On Fri, Aug 15, 2025 at 4:22 PM Nick Couchman <[email protected]> wrote:
> On Wed, Aug 6, 2025 at 3:11 AM Florian Segura <[email protected]> wrote:
>
>> Hi,
>>
>> I have an issue on Guacamole built with Docker on version 1.6.0 with
>> mariadb 10.11.
>> Here is the scenario:
>>
>> 1) I have set up TOTP in my env variables
>> 2) I have set up LDAP servers with mysql-auto-create on my instance
>> 3) I have created a local group named "NO-MFA"
>> 4) I log on with an ldap account, set up MFA for the first time, etc.
>> 5) I added my ldap user to my local group
>> 6) I set "disable totp" on the NO-MFA group and I added my ldap user to this
>> local group.
>>
>> The thing is, the bypass MFA isn't working on this setup. It works when I
>> check bypass mfa on the user directly but not from the group.
>>
>> The relation seems to work because when I check "System Administrator"
>> from the group with the ldap user member of, it works.
>>
>
> Interesting. I would expect that what you've done is the right way to go
> about this, so it sounds like there's a bug in there that either isn't
> factoring in group membership when checking MFA status, or isn't correctly
> associating LDAP users to local groups at the time that it does that check.
> I'll try to have a go at reproducing it at some point, soon.
>

I am able to reproduce this as you've described, above, and it is definitely not behaving as intended. I've created the following Jira issue for this:

https://issues.apache.org/jira/browse/GUACAMOLE-2141

As a work-around, you can do the following:

* Make sure the LDAP module is set up to search for groups.
* Create the NO-MFA group in LDAP.
* Make sure the matching group exists in the JDBC module.
* Disable TOTP for that group.

Basically, as long as the group membership is loaded by the LDAP module, it'll be properly applied and TOTP will be disabled. But, this is just a work-around and should not be required - we should fix the bug.

-Nick
