Hello,
I am trying to sync an OpenLDAP directory user via the Admin API's syncuser call with the username parameter:
‘https://■■■■■■■■■■■■■■■■■■/admin/v1/users/directorysync/.../syncuser?username=q001aa’
The value for the username attribute in the source directory (OpenLDAP) is set in the duo-authproxy config as
username_attribute=uid
The OpenLDAP directory holds only 1 user with this uid.
In the Duo user directory the user is active and works fine for 2FA:
{
  "response": [
    {
      "alias1": null,
      "alias2": null,
      "alias3": null,
      "alias4": null,
      "aliases": {},
      ...
      "username": "q001aa",
      ...
    }
  ],
  "stat": "OK"
}
I have read Knowledge Base | Duo Security
and all checks seem to pass:
Open your Directory Sync configuration page and confirm which attributes you are including during the sync.
ok
Open the directory that you are syncing to Duo and check the values of these synced attributes for each user that is failing to sync.
ok
Check your Duo users and their configured aliases to verify whether other users contain these attribute values already.
ok.
There is only 1 user ‘q001aa’ in the Duo all users CSV export.
But a sync call aborts with:
{
  "code": 40401,
  "message": "Resource not found",
  "message_detail": "Error syncing user q001aa: Unable to sync user \"q001aa\" because the username or an alias is the same as the username or alias of another user.",
  "stat": "FAIL"
}
Any idea where I took the wrong path?
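
The third check quoted in the post (whether another Duo user already holds the same username or alias), as an added example that is not part of the original post and not Duo's own code: it scans a user list with the fields shown in the response above. Every sample record other than `q001aa` is constructed, and the trimmed, case-insensitive comparison is an assumption of this example, not documented Duo behaviour.

```python
import json

ALIAS_FIELDS = ("alias1", "alias2", "alias3", "alias4")

# Constructed sample in the shape of the response above; only q001aa is from the post.
SAMPLE_USERS = json.loads("""[
 {"username": "q001aa", "alias1": null, "alias2": null, "alias3": null,
  "alias4": null, "aliases": {}},
 {"username": "svc-backup", "alias1": "Q001AA", "alias2": null, "alias3": null,
  "alias4": null, "aliases": {"alias1": "Q001AA"}},
 {"username": "q001ab", "alias1": null, "alias2": null, "alias3": null,
  "alias4": null, "aliases": {}}
]""")


def identifiers(user):
    """Return (field, value) pairs for the username and every non-empty alias."""
    fields = {name: user.get(name) for name in ALIAS_FIELDS}
    fields.update(user.get("aliases") or {})  # same data, keyed by alias name
    pairs = [("username", user.get("username"))] + sorted(fields.items())
    return [(f, v) for f, v in pairs if v]


def norm(value):
    # Assumption: trim and case-fold so near-identical values are reported too.
    return value.strip().casefold()


def find_conflicts(incoming, duo_users):
    """List other Duo records holding any identifier the sync would write."""
    wanted = {norm(v): f for f, v in identifiers(incoming)}
    hits = []
    for user in duo_users:
        if user.get("username") == incoming["username"]:
            continue  # this is the record the sync would update
        for field, value in identifiers(user):
            if norm(value) in wanted:
                hits.append((user["username"], field, value, wanted[norm(value)]))
    return hits


if __name__ == "__main__":
    for owner, field, value, clash in find_conflicts({"username": "q001aa"}, SAMPLE_USERS):
        print(f"{owner}: {field}={value!r} collides with incoming {clash}")
```

`incoming` stands for the attribute values the directory would send for the user being synced; pass any alias attributes included in the sync alongside `username`.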