Authentication with PAM or pwauth and Symantec VIP token

Hi, I am deploying ood 1.8.20 on our HPC site, CentOS 7.9 with kernel 3.10.0-1160.25.1.el7, where the authentication is done using sssd proxying our own LDAP id mapping to institute AD with Kerberos. We use a 6-digit Symantec VIP token (one-time password) with the password for authentication.

I tried to follow "Can OOD auth be handled by PAM?" for PAM authentication, but no luck. The plain Apache with pwauth and auth_external works fine ("CentOS 7 : Apache httpd : Basic Auth+PAM : Server World"), even the pwauth on the command line works, but not for ood. I also followed the PAM mode in the previous thread, and I always get an authentication failure, password mismatch, in the error_ssl.log.

Any thoughts will be highly appreciated.

@jeff.ohrstrom Would you be available to take a look? Thanks very much.

Hi, sorry, I don’t believe I’m familiar enough with VIP tokens. But I’d suggest this: remove OOD from the equation. It seems that it’s an issue to set up Apache in this way?

I’d say start as simple as you can, just 1 Location that requires authentication with a hello world HTML file that you’re trying to navigate to. Turn up debug logs on Apache and see if you can get it to work in this very simple case. If you can get that, then you can move on to configuring OOD with these auth settings.

That would be my suggestion: start very, extremely simple and get that working, then add OOD into the mix. Are there other Apache deployments at your HPC site that use this authentication mechanism?
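A minimal test setup of the kind suggested above, as an added example that is not from the thread or from the OOD project. It assumes the EPEL packages for pwauth and mod_authnz_external on CentOS 7; the `/authtest` URL, the `/var/www/authtest` directory and the `/usr/bin/pwauth` path are assumptions to adjust for the site.

```apache
# Added example; every path and name here is an assumption.
# mod_authnz_external is assumed to be loaded already by its package config.

# Register pwauth as an external authenticator. With the "pipe" method the
# user name and password are written to pwauth's stdin, so they never show
# up in the process list or environment.
DefineExternalAuth pwauth pipe /usr/bin/pwauth

# Verbose logging while testing; turn it back down afterwards, since debug
# output on a production vhost is noisy.
LogLevel debug

# One static page behind one protected Location, nothing else.
# /var/www/authtest/index.html is a hand-made hello-world file.
Alias /authtest /var/www/authtest

<Location "/authtest">
    AuthType Basic
    AuthName "pwauth test"
    AuthBasicProvider external
    AuthExternal pwauth
    Require valid-user
</Location>
```

Serve this only over TLS, because Basic auth sends the password and token on every request. After `apachectl configtest` and a reload, request `/authtest/` and read the error log for what the external authenticator returned.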

Yes. We are using the auth_external with pwauth for quite a few webpages of our own, all worked.
I tested the same syntax, or referred to the solutions in "Can OOD auth be handled by PAM?", no luck for OOD. Checked the Apache24 config from the update-ood-portal and don’t see a problem there.

Well, I guess then the question would become: what’s the difference? You have auth lines that work for your current web pages, so what’s the difference between one of those conf files and the ood-portal.conf that gets generated by update_ood_portal?