RT 4.4.1 login form and 2FA

RT Community,
I’m trying to set up 2FA, specifically Duo, with the RT login process.
I’m having a difficult time figuring out where to place the Duo Perl
code in the login process. I’m using external LDAP authentication.
Once the successful login returns from LDAP, where does RT forward to
the home page? I need to put in the Duo Perl code before RT sends the
authenticated user to the home page. Any help would be greatly
appreciated. Thank you.

Hi,

I’m not familiar with the DUO 2FA solution, but I think you may be
looking for callbacks in the login page.
The following should help:

CustomizingWithCallbacks - Request Tracker Wiki

I believe the ones you are interested in are those below:
/Elements/Login CallbackName => 'AfterForm'
/Elements/Login CallbackName => 'BeforeForm'

Hope that helps

Best Regards

Martin

RT 4.4 and RTIR training sessions, and a new workshop day!
https://bestpractical.com/training

  • Boston - October 24-26
  • Los Angeles - Q1 2017

Are you looking to use LDAP for AUTHN or hack RT to use DUO?

I’m not sure if LDAP can use PAM for AUTHN, but if it can, you can use
a PAM RADIUS module and configure DUO on your RADIUS server.

-m

Hi,

Using the Duo ldap proxy looks like a viable option too.

Duo Two-Factor Authentication for LDAP Applications | Duo Security

Best Regards

Martin

Hi Martin,
That might be a viable option as well. I might try that or switching to
apache authentication via radius as well. Thanks all for the responses!

Kem Hartley
Network Systems Specialist
School of EECS
The Pennsylvania State University