Any way to enable Duo for all LDAP accounts?


#1

I’m new to Duo.
Does anyone know of a way to enable Duo for any OpenLDAP authentication session? I imagine this would need to be a password plugin for OpenLDAP; maybe something else?

We use LDAP across 70+ Linux hosts for all ssh sessions, as well as authenticating all of our web-based applications (only one supports Duo natively).

What I want is to create a “duo” security group in LDAP and add users to it. Whenever a user initiates a login requiring an LDAP query, the LDAP process sees it needs to run /usr/sbin/login_duo as well as verify the user password via SASL or the userPassword attribute. This would allow enabling Duo auth for every single piece of software we have – whether it supports Duo or not, regardless of how PAM or ssh is set up.

I’ve written an OpenLDAP plugin to do this for WiKID (RADIUS) in the past but wondering if Duo has this problem already solved to save me the headache of re-tooling the plugin.

I’m re-tagging this with Duo Labs in hopes it will reach some of the ninjas there since it’s likely a crazy idea.

Thanks!


#2

While we don’t have an OpenLDAP plugin to do this available, you could install the Duo Authentication Proxy configured as an LDAP server and pointing to OpenLDAP for upstream authentication, then point your other applications there for LDAP authentication.
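For readers trying the layout suggested in reply #2, here is an added example of what that arrangement looks like in the Duo Authentication Proxy's authproxy.cfg. It is not configuration from the original thread or from Duo; the host name, DNs, file paths and the ikey/skey/api_host values are placeholders and must be replaced with your own. The [ad_client] section is the proxy's generic LDAP client (it is not limited to Active Directory), and the [ldap_server_auto] section is the LDAP listener your hosts and web applications would be pointed at instead of OpenLDAP.

```ini
; /etc/duoauthproxy/authproxy.cfg (added example, placeholder values)

; Upstream directory: the existing OpenLDAP server that checks passwords.
[ad_client]
host=ldap.example.internal
port=636
transport=ldaps
ssl_ca_certs_file=/etc/duoauthproxy/openldap-ca.pem
; Bind identity the proxy uses to search the directory; for OpenLDAP give the full DN.
service_account_username=cn=duo-proxy,ou=svc,dc=example,dc=com
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
; Subtree where user entries live, and the attribute that holds the login name
; (the default is sAMAccountName, which OpenLDAP schemas normally lack).
search_dn=ou=people,dc=example,dc=com
username_attribute=uid
; Assumption for this example: only members of this group may authenticate at all.
; This is an allow-list, not a "skip 2FA for non-members" switch, and in the
; proxy's case it is evaluated through the memberOf attribute, so OpenLDAP
; needs the memberOf overlay for it to work. Omit the line to allow all users.
security_group_dn=cn=duo,ou=groups,dc=example,dc=com

; Downstream listener: what the 70+ Linux hosts and the web apps bind to.
[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; Deny logins if the Duo cloud service cannot be reached (the alternative, "safe",
; lets primary-password-only logins through during an outage).
failmode=secure
; Serve LDAPS only; plain 389 is not opened when only ssl_port is set.
ssl_port=636
ssl_key_path=/etc/duoauthproxy/proxy.key
ssl_cert_path=/etc/duoauthproxy/proxy.pem
; The application's own service-account bind is exempt from 2FA (default true),
; so only the subsequent user bind triggers a Duo push.
exempt_primary_bind=true
```

With this in place the flow per login is: the application binds as its service account (exempt), searches for the user, then binds as the user; the proxy forwards that bind to OpenLDAP, and only if the password is accepted does it call Duo for the second factor before returning success. Two caveats worth checking before rollout: 2FA is only applied to a user bind, so identity lookups that never bind as the user (NSS uid/gid resolution, group enumeration) pass straight through, and password checks that bypass the LDAP bind (SASL mechanisms verified outside the proxy) are not intercepted. Test on one host with SSSD pointed at the proxy before repointing the fleet.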


#3

Sounds intriguing! I’ll look into it.
Thanks