[OOD-users] Open OnDemand with LDAP/Duo auth

Lilley, John F. johnbot at caltech.edu
Wed Jan 2 17:39:19 EST 2019


Thanks for the feedback. We ended up getting Open OnDemand working using Shib/Duo so all is good!

John


From: "Dockendorf, Trey" <tdockendorf at osc.edu>
Date: Wednesday, December 19, 2018 at 10:30 AM
To: "Lilley, John F." <johnbot at caltech.edu>, User support mailing list for Open OnDemand <ood-users at lists.osc.edu>
Subject: Re: [OOD-users] Open OnDemand with LDAP/Duo auth

I wanted to report back that I’ve verified it’s possible to use Keycloak and Duo by having Keycloak perform authentication through SSSD running on the Keycloak server.  I followed the Keycloak docs for using SSSD [1] except for a modified /etc/pam.d/keycloak [2].  I verified that setting something like 'groups=*,!root' in /etc/duo/pam_duo.conf and the PAM config was enough to require Duo.  If you wanted to make Duo optional you could do so via group memberships, and I verified this works by changing the groups config for pam_duo.  You could also do clever things with the PAM stack to use pam_duo based on other conditions.  Because Keycloak doesn’t actually know there is a possible challenge response using SSSD, you have to set up Duo to have autopush=yes and prompts=1 so that the 2FA automatically sends a push notification to the person’s phone.

If more details are needed let me know and I can provide my exact steps taken to get Duo and Keycloak working together.

- Trey

[1]:
https://www.keycloak.org/docs/latest/server_admin/index.html#sssd-and-d-bus

[2]:
auth    required   pam_sss.so
auth    required   pam_duo.so
account required   pam_sss.so

--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center
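For reference, here is what a /etc/duo/pam_duo.conf matching the settings Trey describes would look like. This is an added illustration, not Trey's actual file; the ikey/skey/host values are placeholders, and failmode/pushinfo are additional pam_duo options not mentioned in the thread.

```ini
; /etc/duo/pam_duo.conf  (added example, not the OSC configuration)
[duo]
; Integration credentials from the Duo admin panel (placeholders).
ikey = <DUO_INTEGRATION_KEY>
skey = <DUO_SECRET_KEY>
host = <api-XXXXXXXX.duosecurity.com>

; Keycloak authenticates via SSSD/PAM with no interactive terminal,
; so pam_duo can never show its "1. Push 2. Phone 3. Passcode" menu.
; Defaults (autopush = no, prompts = 3) would stall the login.
; Send a push immediately and allow exactly one attempt instead.
autopush = yes
prompts = 1

; Require Duo for everyone except root; to make Duo optional, list
; only the groups that must use it, e.g. "groups = duo-users".
groups = *,!root

; Fail closed if the Duo service is unreachable (default is "safe",
; which lets the first factor alone succeed during an outage).
failmode = secure

; Include the originating hostname in the push notification.
pushinfo = yes
```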

From: OOD-users <ood-users-bounces+tdockendorf=osc.edu at lists.osc.edu> on behalf of "Lilley, John F. via OOD-users" <ood-users at lists.osc.edu>
Reply-To: "Lilley, John F." <johnbot at caltech.edu>, User support mailing list for Open OnDemand <ood-users at lists.osc.edu>
Date: Tuesday, December 11, 2018 at 5:13 PM
To: "ood-users at lists.osc.edu" <ood-users at lists.osc.edu>
Subject: [OOD-users] Open OnDemand with LDAP/Duo auth

Hello All,

Performing a test installation of Open OnDemand on our central HPC to compare performance and functionality against StarNet FastX. We use LDAP along with Duo as the second factor. Does Open OnDemand support this type of installation and if so, are there documents/notes/wikis describing this configuration floating around?

Thank You,
John

--

John Lilley
C A L I F O R N I A  I N S T I T U T E  O F  T E C H N O L O G Y
Lead Systems Administrator – Cloud and High Performance Computing | IMSS
johnbot at caltech.edu | 323.208.1688



