LDAP + force enrollment for MFA: 'from_ldap=false' still the best way with 1.6.*?

[cotman]

Hi,

We need to (one way/read-only) sync our LDAP users into defguard and ensure that they must go through enrollment in order that they setup Internal MFA for our Location that requires it.

Is the workaround here, listed for version 1.5., still the recommended approach to take with 1.6,.? Or, as this isn't present in the 1.6.* documentation, is there now a better way to do this in later versions of defguard?

Additionally, if a workaround is still required with 1.6.*, to achieve this flow, are there any plans to change this in upcoming versions of defguard that are likely to deliver soon?

Thanks!

[kchudy]

Hi @cotman,
Yes, this workaround is still recommended for 1.6. It also wasn't planned for the upcoming 2.0, but we will discuss the issue during our next planning session. I will let you know when we have it planned.

[cotman]

Thanks @kchudy ! We'd be really interested in hearing about any plans for 2.0 in this area.

I don't know if our model is unusual, but we use a standalone LDAP server for multiple services (e.g. for OpenVPN, where we'd like to switch to defguard). We're not in a position to custom provision internal users installing the defguard client, so ideally we just want a one-way LDAP sync of users to defguard with the ability to always push them through enrollment so that they're forced to setup MFA and have a working client at the end of the enrollment process. We're trialling defguard as a POC at the moment - using the "from_ldap=false" workaround does work, but it's a bit clunky in terms of the DB change required on the user and the oddity (for an LDAP user) of having to set an additional password as part of enrollment.

[kchudy]

@cotman We've created an issue based on this discussion. Please follow it for progress on the matter. Unfortunately, it won't be part of 2.0 as we want to release it ASAP and had to do a feature freeze at some point. For now, it's scheduled for 2.1.