peterrosell / openvpn-yubikey-ldap

OpenVPN server in docker that supports 2FA with password and Yubikey OTP and LDAP as backend
MIT License

2FA setup #1

Open Luc3as opened 6 years ago

Luc3as commented 6 years ago

Hello, I would need a little help. I have been trying to get this working for a few days now; I accomplished auth to LDAP (MS AD) or to the yubikey file mapping. However, what I would like is authentication to LDAP and then a second step by yubikey in the local file mappings. Is this scenario possible somehow, or what am I doing wrong? I have /opt/openvpn/openvpn_external defined like this, but I cannot get a successful auth. I imagine it like using yubico pam for sshd auth: first username and password, and then a separate input for the OTP. Am I right? Thank you

auth    required pam_yubico.so debug id=xxx authfile=/etc/openvpn/yubikey_mappings
auth    [default=bad success=1] pam_ldap.so use_first_pass

# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so

# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so

# Accept any user since we're dealing with virtual users there's no need to have a system account (pam_unix.so)
account sufficient pam_permit.so

Soren90 commented 5 years ago

Hi Lucas,

When you are trying to authenticate, you will be asked for your ldap-username and password (ldap password followed by OTP in the same password field)

The local file mapping is only used to map a user to their yubikey on the server. I've personally only done this with an attribute in the LDAP server, though.
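A worked illustration of the combined-field scheme Soren90 describes, added here as an example (it is not code from the repository or from either commenter): the password field is split into the LDAP password and a trailing 44-character modhex OTP, and the OTP's 12-character public ID is checked against a pam_yubico-style `user:id[:id]` authfile. The 44-character default OTP length, the constructed mappings and the sample password are assumptions; validating the OTP itself against a Yubico server (which pam_yubico does) is out of scope.

```python
import re

# A Yubikey OTP is 44 modhex characters by default (assumed here): a
# 12-character public ID that identifies the key, then a 32-character
# encrypted token that only the validation server can check.
MODHEX_OTP = re.compile(r"^[cbdefghijklnrtuv]{44}$")
PUBLIC_ID_LEN = 12
OTP_LEN = 44

# Constructed sample in pam_yubico's authfile format: user:publicid[:publicid...]
SAMPLE_MAPPINGS = """\
# comment lines start with '#'
alice:ccccccbchvth
bob:cccccccdefgh:cccccccdefgi
"""


def parse_mappings(text):
    """Return {username: set(public_ids)} from authfile-style text."""
    mappings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        mappings.setdefault(user, set()).update(i for i in ids if i)
    return mappings


def split_password_field(field):
    """Split 'ldap_password + otp' into (ldap_password, otp).

    The split is positional (last 44 characters), so an LDAP password that
    happens to end in modhex characters is still separated correctly.
    Returns None when the tail is not a well-formed OTP, which is the case
    to reject before any LDAP bind is attempted.
    """
    if len(field) < OTP_LEN:
        return None
    ldap_password, otp = field[:-OTP_LEN], field[-OTP_LEN:]
    if not MODHEX_OTP.match(otp):
        return None
    return ldap_password, otp


def user_owns_otp(user, otp, mappings):
    """True if the OTP's public ID is one of the keys mapped to this user."""
    return otp[:PUBLIC_ID_LEN] in mappings.get(user, set())
```

Only the ownership check is decided locally; whether the 32-character token is valid and unused is the validation server's call.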