Auth Proxy and AD Group Membership not Working

I’m trying to get the security_group_dn portion of the auth proxy working, but as soon as I add it, my test user stops working. My AD configuration is very simple, but I’ve also tried adding an OU with a group under it and that does not work either. I’m connecting/testing via a SonicWall TZ.

Here is what I use:
Security Group under the Users OU called “VPNUsers”
search_dn=DC=mydomain,DC=local

I’ve tried all of the following:
security_group_dn=CN=VPNUsers,OU=Users,DC=mydomain,DC=local
security_group_dn=CN=VPNUsers,OU=Groups,DC=mydomain,DC=local - per the example, but assumed groups was not needed
security_group_dn=CN=VPNUsers,DC=mydomain,DC=local

I then created a “Security Groups” OU and a group under that called “VPN Users” and tried the below.
security_group_dn="CN=VPN Users,OU=Security Groups,DC=mydomain,DC=local"

If I remove the security_group_dn line, auth happens perfectly, I get the push etc.

The DN you specify for the value of security_group_dn should be the actual DN of the group whose members you want to permit access, whatever it actually is. If the VPNUsers group was not in a Groups OU, you would not add OU=Groups to the group’s DN.

security_group_dn=CN=VPNUsers,OU=Users,DC=mydomain,DC=local = the VPNUsers group is in the default Users container at the root of the domain.

security_group_dn=CN=VPNUsers,OU=Groups,DC=mydomain,DC=local = the VPNUsers group is in a Groups OU at the root of the domain.

security_group_dn=CN=VPNUsers,DC=mydomain,DC=local = the VPNUsers group is at the root of the domain, not within a named OU or container.

Is your test user a direct member of the VPNUsers or VPN Users group (whichever group DN you specified)? Take a look at the authentication proxy log to see what is happening, enabling debug logging and trying to auth as the test user again for even more information.

This is what debug tells me. Basically says it can’t find it. I’m looking right at it in AD Users and Computers, even copy/pasted to make sure I wasn’t typing it incorrectly etc.

2021-06-24T14:13:43.803579-0400 [_ADAuthClientProtocol (TLSMemoryBIOProtocol),client] C->S LDAPMessage(id=3, value=LDAPSearchRequest(baseObject='CN=VPNUsers,OU=Users,DC=mydomain,DC=local', scope=0, derefAliases=0, sizeLimit=1, timeLimit=0, typesOnly=0, filter=LDAPFilter_present(value='objectClass'), attributes=('objectsid',)), controls=None)
2021-06-24T14:13:43.819178-0400 [_ADAuthClientProtocol (TLSMemoryBIOProtocol),client] C<-S LDAPMessage(id=3, value=LDAPSearchResultDone(resultCode=32, matchedDN='DC=mydomain,DC=local', errorMessage="0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=mydomain,DC=local'\n\x00"), controls=None)
2021-06-24T14:13:43.819178-0400 [duoauthproxy.lib.log#info] Tried to search security group DN for object sid but it could not be found. Falling back to just checking memberOf. Error: CN=VPNUsers,OU=Users,DC=mydomain,DC=local could not be found

So I did get this working, but not how I really want it to.

Everywhere I searched, anytime the OU or CN etc. had a space, the config file had the string in quotes. I removed the quotes to get the line below, and now it’s working. I remove the user from the group, auth fails. I add the user to the group, auth succeeds.

security_group_dn=CN=VPN Users,OU=Security Groups,DC=mydomain,DC=local

So I did get this working

Good! Yes, no quotes needed in the DN; if your log output had reflected this I could have called that out.

but not how I really want it to…
I remove user from the group, auth fails. I add user to group, auth success.

This is exactly what it is supposed to do.

Yeah, this is what I want it to do. I just wanted to not have to use a separate OU with a security group under it. For some reason, it will not validate group membership if the group is under the Built-In Users OU. I tried everything including copying the DN directly from the ldp program on my domain controller.

it will not validate group membership if the group is under the Built-In Users OU

This isn’t expected and I just verified that it works (I created the group group in the Users container).

2021-06-24T19:53:42.757778+0000 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=6, value=LDAPSearchRequest(baseObject='CN=group,CN=Users,DC=acme,DC=local', scope=0, derefAliases=0, sizeLimit=1, timeLimit=0, typesOnly=0, filter=LDAPFilter_present(value='objectClass'), attributes=('objectsid',)), controls=None)
2021-06-24T19:53:42.757778+0000 [duoauthproxy.lib.log#info] Got signature length 60
2021-06-24T19:53:42.757778+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=6, value=LDAPSearchResultEntry(objectName='CN=group,CN=Users,DC=acme,DC=local', attributes=[('objectSid', [b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00]A\x92\xe7\xda^\x8f\x963cd:w\xb6\x00\x00'])]), controls=None)
2021-06-24T19:53:42.757778+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=6, value=LDAPSearchResultDone(resultCode=0), controls=None)

When I did that with CN=VPNUsers,CN=Users it was allowing auth no matter if they were in the VPNUsers group or not. I assume it’s matching on Users.

Hmm, I would suggest you look at your config again because it works as I expect when I try a user not in the group and the group located in the built-in Users container.

I took myself (kristina) out of my group group and am denied as expected (no search result when it tries to match on memberof).

2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=11, value=LDAPSearchRequest(baseObject='CN=group,CN=Users,DC=acme,DC=corp', scope=0, derefAliases=0, sizeLimit=1, timeLimit=0, typesOnly=0, filter=LDAPFilter_present(value='objectClass'), attributes=('objectsid',)), controls=None)
2021-06-24T19:58:49.038006+0000 [duoauthproxy.lib.log#info] Got signature length 60
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=11, value=LDAPSearchResultEntry(objectName='CN=group,CN=Users,DC=acme,DC=corp', attributes=[('objectSid', [b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00]A\x92\xe7\xda^\x8f\x963cd:w\xb6\x00\x00'])]), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=11, value=LDAPSearchResultDone(resultCode=0), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=12, value=LDAPSearchRequest(baseObject='dc=acme,dc=corp', scope=2, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_or(value=[LDAPFilter_equalityMatch(attributeDesc=LDAPAttributeDescription(value='sAMAccountName'), assertionValue=LDAPAssertionValue(value='kristina'))]), LDAPFilter_or(value=[LDAPFilter_equalityMatch(attributeDesc=LDAPAttributeDescription(value='memberof'), assertionValue=LDAPAssertionValue(value='CN=group,CN=Users,DC=acme,DC=corp')), LDAPFilter_equalityMatch(attributeDesc=LDAPAttributeDescription(value='primarygroupid'), assertionValue=LDAPAssertionValue(value='46711'))]), LDAPFilter_or(value=[LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=LDAPAttributeDescription(value='objectClass'), assertionValue=LDAPAssertionValue(value='user')), LDAPFilter_equalityMatch(attributeDesc=LDAPAttributeDescription(value='objectCategory'), assertionValue=LDAPAssertionValue(value='person'))]), LDAPFilter_equalityMatch(attributeDesc=LDAPAttributeDescription(value='objectClass'), assertionValue=LDAPAssertionValue(value='inetOrgPerson')), LDAPFilter_equalityMatch(attributeDesc=LDAPAttributeDescription(value='objectClass'), assertionValue=LDAPAssertionValue(value='organizationalPerson'))])]), attributes=('msds-PrincipalName',)), controls=None)
2021-06-24T19:58:49.038006+0000 [duoauthproxy.lib.log#info] Got signature length 60
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=12, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://ForestDnsZones.acme.corp/DC=ForestDnsZones,DC=acme,DC=corp')]), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=12, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://DomainDnsZones.acme.corp/DC=DomainDnsZones,DC=acme,DC=corp')]), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=12, value=LDAPSearchResultReference(uris=[LDAPString(value='ldap://acme.corp/CN=Configuration,DC=acme,DC=corp')]), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=12, value=LDAPSearchResultDone(resultCode=0), controls=None)
2021-06-24T19:58:49.038006+0000 [duoauthproxy.lib.log#error] Could not find user with username: kristina. It's possible this user does not exist or did not match your configured security filters.

Also might be worth pointing out that the group DN in the example log output you shared isn’t valid:

value=LDAPSearchRequest(baseObject=‘CN=VPNUsers,OU=Users,DC=mydomain,DC=local’,

It should have been CN=Users and not OU=Users if this is intended to be the AD built-in Users container.
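The debug output in this thread shows the two LDAP operations the proxy performs for security_group_dn: a base-scope search of the group DN for its objectSid (which fails with resultCode 32, NO_OBJECT, when the DN is wrong or quoted), followed by a subtree search for the user that requires either memberOf=group DN or primaryGroupID=the group's RID. The script below is an added example, not Duo's code, that models those two steps against a small constructed in-memory directory so the three failure modes discussed here (OU=Users instead of CN=Users, quotes around the value, user simply not in the group) can be reproduced offline. The directory contents, account names and SIDs are made up, and check_dn_syntax is a pre-flight lint I added for config review; the proxy itself does not perform it.

```python
import re

# Constructed in-memory stand-in for AD: DN -> attributes.
# Every DN, account and SID here is made up for this example.
DIRECTORY = {
    "CN=VPNUsers,CN=Users,DC=mydomain,DC=local": {
        "objectClass": ["group"],
        "objectSid": "S-1-5-21-1111-2222-3333-1105",   # RID 1105
    },
    "CN=alice,CN=Users,DC=mydomain,DC=local": {        # direct member
        "objectClass": ["user"], "objectCategory": ["person"],
        "sAMAccountName": ["alice"],
        "memberOf": ["CN=VPNUsers,CN=Users,DC=mydomain,DC=local"],
        "primaryGroupID": ["513"],
    },
    "CN=bob,CN=Users,DC=mydomain,DC=local": {          # not a member
        "objectClass": ["user"], "objectCategory": ["person"],
        "sAMAccountName": ["bob"],
        "memberOf": [],
        "primaryGroupID": ["513"],
    },
    "CN=carol,CN=Users,DC=mydomain,DC=local": {        # VPNUsers is her primary group,
        "objectClass": ["user"], "objectCategory": ["person"],  # so AD omits it from memberOf
        "sAMAccountName": ["carol"],
        "memberOf": [],
        "primaryGroupID": ["1105"],
    },
}


def normalize_dn(dn):
    """DNs compare case-insensitively; whitespace around commas is ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_dn_syntax(dn):
    """Pre-flight lint for a security_group_dn value (added here, not proxy
    behaviour). Returns a list of problems; empty means it looks sane."""
    problems = []
    if dn[:1] in ('"', "'") or dn[-1:] in ('"', "'"):
        # The mistake from the thread: quotes are sent to AD as part of the DN.
        problems.append("value is wrapped in quotes; remove them")
    for rdn in dn.strip("\"'").split(","):
        if not re.fullmatch(r"\s*[A-Za-z][A-Za-z0-9-]*=.+", rdn):
            problems.append(f"malformed RDN: {rdn!r}")
    return problems


def lookup_group_rid(group_dn):
    """Step 1: base-scope search (scope=0) of the group DN for objectSid.
    Returns the RID, or None, which corresponds to resultCode 32 NO_OBJECT."""
    target = normalize_dn(group_dn)
    for dn, attrs in DIRECTORY.items():
        if normalize_dn(dn) == target and "group" in attrs["objectClass"]:
            return attrs["objectSid"].rsplit("-", 1)[1]
    return None


def is_person(attrs):
    """The objectClass/objectCategory part of the user filter in the log."""
    oc = attrs["objectClass"]
    return (("user" in oc and "person" in attrs.get("objectCategory", []))
            or "inetOrgPerson" in oc or "organizationalPerson" in oc)


def find_user(username, group_dn, rid):
    """Step 2: subtree search with the filter from the log:
    (sAMAccountName=u) AND (memberOf=group OR primaryGroupID=rid) AND person."""
    target = normalize_dn(group_dn)
    for dn, attrs in DIRECTORY.items():
        names = [n.lower() for n in attrs.get("sAMAccountName", [])]
        if username.lower() not in names:
            continue
        in_group = any(normalize_dn(m) == target for m in attrs.get("memberOf", []))
        primary = rid is not None and rid in attrs.get("primaryGroupID", [])
        if (in_group or primary) and is_person(attrs):
            return dn
    return None


def authorize(username, group_dn):
    """Return (allowed, reason) mirroring the proxy's log messages."""
    rid = lookup_group_rid(group_dn)
    note = ""
    if rid is None:
        # Same fallback the log describes: no SID, so only memberOf can match.
        note = "group DN not found (NO_OBJECT), falling back to memberOf only; "
    dn = find_user(username, group_dn, rid)
    if dn is None:
        return False, note + f"could not find user {username} matching security filters"
    return True, note + f"matched {dn}"


if __name__ == "__main__":
    good = "CN=VPNUsers,CN=Users,DC=mydomain,DC=local"
    for user in ("alice", "bob", "carol"):
        print(user, authorize(user, good))
    print("OU=Users:", authorize("alice", "CN=VPNUsers,OU=Users,DC=mydomain,DC=local"))
    print("lint:", check_dn_syntax('"CN=VPN Users,OU=Security Groups,DC=mydomain,DC=local"'))
```

Running it shows why the OU=Users DN and the quoted DN both end in a denial even for a real member: step 1 never finds the group, and the memberOf fallback compares against a string that no user's memberOf attribute contains. The carol case is the reason the proxy also matches on primaryGroupID: AD does not list a user's primary group in memberOf.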

Correct, I found this out when copying the data from ldp on my domain controller. I’ll give it another shot and report back.

OK, cool. You can also see the distinguishedName attribute value from ADUC on the object’s properties Attribute Editor tab if you go to View > Advanced Features (if you get tired of switching between ADUC and LDP).

So things are working as expected now. I’m not exactly sure what it was that was blocking it, but it’s fixed and I can copy/reproduce this now without much effort. Thanks for the sanity check and assistance.

Glad you got it working!