Hi there! We are using Guacamole 1.5.5 and I have also tested it on 1.6.0 with the same result.
We are using the guacamole-auth-jdbc-postgresql-1.6.0.jar extension, as well as guacamole-auth-ldap-1.6.0.jar and guacamole-auth-totp-1.6.0.jar to get TOTP 2 factor authentication. In guacamole.properties we have enabled automatic account creation.

postgresql-auto-create-accounts: true

Users are authenticated against LDAP, which works fine, but the username is written to the database as it was entered in the username input field on the login screen. So if someone logs in as user abc who is authenticated against LDAP, the user will get the initial TOTP QRCode to scan with their phone, so 2-factor authentication will be set up for that user. But if the same user tries to connect with user aBc, they will be correctly authenticated against LDAP, but will see an initial TOTP QRCode again and can set up a new, different second factor. So basically the user is able to bypass the 2-factor authentication. I can see that there are actually two users abc, aBc in the database.

Can we somehow force the database authentication to be case-insensitive?

Regards,
Peter
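
An added example, not part of the original post: a PostgreSQL query an administrator can run to list usernames that were auto-created more than once under different capitalisation, together with the TOTP enrolment state of each variant. It assumes the stock guacamole-auth-jdbc schema (guacamole_entity, guacamole_user, guacamole_user_attribute) and that guacamole-auth-totp records enrolment in the guac-totp-key-confirmed user attribute.

```sql
-- Added example. Assumes the stock guacamole-auth-jdbc PostgreSQL schema and
-- the guac-totp-key-confirmed attribute written by guacamole-auth-totp.
WITH variants AS (
    SELECT lower(e.name) AS folded_name,   -- case-folded login name
           e.name        AS stored_name,   -- name exactly as typed at login
           u.user_id,
           -- true only if this variant has completed TOTP enrolment
           COALESCE(bool_or(a.attribute_value = 'true'), false) AS totp_confirmed
    FROM guacamole_entity e
    JOIN guacamole_user u
      ON u.entity_id = e.entity_id
    LEFT JOIN guacamole_user_attribute a
      ON a.user_id = u.user_id
     AND a.attribute_name = 'guac-totp-key-confirmed'
    WHERE e.type = 'USER'
    GROUP BY e.name, u.user_id
)
SELECT folded_name,
       count(*)                                    AS variant_count,
       array_agg(stored_name    ORDER BY user_id)  AS stored_names,
       array_agg(totp_confirmed ORDER BY user_id)  AS totp_confirmed
FROM variants
GROUP BY folded_name
HAVING count(*) > 1          -- more than one row per case-folded name
ORDER BY folded_name;
```

Each returned row is one LDAP identity that exists as several database users; the lowest user_id is the first account created, and later variants with totp_confirmed = true are second factors enrolled after the original one.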