guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Zer0Cool <>
Subject Questions About Using TOTP with LDAP
Date Thu, 17 Jan 2019 22:33:38 GMT
As per the documentation at


* Another extension must be installed which supports storage of arbitrary
data from other extensions. Currently the only extensions provided with
Guacamole which support this kind of storage are the database authentication

* Within whichever extension provides the storage described above, users
requiring TOTP must be granted permission to update their own accounts (to
update their passwords, etc.). This privilege is managed within the
administrative web interface with a checkbox labeled "change own password".
If a user lacks this permission, the TOTP extension will not be able to
generate and store the user's TOTP key during enrollment, and TOTP will be
disabled for that user."

OS: CentOS/RHEL 7.x
Guac: 1.0.0

My setup is typically mariadb and the LDAP extension. I have the parameters
in for LDAP and have LDAP associated with the mariadb

In this fashion, users are logging into Guacamole with their AD credentials.
Outside of Guacamole, from Windows using AD, most users can change their own
password when it expires, I am not 100% sure if they can do so at any time
(I will double check this).

However, I am confused as to if my setup meets the prerequisites,
specifically in regards to being able to change their own password. Even if
I checked this box for every user in Guac, I am not sure how this works with
LDAP. I am going to go out on a limb and assume that Guac cannot alter AD
credentials even with this box checked?

On the other hand would checking this box (change own password) create a
situation in which users can set their password for Guac to something other
than their password for AD? In other words the new password is stored in the
database and authentication is against that password instead of the AD

Basically I am trying to find information about how LDAP associated with
mariadb database can co-exist with the TOTP extension for 2FA or if it is
not currently possible. Thanks

Sent from:

View raw message