Thanks for the reply.  
I'm using OTP for things like VPN and remote access only. In my configuration, PrivacyIDEA is configured to use LDAP as its source of truth, and then handles the OTP. RADIUS is used by the applications (Guacamole and VPN) against PrivacyIDEA to authenticate. Dropping the first/last N characters does in fact feel hacky, but I'm unsure how to handle my use case. There may be a better way, but "you don't know what you don't know"! I think I saw a post or two that stated Nick uses LinOTP. Perhaps he'll have some insight too.

On Sat, Dec 15, 2018 at 2:18 PM Mike Jumper <mjumper@apache.org> wrote:
On Sat, Dec 15, 2018, 12:05 Not Speedy <notspeedy01@gmail.com> wrote:
I noticed there is a way to pass the username/password through to NLA and RDP connections to create an SSO-like experience. It looks like I could use the variables GUAC_USERNAME and GUAC_PASSWORD (or something like that).

I'm using PrivacyIDEA (a fork of LinOTP) to handle my OTP requirements, backed by LDAP. So to sign in, I'd use the username and password+OTP, looking something like this: 'john.doe' 'secret123456'

This would get passed to NLA/RDP as "secret123456", which will not work. Most RADIUS/OTP solutions will allow you to add the OTP at the front or end of the PIN (password). Is there a way to pass this through while dropping the OTP? Perhaps creating a configuration option that could drop the "front or end by # characters"?

If your RDP server uses the same LDAP for auth, wouldn't dropping the OTP still not work since it would require its own OTP added to the password as well?

If LDAP-driven OTP is common, an option for LDAP to split things up may be reasonable, but I'm uncertain. An option to drop the first/last N characters feels hacky.

- Mike
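To make concrete what the "drop the first/last N characters" option discussed in this thread would actually have to do, here is an added example that is not code from Guacamole, PrivacyIDEA or any RADIUS client. It assumes, purely for illustration, that the OTP is a 6-digit TOTP (RFC 6238, HMAC-SHA1, 30-second step) appended to or prepended to the static password, and it verifies that TOTP locally against a constructed seed; a real deployment would instead send the combined credential to PrivacyIDEA over RADIUS and only forward the static remainder to RDP/NLA once that check succeeds. The function names, the sample seed and the "pw" passwords are all made up for the example.

```python
"""Added example: split a 'static password + OTP' credential and return
only the static part, but only after the OTP portion verifies.

Assumptions (hypothetical, not from the mailing-list thread):
  - OTP is a 6-digit TOTP (RFC 6238, HMAC-SHA1, 30 s step), placed either
    at the end (default) or at the front of the static password
  - the local TOTP check stands in for the RADIUS round-trip to PrivacyIDEA
  - SAMPLE_SEED is constructed test data, not a real token seed
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

OTP_DIGITS = 6
TIME_STEP = 30

# Constructed base32 seed for the sample user (decodes to 10 bytes).
SAMPLE_SEED = "JBSWY3DPEHPK3PXP"


def hotp(secret_b32: str, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step)


def verify_otp(secret_b32: str, candidate: str, at: int, window: int = 1) -> bool:
    """Accept the current time step plus `window` steps on either side to
    tolerate clock skew. Comparison is constant-time."""
    if len(candidate) != OTP_DIGITS or not candidate.isdigit():
        return False
    counter = at // TIME_STEP
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c), candidate):
            return True
    return False


def split_credential(combined: str, secret_b32: str, at: int,
                     otp_first: bool = False) -> Optional[Tuple[str, str]]:
    """Return (static_password, otp) if the OTP part verifies, else None.

    Cutting a fixed number of characters off the front or end is exactly the
    'drop first/last N characters' idea from the thread; refusing to forward
    anything unless the cut-off part verifies as an OTP is what keeps a
    wrong split from leaking a mangled password to the RDP server."""
    if len(combined) <= OTP_DIGITS:
        return None  # nothing left for the static password
    if otp_first:
        otp, static = combined[:OTP_DIGITS], combined[OTP_DIGITS:]
    else:
        static, otp = combined[:-OTP_DIGITS], combined[-OTP_DIGITS:]
    if not verify_otp(secret_b32, otp, at):
        return None
    return static, otp


def demo(now: Optional[int] = None) -> dict:
    """Show a valid and an invalid combined credential for the sample user."""
    now = int(time.time()) if now is None else now
    code = totp(SAMPLE_SEED, now)
    return {
        "otp": code,
        "good": split_credential("secret" + code, SAMPLE_SEED, now),
        "bad": split_credential("secret000000", SAMPLE_SEED, now),
    }


if __name__ == "__main__":
    print(demo())
```

The point the code makes about the thread's proposal: stripping N characters is only safe if the stripped part is actually checked as the OTP, and it only works when the OTP length is fixed, which rules out schemes where the second factor is variable-length or where the RDP host itself demands its own OTP (Mike's objection above).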