On Sat, 27 Feb 2021, mir mal via FreeIPA-users wrote:
> Hi,
> After 2FA sssd split into two prompts the LDAP client from Guacamole is
> failing. I've also opened a ticket with the Guacamole team but the
> response from LDAP is not indicating much, it is just an Invalid
> Credentials. It could be down to the way they do authentication as they
> do authentication once to check credentials and this part is working
> correctly but then they use TokenInjectingConnection and try to
> authenticate again to query Guacamole related properties if LDAP has
> been used to store Guacamole data; that part is failing and the whole
> process ends up with Invalid Login. When I switch back to password-only
> or password and TOTP then it's working as expected. I had a similar
> issue with RDP and the solution was to change sssd.conf to a single
> prompt, however sssd.conf is for pam services not LDAP clients. Is
> there something I have to tweak in FreeIPA to get it to work with LDAP
> clients so the password and TOTP is sent as a single password string,
> the same way you do it with RDP? Also, other LDAP clients like Apache
> Directory or OPNSense PHP Ldap clients are working fine sending pwd+otp
> as a single string so I think it's down to the
> TokenInjectingConnection, maybe FreeIPA won't allow you to provide OTP
> twice in the same session and therefore sends InvalidCredentials.
First, you are mixing things up. Guacamole is an LDAP client, talking
directly to the LDAP server. You don't need to involve SSSD here at all;
it is totally irrelevant and unrelated.

LDAP bind with OTP is done by providing the password and OTP code as a
single string. If your LDAP client attempts to reuse the same
credentials (e.g. password+OTP code) twice, that's wrong and should
never be done. After all, it is a one-time password; it should not be cached
and re-authenticated.

Guacamole's LDAP implementation seems to assume that once it gets some
credentials to authenticate to LDAP, it will be able to re-establish a new
LDAP connection and re-authenticate with these credentials over and over
again. This is wrong for OTP authentication; you cannot do that,
regardless of the protocol used to bear the authentication request.

So I would suggest you explain to the Guacamole developers that they need
to support a situation where credentials need to be re-requested from the
user every time this authentication has to happen instead of caching
them. I would also suggest having a configuration option to
disable credential caching, because otherwise an invalid LDAP bind would
always increase the user's failed authentication count and may lock the user out
faster than expected.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
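The exchange above can be made concrete with a small simulation. This is an added example, not code from the thread, from Guacamole or from FreeIPA: `OtpDirectory` is an assumed stand-in that models only the two rules Alexander describes (a password+OTP bind string is accepted once, and every failed bind increments the user's failure counter), the TOTP routine is plain RFC 6238 with the RFC's published test key, and the three `*_client_flow` functions, the user `mir`, the password `hunter2` and the attribute name `guacConfigProtocol` are constructed for illustration. It shows why the "bind once, cache the string, bind again" pattern fails on the second bind and bumps the lockout counter, while keeping the first bound session (or re-prompting the user for a fresh code) works.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30
DIGITS = 6


def totp(secret_b32, now, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", now // step)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class OtpDirectory:
    """Assumed stand-in for an OTP-enabled directory. It models only the
    one-time rule and the failed-bind counter described in the thread, not
    FreeIPA's actual code. The bind credential is password+OTP as one
    string; an OTP time step is accepted at most once per user."""

    def __init__(self):
        self.users = {}

    def add_user(self, uid, password, secret_b32):
        self.users[uid] = {"password": password, "secret": secret_b32,
                           "watermark": -1, "failures": 0}

    def simple_bind(self, uid, credential, now):
        """Return a bound session (dict) on success, None on failure."""
        user = self.users.get(uid)
        if user is None or len(credential) <= DIGITS:
            return None
        password, otp = credential[:-DIGITS], credential[-DIGITS:]
        window = now // STEP
        ok = (hmac.compare_digest(password.encode(), user["password"].encode())
              and hmac.compare_digest(otp, totp(user["secret"], now))
              and window > user["watermark"])   # replaying a used OTP is refused
        if not ok:
            user["failures"] += 1              # every bad bind counts toward lockout
            return None
        user["watermark"] = window
        user["failures"] = 0
        return {"uid": uid, "bound": True}

    def search(self, session, attr):
        """A query reuses the already-bound session; no credentials needed."""
        if not session or not session.get("bound"):
            raise PermissionError("not bound")
        return f"{attr}@{session['uid']}"


def make_demo_directory():
    directory = OtpDirectory()
    directory.add_user("mir", "hunter2", DEMO_SECRET)   # constructed demo user
    return directory


def caching_client_flow(directory, uid, credential, now):
    """The pattern the thread attributes to Guacamole: authenticate, then open
    a second connection and bind again with the same cached string."""
    first = directory.simple_bind(uid, credential, now) is not None
    second = directory.simple_bind(uid, credential, now) is not None
    return first, second, directory.users[uid]["failures"]


def single_bind_client_flow(directory, uid, credential, now):
    """Correct for OTP: bind once and keep that session for the follow-up query."""
    session = directory.simple_bind(uid, credential, now)
    if session is None:
        return None
    return directory.search(session, "guacConfigProtocol")   # hypothetical attribute


def reprompting_client_flow(directory, uid, ask_user, now):
    """The alternative suggested in the reply: when a new bind is unavoidable,
    ask the user for fresh credentials instead of replaying the cached ones."""
    first = directory.simple_bind(uid, ask_user(now), now) is not None
    later = now + STEP                       # the user reads the next code
    second = directory.simple_bind(uid, ask_user(later), later) is not None
    return first, second, directory.users[uid]["failures"]
```

`caching_client_flow` returns `(True, False, 1)`: the first bind succeeds, the replayed one is rejected and the failure counter is already ticking, which is the lockout effect the reply warns about. `single_bind_client_flow` never rebinds, so it needs no second credential at all, and is the cheapest fix a client can make; `reprompting_client_flow` only succeeds because `ask_user` is called again and the user supplies a code from a later time step.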