Setting Vault MFA Duo config for username_format

dbt...@gmail.com

Nov 10, 2016, 6:01:41 PM
to Vault
Hi,

Currently trying to update the Duo config for our auth backend. I'm unsure about how to modify the username before passing it along to Duo. The documentation at https://www.vaultproject.io/docs/auth/mfa.html shows that I should be able to modify the Duo config as:

$ vault write auth/userpass/duo/config username_format="%s@example.com"
Success! Data written to: auth/userpass/duo/config

$ vault read auth/userpass/duo/config
Key             Value
---             -----
username_format %s@example.com

However, when trying to log in, it fails to authenticate with Duo. Our Duo users list contains "jo...@example.com", but Vault can't authenticate with John.

vault auth -method=userpass username=john

Code: 400. Errors:

* Access Denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator.

Creating a Duo user named john solves the problem, but leads me to believe that Vault is passing along the username without the username_format.

Has anybody run into this issue recently, where the username_format doesn't seem to be used? Looking for any guidance or help, much appreciated.

Thanks,
Dan

dbt...@gmail.com

Nov 10, 2016, 6:13:47 PM
to Vault
Attaching result, for more information.

$ vault auth -method=userpass username=john

Password (will be hidden):
Error making API request.

Code: 400. Errors:

* Access Denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator.


dbt...@gmail.com

Nov 10, 2016, 6:45:35 PM
to Vault
One more piece of data, from the Duo administration authentication logs.
It seems to be sending as john, and not jo...@example.com

Michael Fischer

Nov 11, 2016, 3:38:54 AM
to vault...@googlegroups.com
This sounds like an issue worth filing at GitHub.

dbt...@gmail.com

Nov 11, 2016, 11:30:23 AM
to Vault
Sounds good. Opened an issue here: https://github.com/hashicorp/vault/issues/2085

Was hoping maybe that I misconfigured something on my side, but might be an actual issue.
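
A way to check the symptom described in this thread, as an added example (not code from the thread or from the Vault project): the script pulls `username_format` out of `vault read` output, computes the username Duo should receive, and classifies the name that shows up in Duo's authentication log. The function names and the embedded sample output are constructed for illustration.

```shell
#!/bin/sh
# Added troubleshooting example; function names are hypothetical.

# Constructed sample of `vault read auth/userpass/duo/config` output.
SAMPLE_CONFIG='Key             Value
---             -----
username_format %s@example.com'

# Extract the username_format value from the key/value table on stdin.
parse_username_format() {
    awk '$1 == "username_format" { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# Render the username Duo should see. Only the first %s is substituted and
# the format is handled as data, never passed to printf as a format string.
expected_duo_username() {
    fmt=$1 user=$2
    case $fmt in
        *%s*) printf '%s%s%s\n' "${fmt%%\%s*}" "$user" "${fmt#*%s}" ;;
        *)    return 1 ;;   # no %s placeholder, nothing to substitute
    esac
}

# Classify the username observed in Duo's authentication log.
diagnose() {
    fmt=$1 user=$2 observed=$3
    want=$(expected_duo_username "$fmt" "$user") || { echo bad-format; return; }
    if [ "$observed" = "$want" ]; then
        echo format-applied        # Duo received the formatted name
    elif [ "$observed" = "$user" ]; then
        echo format-ignored        # raw login name reached Duo unchanged
    else
        echo unexpected-username   # something else rewrote the name
    fi
}

# The thread's symptom: login as john, Duo log shows john.
cfg_fmt=$(printf '%s\n' "$SAMPLE_CONFIG" | parse_username_format)
diagnose "$cfg_fmt" john john      # prints format-ignored
```

Against a live server, pipe the real `vault read auth/userpass/duo/config` output into `parse_username_format` in place of the sample.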