On Mon, Jan 13, 2020 at 4:55 PM Florian Domain <[email protected]> wrote:
>
> Hi Nikos,
>
> Thanks for your reply.
>
> I did some tests with two users trying to connect at the same time,
> and ocserv is not blocking at username/password/LDAP stages, but only
> when duo has sent its notification to user's device. So as you said,
> it may be a limitation of the duo PAM module.

Interesting. Seeing the log it may be that this module blocks until a
response has been received off-the-line. That means that ocserv's
architecture of co-routines for PAM cannot really accommodate it for
multiple users. The module itself can be changed to ask for a user
confirmation on PIN entry similarly to asking for a password but
accepting any input (inconvenient but it will allow multiple users to
login), or alternatively ocserv's security module could be moved to a
multi-threaded architecture (for PAM only or for all requests).

regards,
Nikos

_______________________________________________
openconnect-devel mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/openconnect-devel
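
The stall discussed in the message above, modelled in Python as an added example (not ocserv or Duo code, and not written by either poster). `PushModule` is a hypothetical stand-in for a PAM module that blocks until an out-of-band approval arrives, `PUSH_WAIT` is a constructed delay, and asyncio tasks stand in for the PAM co-routines; the comparison is between calling the module inside a co-routine and handing it to a worker thread.

```python
import asyncio
import threading
import time
from concurrent.futures import ThreadPoolExecutor

PUSH_WAIT = 0.2  # constructed: seconds a user takes to approve the push

class PushModule:
    """Hypothetical stand-in for a PAM module that blocks on an out-of-band reply."""
    def __init__(self):
        self._lock = threading.Lock()
        self.in_flight = 0
        self.peak = 0  # highest number of logins being processed at once

    def authenticate(self, user):
        with self._lock:
            self.in_flight += 1
            self.peak = max(self.peak, self.in_flight)
        time.sleep(PUSH_WAIT)  # blocks the calling thread until "approved"
        with self._lock:
            self.in_flight -= 1
        return user, True

async def coroutine_auth(module, user):
    # Co-routine model: the call never yields, so every other login stalls.
    return module.authenticate(user)

async def threaded_auth(module, user, pool):
    # Thread model: the blocking call runs on a worker thread instead.
    loop = asyncio.get_running_loop()
    return await loop.run_in_executor(pool, module.authenticate, user)

def run_logins(users, threaded):
    """Return (peak concurrent authentications, elapsed seconds)."""
    module = PushModule()
    async def main():
        with ThreadPoolExecutor(max_workers=len(users)) as pool:
            if threaded:
                jobs = [threaded_auth(module, u, pool) for u in users]
            else:
                jobs = [coroutine_auth(module, u) for u in users]
            return await asyncio.gather(*jobs)
    start = time.monotonic()
    asyncio.run(main())
    return module.peak, time.monotonic() - start

if __name__ == "__main__":
    for mode in (False, True):
        peak, elapsed = run_logins(["alice", "bob"], threaded=mode)
        print(f"threaded={mode}: peak={peak} elapsed={elapsed:.2f}s")
```

With two users, the co-routine run never has more than one authentication in progress and takes about twice `PUSH_WAIT`; the threaded run overlaps both waits.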
