fine sending pwd+otp as a single string, so I think it's down to the TokenInjectingConnection; maybe FreeIPA won't allow you to provide OTP twice in the same session and is therefore sending InvalidCredentials.
First, you are mixing things up. Guacamole is an LDAP client, talking directly to the LDAP server. You don't need to involve SSSD here at all; it is totally irrelevant and unrelated.

LDAP bind with OTP is done by providing the password and the OTP code as a single string. If your LDAP client attempts to reuse the same credentials (e.g. password+OTP code) twice, that's wrong and should never be done. After all, it is a one-time password; it should not be cached and re-authenticated.

Guacamole's LDAP implementation seems to assume that once it gets some credentials to authenticate to LDAP, it will be able to re-establish a new LDAP connection and re-authenticate with these credentials over and over again. This is wrong for OTP authentication; you cannot do that, regardless of the protocol used to bear the authentication request.

So I would suggest you explain to the Guacamole developers that they need to support a situation where credentials need to be re-requested from a user every time this authentication has to happen, instead of caching them. I also would suggest having this as a configuration option to disable credential caching, because otherwise an invalid LDAP bind would always increase the user's failed authentication count and may lock the user out faster than expected.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
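An added example (not from the thread and not FreeIPA's or Guacamole's own code) modelling the server-side behaviour the reply describes: the bind password is the static password with the OTP code appended, the server checks the code against a small time window and records the highest time step it has already accepted, so a second bind with the same cached string is rejected as a replay and is counted as a failed authentication. The DN, secret, 6-digit/30-second TOTP parameters and the single-step skew window are constructed assumptions of the model.

```python
import hashlib
import hmac
import struct

DIGITS = 6   # assumed token code length
STEP = 30    # assumed TOTP time step in seconds

def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over a time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class OtpBindServer:
    """Toy LDAP server accepting simple binds whose password is <static password><OTP code>."""

    def __init__(self, users):
        # users: {dn: (static_password, totp_secret)} -- constructed test data.
        # watermark = highest time step already consumed; failed = failed-bind counter.
        self.users = {dn: {"pw": pw, "secret": s, "watermark": -1, "failed": 0}
                      for dn, (pw, s) in users.items()}

    def bind(self, dn: str, credentials: str, now: int) -> bool:
        user = self.users.get(dn)
        if user is None or len(credentials) <= DIGITS:
            return False
        password, code = credentials[:-DIGITS], credentials[-DIGITS:]
        counter = now // STEP
        ok = False
        if hmac.compare_digest(password.encode(), user["pw"].encode()):
            # Allow one step of clock skew either way, but only steps newer than the
            # watermark: a code that has been accepted once is never valid again.
            for c in (counter - 1, counter, counter + 1):
                if c > user["watermark"] and hmac.compare_digest(code, totp(user["secret"], c)):
                    user["watermark"], ok = c, True
                    break
        if not ok:
            user["failed"] += 1  # each rejected re-bind moves the user toward lockout
        return ok

def demo():
    """Bind once with password+OTP, then re-bind with the same cached string."""
    dn, secret = "uid=alice,cn=users,dc=example,dc=test", b"constructed-demo-secret"
    server = OtpBindServer({dn: ("s3cret", secret)})
    now = 1_700_000_000
    creds = "s3cret" + totp(secret, now // STEP)
    first = server.bind(dn, creds, now)          # True: fresh code
    second = server.bind(dn, creds, now + 1)     # False: replayed code
    return first, second, server.users[dn]["failed"]
```

The second bind is exactly what a client that caches credentials and re-binds on a new connection does; the fix on the client side is to keep the first bound connection for follow-up queries or to ask the user for a fresh code, never to resend the consumed one.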
