Hi all,
I have been battling nextcloud for the past two weeks and am feeling beyond hopeless at this point. My bosses have given me a series of requirements: Get Nextcloud installed into our network, and integrate Duo onto it. We have individuals we occasionally contract out into SCIFs so Duo needs to play with the hardware tokens as an option for those that can’t push to their phone for 2FA.
As some of you know, nextcloud and duo don’t exactly play well. I’ve seen Chris’ experiment and tried installing it but it doesn’t do anything upon installing the patch. The Login page never prompts for the duo. I assume this is because it’s over a year old and just outdated.
So I tested the TOTP thing and Duo allows me to scan the barcode and use it as a third-party app, but it does not work for the people that need to prompt hardware tokens.
Finally I tried the LDAP proxy solution. I already had LDAP sync working with Nextcloud so figured it’d be the best solution. And it is so close to being the best solution. It auto-pushes with the option to add the hardware token to the password with whichever delimiter I choose (and I tested it and it worked!). I thought it was perfect and I was done, until I started messing with my profile and realized that I started getting Duo prompts about every 5 minutes, which means that Nextcloud LDAP sync is reauthenticating and prompting the Duo authentication. Which also means the SCIF individuals would be kicked off Nextcloud for failure to authenticate after 5 minutes of being logged in since they won’t see the push.
Some people may suggest using another platform in either department. My company is insisting on needing Nextcloud. It is a solution for large data transfers (too large for email) between our contracting companies that doesn’t require them needing accounts into our network. Duo is something we are too far invested into at this point to just start buying some other company’s hardware tokens or to just swap 2FA providers. My company chose to go with them to meet 2FA for NIST reasons prior to me being employed and has it integrated in nearly everything at this point as well as purchasing their hardware tokens…
So here I am, out of options. I can go many paths with this but need help whichever path. I have hit my breaking point and the maximum of my capabilities.
Option 1: I need help installing Chris’ experimental solution. Has someone else gotten his working recently? Am I doing something wrong? Or is it just outdated and doesn’t work on the newer Nextclouds?
Option 2: I keep my current LDAPS solution but somehow fix the Nextcloud/LDAP to not prompt Duo every 5 minutes. Whether it’s stopping Nextcloud from reauthenticating so often, or some kind of cookie state/credential saving so it doesn’t prompt my LDAP server (above my experience/knowledge).
Option 3: something new entirely. One other path I looked into was to edit the Nextcloud configuration to play with Duo. Duo has some documentation on snippets to put into web pages, but I can’t figure out Nextcloud’s code to figure out where to put it.
I could go down any path as long as I get something that works in the end.
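As an added illustration of the "hardware token appended to the password with a delimiter" scheme the post describes for the LDAP proxy path: the snippet below is not code from Duo, Nextcloud or Chris' patch, and the names (`split_credential`, `Credential`, `PASSCODE_RE`) and the policy that a passcode is a 6-8 digit number are my own assumptions. It shows the one decision such a proxy has to make on every bind, namely whether the trailing segment is a token code (verify it as a passcode, no push) or absent (fall back to push), and the edge case a practitioner should care about: a user whose real password contains the delimiter character, which is why the split is on the last occurrence rather than the first.

```python
import re
from typing import NamedTuple, Optional

# Constructed illustration of "password<delimiter>passcode" parsing.
# Not Duo's or Nextcloud's code; names and the OTP format are assumptions.

class Credential(NamedTuple):
    password: str
    passcode: Optional[str]  # None means no token was supplied
    factor: str              # "passcode" or "push"

# Assumption: hardware-token codes are purely numeric, 6 to 8 digits.
PASSCODE_RE = re.compile(r"^[0-9]{6,8}$")


def split_credential(secret: str, delimiter: str = ",") -> Credential:
    """Split a concatenated LDAP bind password into password and passcode.

    Splits on the LAST occurrence of the delimiter so that a password which
    itself contains the delimiter character survives intact. If there is no
    delimiter, or the trailing segment does not look like an OTP, the whole
    string is treated as the password and the second factor falls back to a
    push, which is the behaviour the post describes for phone users.
    """
    if not delimiter:
        raise ValueError("delimiter must be non-empty")
    head, sep, tail = secret.rpartition(delimiter)
    if sep and PASSCODE_RE.match(tail):
        return Credential(password=head, passcode=tail, factor="passcode")
    return Credential(password=secret, passcode=None, factor="push")


if __name__ == "__main__":
    # Constructed sample binds, including a password that contains the delimiter.
    for s in ["hunter2", "hunter2,123456", "pa,ss,word,654321", "hunter2,abc"]:
        print(repr(s), "->", split_credential(s))
```

One consequence worth noting when picking the delimiter: if the proxy only ever sees the concatenated string, a user whose password genuinely ends in `<delimiter><6 digits>` is ambiguous, so choose a delimiter character that the password policy does not allow, or that users are told not to use.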