Duo - samAccountName?


#1

Hi,

We are using duo_unix-1.9.19-0.x86_64.rpm together with Centrify authentication on Red Hat Linux 6.7.

You can see we are doing Centrify authentication first, then DUO authentication:

more /etc/pam.d/sshd

#%PAM-1.0
auth required pam_env.so
auth [success=1 default=ignore] pam_centrifydc.so
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

Now we encountered one problem.

We have some special users whose unixname mapped in Centrify is different from their Active Directory canonical name (samAccountName).
Those special users can’t pass through DUO authentication with either name, because both will be converted to their unixname and sent to Duo for verification. Since they registered their AD account on Duo, both will fail.

For example, for user “Binello Sev”:

unixname:binello
uid:4107
gid:23
dn:CN=Binello\, Severino,OU=CAM - Users,OU=CAM,DC=bnl,DC=gov
samAccountName:sev

We tried both:
ssh sev@mytestmachine
ssh binello@mytestmachine

Neither is working, because both will be converted to “binello” and sent to Duo for verification. Since he registered his Active Directory account (sev) on Duo, both will fail.

We are wondering if there is a configuration parameter that can be provided so that the DUO module will forward the samAccountName when authenticating to the DUO server?

Thanks,
Zaiwen


#2

Hi there Zaiwen,

While there’s not an officially supported configuration for this, our Support Team will be able to do some in-depth troubleshooting with you and may have a workaround. I recommend you contact them when you have a chance: https://duo.com/support.
Thanks!


#3

You may be able to use the new ‘aliases’ feature. In the case of AD sync, it would just be a matter of configuring your custom attribute mapping to use whatever attributes (UPN, SamAccountName, a custom field, etc.) are needed.
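
Added example, not part of the thread and not Duo or Centrify code: one way to find the accounts that would need an alias, by comparing unixname with samAccountName in records of the form shown in post #1. The blank-line record separator, the function names, and the second and third sample records are assumptions.

```python
import re

# First record is the one from post #1; the other two are constructed.
SAMPLE = """\
unixname:binello
uid:4107
gid:23
dn:CN=Binello\\, Severino,OU=CAM - Users,OU=CAM,DC=bnl,DC=gov
samAccountName:sev

unixname:jdoe
samAccountName:JDoe

unixname:svcbackup
"""


def parse_records(text):
    """Return one dict per blank-line-separated record (keys lower-cased)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            # Split on the first colon only: dn values may contain more.
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip().lower()] = value.strip()
        if rec:
            records.append(rec)
    return records


def alias_candidates(records):
    """Return (mismatches, incomplete): (samAccountName, unixname) pairs whose
    names differ, and names of records missing either attribute."""
    mismatches, incomplete = [], []
    for rec in records:
        unix, sam = rec.get("unixname"), rec.get("samaccountname")
        if not unix or not sam:
            incomplete.append(unix or sam or "<unknown>")
        elif unix.lower() != sam.lower():  # assumption: case-insensitive match
            mismatches.append((sam, unix))
    return mismatches, incomplete


if __name__ == "__main__":
    mismatches, incomplete = alias_candidates(parse_records(SAMPLE))
    for sam, unix in mismatches:
        print(f"{sam}: add alias {unix}")
    for name in incomplete:
        print(f"{name}: skipped, missing unixname or samAccountName")
```

Each reported pair is an account whose login name sent by the PAM module (unixname) differs from the name enrolled in Duo (samAccountName), so it is a candidate for an alias entry.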