We are currently using Duo cloud integrated into our PAM auth for two-factor authentication. This works great.
It has come down from above that now we want to do LDAP authentication for our Linux servers, basically just SSH. This works fine using sssd/LDAPS pointed directly to our DCs. However, now we want to integrate Duo into the mix as well for two-factor.
I have configured LDAP on our current Duo auth proxy box:

[cloud]
ikey=removed
skey=removed
api_host=removed

[ad_client]
host=10.10.10.5
host_2=10.10.10.6
service_account_username=binduser
service_account_password=removed
search_dn=DC=removed,DC=com
security_group_dn=CN=DUO,OU=SECURITY,DC=removed,DC=com

[ldap_server_auto]
client=ad_client
ikey=removed
skey=removed
api_host=removed
failmode=safe
ssl_key_path=duo.key
ssl_cert_path=duo.crt
When I do a capture I can now see the Duo auth proxy MITM the LDAPS request and correctly pull back the user from id or getent.
I'm a little confused on the client-side portion, however. Normally we would enter our ikey/skey into /etc/duo/pam_duo.conf or login_duo.conf, whichever one we happen to be using for that specific box. Am I to put the same ikey/skey that the Duo auth proxy has in its LDAP section on the client pam_duo.conf/login_duo.conf?
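As an added example (not part of the original post or Duo's own tooling), a small Python check for an authproxy.cfg in the layout shown above: it confirms the [ldap_server_auto] client= reference resolves to a defined section, that the keys the proxy needs are present, that failmode is a known value, and that the LDAPS key and certificate are set together. The sample values are constructed placeholders and the required-key list is an assumption.

```python
import configparser

# Constructed sample in the authproxy.cfg layout from the post, with placeholder values.
SAMPLE_CFG = """
[ad_client]
host = 10.10.10.5
host_2 = 10.10.10.6
service_account_username = binduser
service_account_password = REDACTED
search_dn = DC=example,DC=com

[ldap_server_auto]
client = ad_client
ikey = DIXXXXXXXXXXXXXXXXXX
skey = REDACTED
api_host = api-xxxxxxxx.duosecurity.com
failmode = safe
ssl_key_path = duo.key
ssl_cert_path = duo.crt
"""

# Assumed minimum keys each section needs before the proxy can answer LDAPS binds for AD.
REQUIRED = {"ad_client": ("host", "service_account_username", "service_account_password", "search_dn"),
            "ldap_server_auto": ("client", "ikey", "skey", "api_host")}


def check_authproxy(text: str) -> list[str]:
    """Return findings for an authproxy.cfg text; an empty list means nothing was flagged."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    for section, keys in REQUIRED.items():
        if not cfg.has_section(section):
            findings.append(f"missing section [{section}]")
            continue
        findings += [f"[{section}] lacks {k}" for k in keys if not cfg.get(section, k, fallback="").strip()]
    srv = "ldap_server_auto"
    if cfg.has_section(srv):
        client = cfg.get(srv, "client", fallback="")
        if client and not cfg.has_section(client):
            findings.append(f"[{srv}] client={client} does not name a defined section")
        failmode = cfg.get(srv, "failmode", fallback="safe")
        if failmode not in ("safe", "secure"):
            findings.append(f"[{srv}] failmode must be safe or secure, got {failmode!r}")
        elif failmode == "safe":
            findings.append(f"[{srv}] failmode=safe lets binds succeed on primary auth alone when Duo is unreachable")
        # Serving LDAPS needs both the private key and the certificate, not just one of them
        if bool(cfg.get(srv, "ssl_key_path", fallback="")) != bool(cfg.get(srv, "ssl_cert_path", fallback="")):
            findings.append(f"[{srv}] ssl_key_path and ssl_cert_path must be set together")
    return findings
```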