Cannot make LDAP and DUO both authenticate


#1

We have a configuration that currently makes use of DUO, and before we installed DUO we ensured a working integration with LDAP for user logins.

Once we install DUO though, and follow the initial documents, we can get the auth requests from DUO … but the password can be any quickly typed keyboard mash and you still log in to the system.

I have tried a few alternate configurations of common-auth and sshd in /etc/pam.d, but none of them seem to allow me to auth with the password, and then you do not get a prompt from DUO.

Can someone point me at the right documentation?


#2

Mike,

I’m using this successfully on CentOS 6 and 7 systems in password-auth-ac:

# auth section of /etc/pam.d/password-auth-ac: a password must be accepted before Duo runs
auth required pam_env.so
# local account: on success fall through to pam_unix; otherwise skip pam_unix and go straight to pam_ldap
auth [default=1 success=ignore] pam_localuser.so
# local password accepted: skip pam_ldap and go to pam_duo; rejected: fall through to pam_ldap
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
# requisite: a failed directory password stops the stack immediately with a failure
auth requisite pam_ldap.so
# Duo only runs once a password was accepted; its success ends the stack, its failure falls to pam_deny
auth sufficient pam_duo.so
auth required pam_deny.so

This is the only PAM change I had to make. Before coming up with this config, I did come up with several that didn’t require passwords at all! The changes to sshd_config follow the documentation.
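Added illustration, not part of either post: a small Python model of the pam.conf(5) control-flag rules (required, requisite, sufficient and the [success=N default=ignore] jump forms) walked over the stack above, next to a constructed stack with pam_duo listed as sufficient above the password modules, the shape that lets any password through. Module outcomes (LDAP password accepted or not, Duo approved or not) are supplied as a dict, since nothing here talks to a directory or to Duo.

```python
import re
# Keyword controls as expanded in pam.conf(5); any non-success result uses "default".
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}}
POSTED_STACK = """
auth required pam_env.so
auth [default=1 success=ignore] pam_localuser.so
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_ldap.so
auth sufficient pam_duo.so
auth required pam_deny.so
"""
# Constructed counter-example: pam_duo "sufficient" above the password modules.
BYPASS_STACK = "auth sufficient pam_duo.so\nauth required pam_unix.so\n"

def parse_stack(text):
    """Turn 'auth <control> <module> [args]' lines into (actions, module) pairs."""
    stack = []
    for line in text.strip().splitlines():
        ctrl, module = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        actions = (dict(kv.split("=") for kv in ctrl[1:-1].split())
                   if ctrl.startswith("[") else KEYWORDS[ctrl])
        stack.append((actions, module))
    return stack

def run_auth(stack, results):
    """Simplified pam.conf(5) walk; results maps module -> True (success) / False."""
    status, i = None, 0                      # running status: None, "ok" or "bad"
    while i < len(stack):
        actions, module = stack[i]
        outcome = "success" if results.get(module, False) else "default"
        action = actions.get(outcome, actions.get("default", "ignore"))
        i += 1
        if action.isdigit():                 # [success=N]: counts as ok, skip N modules
            i, action = i + int(action), "ok"
        if action == "ok":
            status = status or "ok"          # ok never overrides an earlier bad
        elif action == "bad":
            status = "bad"
        elif action == "die":                # requisite failure: stop and deny
            return False
        elif action == "done":               # sufficient success: stop, unless already bad
            return status != "bad"
    return status == "ok"                    # "ignore" contributes nothing

def ldap_login(stack_text, password_ok, duo_ok):
    # Directory (non-local) user: pam_localuser fails, so pam_ldap is the password check.
    results = {"pam_env.so": True, "pam_localuser.so": False,
               "pam_ldap.so": password_ok, "pam_duo.so": duo_ok}
    return run_auth(parse_stack(stack_text), results)
```

With the posted stack, ldap_login(POSTED_STACK, password_ok=False, duo_ok=True) returns False; the same call against BYPASS_STACK returns True, which is the "any keyboard mash logs in" symptom from the question.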