joe-gaechter
PAM Agent on RHEL8 Systems attached to AD and SecurID

Dear all,
We use the PAM Agent with RSA SecurID on OL7 systems with local Linux users (works fine).
Now we are building up a new environment with RHEL8 systems which are attached to an AD (over sssd).
Does the PAM Agent support such an environment?
Users in AD and RSA SecurID login over ssh?

Many thanks in advance.

Regards,
Joe

Accepted Solutions
EricaChalfin
Moderator

@joe-gaechter,

Thank you for your question about the PAM agent. I've moved your post to the SecurID community where it will be seen by members of our Support, Professional Services and Engineering teams, as well as by other SecurID users.

What you are asking about is module stacking. If the agent is working for your local users then we are not responsible for getting stacking to work as we do not support the AD portion of your question. PAM and AM are not aware of whether or not RHEL is joined to your AD domain, but you can configure things. For example, 

  • If RHEL needs the UPN for the AD password then you might need your Authentication Manager external identity source to map to UPN and not to samAccountName.
  • If RHEL uses the old format of domain\user ID, you could have the Authentication Manager external identity source mapped to samAccountName and the PAM login could be domain\user ID and you could configure RSAOMIT to drop the prepended domain\ string in front of the user ID.

When the PAM logon is domain\user ID, the whole string is sent to AD; that is, domain\user ID with the AD password, but with the RSAOMIT option so that it sends just the user ID with the passcode to Authentication Manager. See "How to ignore username's NTLM or 'down-level logon name' domain name prefix sent by a RADIUS client or agent in RSA Authentication Manager 8.x" for more information.

Best regards,
Erica
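One way to stack the two modules for sshd on a RHEL8 host that is already joined to AD through sssd, as an added illustration and not configuration from RSA or from this thread. It assumes the RSA PAM agent installs as pam_securid.so, that the authselect sssd profile generated password-auth (which carries pam_sss.so), and that sshd_config has UsePAM yes and ChallengeResponseAuthentication yes so keyboard-interactive prompts reach PAM:

```text
# /etc/pam.d/sshd, auth section only (assumed layout; the account, password
# and session lines stay as authselect wrote them)
#
# Each module collects its own credential, so the user is prompted for the
# SecurID passcode first and then the AD password from pam_sss.so inside
# password-auth. Do not pass use_first_pass to pam_sss.so for this stack:
# the passcode collected by pam_securid.so is not the AD password.
#
# With "required", a failed passcode still leads to the password prompt, so
# the login failure does not reveal which factor was wrong; "requisite"
# would stop the stack at the first failure instead.
auth       required     pam_securid.so
auth       substack     password-auth
auth       include      postlogin
```

The name typed at the ssh prompt is what pam_securid.so forwards to Authentication Manager, so a domain\user ID login is where the RSAOMIT handling described above applies.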


Hi Erica,
Many thanks for the response.
I was able to get it to work on a system which is attached to AD.
I configured it for sshd according to the manual.

Best regards,
Joe