guacamole-user mailing list archives

From Mike Jumper <mjum...@apache.org>
Subject Re: struggling with totp
Date Mon, 18 Mar 2019 22:40:47 GMT
On Mon, Mar 18, 2019 at 9:56 AM mrbabbage <mrbabbage@visualplanet.org> wrote:

> Hello,
>
> I have a mysql database and some 1.0.0 guacamole and guacd containers. Up
> until now I have just been using plain ldap auth but would like to start
> using totp as well to provide additional protection.
>
> I have tried running this:
>
> sudo docker run --name dockguacamole --link dockguacd:guacd --log-opt
> max-size=50m --restart=always -e LDAP_HOSTNAME=myldapserver -e
> LDAP_PORT=3268 -e LDAP_USER_BASE_DN='OU=MYUsers,DC=sub,DC=domain,DC=com' -e
> LDAP_USERNAME_ATTRIBUTE=sAMAccountName -e 'LDAP_SEARCH_BIND_DN=CN=guac
> service2,OU=Services Accounts,OU=Resources,DC=sub,DC=domain,DC=com' -e
> LDAP_SEARCH_BIND_PASSWORD=securepass2 -e MYSQL_HOSTNAME=172.17.0.1 -e
> MYSQL_DATABASE=guacamole_db -e MYSQL_USER=root -e
> MYSQL_PASSWORD=securepass1
> -e "EXTENSIONS=auth-ldap,auth-totp" -d -p 8080:8080 guacamole/guacamole
>

1) There is no "EXTENSIONS" environment variable. Setting this will have no
effect. It has no meaning.

http://guacamole.apache.org/doc/gug/guacamole-docker.html

With this in mind, the only authentication methods you've enabled are LDAP
and MySQL. Nothing is enabling TOTP here.

2) The Docker image released with 1.0.0 does not contain support for TOTP.
You would need to manually add the extension as you would for a third-party
extension (or any other extension not included with the image):

http://guacamole.apache.org/doc/gug/guacamole-docker.html#guacamole-docker-guacamole-home

There is an issue open in JIRA requesting that this support be added:

https://issues.apache.org/jira/browse/GUACAMOLE-753

3) Beware that LDAP support within Guacamole is read-only. While you do
have MySQL set up and Guacamole will write the TOTP keys, etc. to it upon
enrollment, the user accounts for the users that will be using TOTP will
need to already exist within MySQL. If it is impossible for a user to
enroll in TOTP due to lack of permissions / having a read-only account,
TOTP will not be enabled for that user. There is some work in progress to
automatically create user accounts:

https://issues.apache.org/jira/browse/GUACAMOLE-708

- Mike
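The setup the reply points to, as an added example that is not part of the original thread or of the Guacamole project's code: a host directory used as GUACAMOLE_HOME with the TOTP jar in its extensions/ subdirectory, started with the thread's docker command minus the EXTENSIONS variable. It assumes guacamole-auth-totp-1.0.0.jar has already been extracted from the 1.0.0 release tarball; the host paths are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Guacamole project.
# Builds a host directory to serve as GUACAMOLE_HOME, drops the TOTP
# extension jar into extensions/, and starts the container as the reply
# describes: no EXTENSIONS variable, the directory bind-mounted and named
# via GUACAMOLE_HOME. Assumption: the jar was already extracted from the
# 1.0.0 release tarball; host paths are placeholders.

# prepare_guac_home HOME_DIR JAR
# Guacamole only loads .jar files from extensions/, so reject anything else
# (e.g. the release tarball itself) before it ends up in the directory.
prepare_guac_home() {
    home_dir=$1; jar=$2
    case "$jar" in
        *.jar) ;;
        *) echo "refusing $jar: extensions must be .jar files" >&2; return 1 ;;
    esac
    [ -f "$jar" ] || { echo "missing: $jar" >&2; return 1; }
    mkdir -p "$home_dir/extensions"
    cp "$jar" "$home_dir/extensions/"
}

# guac_run HOME_DIR
# The two secrets are passed as bare "-e NAME", so docker copies them from
# this shell's environment instead of the command line (and shell history).
# DOCKER_CMD can be overridden (DOCKER_CMD=echo) for a dry run.
guac_run() {
    home_dir=$1
    [ -d "$home_dir/extensions" ] || { echo "run prepare_guac_home first" >&2; return 1; }
    # Abort with a clear message if the secrets are not in the environment.
    : "${LDAP_SEARCH_BIND_PASSWORD:?must be set in the environment}"
    : "${MYSQL_PASSWORD:?must be set in the environment}"
    ${DOCKER_CMD:-docker} run --name dockguacamole --link dockguacd:guacd \
        --log-opt max-size=50m --restart=always \
        -v "$home_dir:/guacamole-home" -e GUACAMOLE_HOME=/guacamole-home \
        -e LDAP_HOSTNAME=myldapserver -e LDAP_PORT=3268 \
        -e LDAP_USER_BASE_DN='OU=MYUsers,DC=sub,DC=domain,DC=com' \
        -e LDAP_USERNAME_ATTRIBUTE=sAMAccountName \
        -e 'LDAP_SEARCH_BIND_DN=CN=guac service2,OU=Services Accounts,OU=Resources,DC=sub,DC=domain,DC=com' \
        -e LDAP_SEARCH_BIND_PASSWORD \
        -e MYSQL_HOSTNAME=172.17.0.1 -e MYSQL_DATABASE=guacamole_db \
        -e MYSQL_USER=root -e MYSQL_PASSWORD \
        -d -p 8080:8080 guacamole/guacamole:1.0.0
}
```

Usage: `prepare_guac_home /srv/guacamole-home ./guacamole-auth-totp-1.0.0.jar && guac_run /srv/guacamole-home`; the accounts that will enroll in TOTP still have to exist in MySQL first, as the reply's third point says.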
