Hi,
After 2FA sssd split into two prompts the LDAP client from Guacamole is failing. I've
also opened a ticket with the Guacamole team but the response from LDAP is not indicating
much; it's just an Invalid Credentials. It could be down to the way they do authentication as
they do authentication once to check credentials and this part is working correctly but
then they use TokenInjectingConnection and try to authenticate again to query Guacamole
related properties if LDAP has been used to store Guacamole data, that part is failing and
the whole process ends up with Invalid Login. When I switch back to password-only or
password and OTP then it's working as expected. I had a similar issue with RDP and the
solution was to change sssd.conf to a single prompt, however sssd.conf is for pam services
not LDAP clients. Is there something I have to tweak in FreeIPA to get it to work with
LDAP clients so the password and OTP is sent as a single password string, the same way you
do it with RDP? Also, other
LDAP clients like Apache Directory or OPNSense PHP LDAP clients are working fine
sending pwd+otp as a single string so I think it's down to the
TokenInjectingConnection, maybe FreeIPA won't allow you to provide the OTP twice in the
same session and therefore sending InvalidCredentials.
The ticket I've opened with the Guacamole team:
https://issues.apache.org/jira/browse/GUACAMOLE-1212?page=com.atlassian.j...