We are using duo_unix-1.9.19-0.x86_64.rpm together with Centrify authentication on Red Hat Linux 6.7.
You can see we are doing Centrify authentication first, then DUO authentication:
auth required pam_env.so
auth [success=1 default=ignore] pam_centrifydc.so
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
Now we encountered one problem.
We have some special users whose unixname mapped in Centrify is different from their Active Directory canonical name (samAccountName).
Those special users can't pass through DUO authentication with either name, because both will be converted as their unixname and sent to Duo for verification. Since they registered their AD account on Duo, both will fail.
For example, for user "Binello Sev":
dn:CN=Binello\, Severino,OU=CAM - Users,OU=CAM,DC=bnl,DC=gov
We tried both:
Neither is working, because both will be converted as "binello" and sent to Duo for verification. Since he registered his Active Directory account (sev) on Duo, both will fail.
We are wondering if there is a configuration parameter than can be provided so that the DUO module will forward the samAccountName when authenticating to the DUO server?