Cannot make LDAP and DUO both authenticate

mikehalfogre
Level 1

We have a configuration that currently makes use of DUO, and before we install DUO we ensure a working integration with LDAP for user logins.

Once we install DUO though, and follow the initial documents, we can get the auth requests from DUO … but the password can be any quickly typed keyboard mash and you still log in to the system.

I have tried a few alternate configurations of common-auth and sshd in /etc/pam.d, but none of them seem to allow me to auth with the password, and you then do not get a prompt from DUO.

Can someone point me at the right documentation?

1 Reply

jsesser
Level 1

Mike,

I’m using this successfully on CentOS 6 and 7 systems in password-auth-ac:

auth required pam_env.so
auth [default=1 success=ignore] pam_localuser.so
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_ldap.so
auth sufficient pam_duo.so
auth required pam_deny.so

This is the only pam change I had to make. Before coming up with this config, I did come up with several that didn’t require passwords at all! The changes to sshd_config follow the documentation.
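
The control flags in the stack above, run through a small model of the PAM auth stack walk (an added example, not posted by either participant and not Duo or Linux-PAM code). `WEAK_STACK`, `parse` and `authenticate` are hypothetical names, module results are supplied by hand, and jump actions are assumed to cast no vote of their own.

```python
# Added example: simplified model of the Linux-PAM auth stack walk; no real module runs.
SHORTHAND = {"required":   {"success": "ok",   "default": "bad"},
             "requisite":  {"success": "ok",   "default": "die"},
             "sufficient": {"success": "done", "default": "ignore"}}
REPLY_STACK = """\
auth required pam_env.so
auth [default=1 success=ignore] pam_localuser.so
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_ldap.so
auth sufficient pam_duo.so
auth required pam_deny.so"""
# Constructed misconfiguration (assumption, not taken from the thread).
WEAK_STACK = """\
auth required pam_env.so
auth sufficient pam_ldap.so
auth sufficient pam_duo.so
auth required pam_deny.so"""

def parse(stack):
    rules = []
    for line in stack.splitlines():
        rest = line.split(None, 1)[1]               # drop the "auth" field
        if rest.startswith("["):                    # [value=action ...] form
            ctrl, rest = rest[1:].split("]", 1)
            actions = dict(p.split("=") for p in ctrl.split())
        else:
            ctrl, rest = rest.split(None, 1)
            actions = SHORTHAND[ctrl]
        rules.append((actions, rest.split()[0]))
    return rules

def authenticate(stack, ok_modules):                # ok_modules: modules returning PAM_SUCCESS
    rules, i, seen_ok, seen_bad = parse(stack), 0, False, False
    while i < len(rules):
        actions, module = rules[i]
        i += 1
        key = "success" if module in ok_modules else "default"
        action = actions.get(key, actions["default"])
        if action.isdigit():                        # jump over the next N modules
            i += int(action)
        elif action in ("ok", "done"):
            seen_ok = True
            if action == "done" and not seen_bad:   # sufficient success ends the walk
                return True
        elif action == "die":                       # requisite failure: stop at once
            return False
        elif action == "bad":
            seen_bad = True
    return seen_ok and not seen_bad
```

In `WEAK_STACK` a failed `pam_ldap.so` is ignored, so an approved Duo push alone authenticates; in the stack from the reply, `requisite` on `pam_ldap.so` ends the walk before `pam_duo.so` is reached.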
