Hi there again! I may have found a workaround, but I am not sure if it has any side effects.
I have changed the collation of the name column in the guacamole_entity table to be case-insensitive, so that logging in with different usernames will result in the same entry. Maybe someone can check this solution and give me some feedback.

CREATE COLLATION public.case_insensitive (provider = icu, locale = 'und-u-ks-level2', deterministic = false);
ALTER TABLE guacamole_entity ALTER COLUMN name TYPE character varying(128) COLLATE "case_insensitive";

Regards,
Peter

At 2025-05-06 12:56, Peter Kronfuss wrote:
> Hi there!
>
> We are using Guacamole 1.5.5 and I have also tested it on 1.6.0 with the same
> result.
>
> We are using the guacamole-auth-jdbc-postgresql-1.6.0.jar extension, as well
> as guacamole-auth-ldap-1.6.0.jar and guacamole-auth-totp-1.6.0.jar to get
> TOTP 2 factor authentication.
>
> In guacamole.properties we have enabled automatic account creation.
>
> postgresql-auto-create-accounts: true
>
> Users are authenticated against LDAP, which works fine, but the username is
> written to the database as it was entered in the username input field on the
> login screen.
>
> So if someone logs in as user abc who is authenticated against LDAP, the user
> will get the initial TOTP QRCode to scan with their phone, so 2-factor
> authentication will be set up for that user.
>
> But if the same user tries to connect with user aBc, they will be correctly
> authenticated against LDAP, but will see an initial TOTP QRCode again and can
> set up a new, different second factor. So basically the user is able to
> bypass the 2-factor authentication. I can see that there are actually two
> users abc, aBc in the database.
>
> Can we somehow force the database authentication to be case-insensitive?
>
> Regards,
> Peter
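An audit query for the duplicate accounts described in this thread, added here as an example and not part of either message or of the Guacamole project. It assumes the stock Guacamole PostgreSQL schema (the type column, guacamole_user and guacamole_user_attribute tables) and that the TOTP extension records enrollment in a 'guac-totp-key-confirmed' user attribute; lower() only approximates the ICU level2 comparison.

```sql
-- Added example. Assumed stock schema (not shown in the thread):
--   guacamole_entity(entity_id, name, type)
--   guacamole_user(user_id, entity_id)
--   guacamole_user_attribute(user_id, attribute_name, attribute_value)
-- Assumed attribute name for TOTP enrollment: 'guac-totp-key-confirmed'.
WITH folded AS (
    SELECT e.entity_id,
           e.type,
           e.name,
           lower(e.name) AS folded_name,  -- approximates und-u-ks-level2
           count(*) OVER (PARTITION BY e.type, lower(e.name)) AS variants
    FROM guacamole_entity e
)
SELECT f.folded_name,
       f.type,
       f.name      AS stored_name,        -- spelling typed at the login screen
       f.entity_id,
       coalesce(a.attribute_value, 'false') AS totp_confirmed
FROM folded f
LEFT JOIN guacamole_user u
       ON u.entity_id = f.entity_id
LEFT JOIN guacamole_user_attribute a
       ON a.user_id = u.user_id
      AND a.attribute_name = 'guac-totp-key-confirmed'
WHERE f.variants > 1                      -- only names that collide when case is ignored
ORDER BY f.type, f.folded_name, f.entity_id;
```

Each group of rows is one LDAP identity with more than one database account, and every extra row with totp_confirmed set to true is a second factor enrolled outside the original one. If the schema enforces uniqueness on the name column, these rows also have to be merged or removed before the ALTER TABLE can rebuild that constraint under the case-insensitive collation.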