Additional config options for LDAP plugin (and / or Duo 2FA)
rperigo opened this issue · 2 comments
On our deployment, the stakeholder is requesting the ability to use Duo 2FA for all users - ideally, we'd like to force this for ALL users of the deployment, instead of the current system where each user must set up their own 2FA (at least, so far as I've seen in the admin panel). We have two options to do this I can see:
- use the Duo Auth Proxy service to act as a middleman between DSA and our institutional LDAP - this would work, except the DSA LDAP plugin does not have any ability to set an LDAP request timeout, which causes authentication to fail unless the user is able to immediately respond to the Duo push. Having a request/response timeout value we could set for LDAP in DSA would theoretically resolve this.
- use a sitewide Duo config, wherein we could set an API host, integration key, and secret key for Duo while disabling per-user 2FA setup.
Would either of these be possible features that could be added to the application (or is there info available on how these could be set in its current state?)
Thanks!
We use the Girder LDAP plugin (https://github.com/girder/girder/tree/master/plugins/ldap). I don't know enough about LDAP to know what would be needed to support what you want. Since we are using pyldap under the hood, the options might already be there or might be easy to expose. A quick Google search shows that this is certainly possible with pyldap (or perhaps with python-ldap) -- for instance, I see someone's gist with an example here: https://gist.github.com/matthiassb/292f78f9b839b59e6005ba27787e3eb2.
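The timeout the first option asks for, as an added example (not code from Girder's LDAP plugin, nor the gist linked above): it assumes python-ldap/pyldap is installed, and it shows the two libldap options plus the python-ldap connection attribute that together bound how long a bind waits, so the bind can sit for the duration of a Duo push instead of failing or hanging. The 90 s and 10 s defaults, the fallback option values used when the library is absent, and the `ldap://duo-proxy.example.org` address are assumptions chosen for illustration, not Duo or Girder settings.

```python
"""Bind to an LDAP server, or to a Duo Authentication Proxy in front of one,
with explicit timeouts via python-ldap (pyldap)."""

try:
    import ldap  # python-ldap / pyldap, assumed installed on the Girder host
    OPT_NETWORK_TIMEOUT, OPT_TIMEOUT = ldap.OPT_NETWORK_TIMEOUT, ldap.OPT_TIMEOUT
except ImportError:
    # Fallback so the option logic can still be inspected without the library.
    # Assumed values: LDAP_OPT_NETWORK_TIMEOUT / LDAP_OPT_TIMEOUT from OpenLDAP's ldap.h.
    ldap = None
    OPT_NETWORK_TIMEOUT, OPT_TIMEOUT = 0x5005, 0x5002

# Assumed values for this example: a Duo push normally has to be approved
# within about a minute, so the bind must be allowed to wait at least that
# long. Neither number comes from Duo or Girder documentation.
DEFAULT_BIND_TIMEOUT = 90.0     # seconds to wait for the bind response
DEFAULT_CONNECT_TIMEOUT = 10.0  # seconds to establish the TCP connection


def timeout_options(bind_timeout=DEFAULT_BIND_TIMEOUT,
                    connect_timeout=DEFAULT_CONNECT_TIMEOUT):
    """Map the two timeouts onto the libldap options that enforce them.

    OPT_NETWORK_TIMEOUT bounds connect() and socket I/O; OPT_TIMEOUT bounds
    how long libldap waits for the response to an operation, which is the
    wait a pending Duo push consumes.
    """
    if bind_timeout <= 0 or connect_timeout <= 0:
        raise ValueError("timeouts must be positive numbers of seconds")
    return {
        OPT_NETWORK_TIMEOUT: float(connect_timeout),
        OPT_TIMEOUT: float(bind_timeout),
    }


def bind_with_timeout(conn, bind_dn, password,
                      bind_timeout=DEFAULT_BIND_TIMEOUT,
                      connect_timeout=DEFAULT_CONNECT_TIMEOUT):
    """Apply the timeouts to a connection object, then perform a simple bind.

    Returns True on success and False if the server rejected the credentials
    (wrong password, or the second factor was denied). ldap.TIMEOUT propagates
    when no response arrives within bind_timeout, and ldap.SERVER_DOWN when
    the proxy cannot be reached at all.
    """
    for option, value in timeout_options(bind_timeout, connect_timeout).items():
        conn.set_option(option, value)
    # python-ldap's synchronous *_s methods wait on this attribute when they
    # collect the result; its default of -1 means "wait forever", which is
    # the hang the issue describes when the push is not answered at once.
    conn.timeout = float(bind_timeout)
    try:
        conn.simple_bind_s(bind_dn, password)
    except Exception as exc:
        if ldap is not None and isinstance(exc, ldap.INVALID_CREDENTIALS):
            return False
        raise
    return True


def open_connection(uri, bind_dn, password, **timeouts):
    """Initialise a connection to uri and bind with the timeouts applied.

    python-ldap opens the socket lazily on the first operation, so options
    set between initialize() and the bind take effect for that bind.
    Example (placeholder address, assumed for illustration):
        open_connection("ldap://duo-proxy.example.org:389",
                        "uid=alice,ou=people,dc=example,dc=org", "secret")
    """
    if ldap is None:
        raise RuntimeError("python-ldap is required to open a real connection")
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    return conn, bind_with_timeout(conn, bind_dn, password, **timeouts)
```

Ordering matters: the options and the `timeout` attribute have to be set before the first operation on the connection, because that operation is what opens the socket and starts the wait. Keep the bind timeout below whatever limit the web server or reverse proxy imposes on the login request itself, or the HTTP side will give up before the LDAP bind does.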
A number of LDAP improvements and settings have been added to Girder since this issue was created. I'm closing this; please reopen on the Girder repo as needed.