Auth Proxy is unable to search OUs

Hey all, I’ve been stuck on this for a while. In my config file, if I comment out security_group_dn or ldap_filter, everything comes back as normal on the configuration tool, but it still doesn’t work for my VMware View instances. When I add in either “security_group_dn” or “ldap_filter”, it returns the following message:

[warn]  The LDAP Client section has connectivity problems.
[warn]  The LDAP host clear connection to has connectivity problems.
[info]  The Auth Proxy was able to establish a connection to
[info]  The Auth Proxy was able to establish an LDAP connection to
[info]  The Auth Proxy was able to bind as <service_account>.
[error] The Auth Proxy did not get results searching for users in DN DC=AD,DC=domain,DC=com using the filter (&(|(&(objectClass=user)(objectCategory=person))(objectClass=inetOrgPerson)(objectClass=organizationalPerson))(memberOf=OU=Users,OU=User Base,OU=company,DC=AD,DC=domain,DC=com)).  It is likely that Duo would not be able to find specific users during authentication.  Please confirm that DC=AD,DC=domain,DC=com is the correct, fully qualified DN and that users should pass the filter.

I have tried modifying the OUs and trying different OUs, but it all results in the same error. Any chance somebody has run across this? Any assistance or tips would be greatly appreciated!

To add to this in case it’s needed, this is my authproxy.cfg file:

;security_group_dn=OU=Users,OU=User Base,OU=Company,DC=AD,DC=Domain,DC=com



Maybe you did this check, but I just want to be sure that you are exactly addressing a security group in your AD and that the users are not members of a nested group. When I first made this mistake, the configuration tool didn’t give me a warning either.

Hey there!

Thanks for the tip, unfortunately it didn’t work. I just tried pointing it to a security group that every user in the company is in, and the configuration tool gave no errors, but the Horizon logon screen still hangs (it should prompt for Duo), and it usually hangs for ~1-3 minutes before saying access denied.

At first, I had it pointed to an OU for users, then seeing your security group concern, I changed it to the security group and am getting the same results.

So, OU=Users,OU=User Base,OU=Company,DC=AD,DC=Domain,DC=com is not the DN of a group, it is the DN of an OU. As suggested by the parameter’s name security_group_dn, that should be the DN of a security group (for example, if you had a group named “Duo Users” in the “Users” OU, the DN of that security group would be CN=Duo Users,OU=Users,OU=User Base,OU=Company,DC=AD,DC=Domain,DC=com).

From the Authentication Proxy ad_client option documentation:

security_group_dn: To further restrict access, specify the LDAP distinguished name (DN) of a security group …

It failed with ldap_filter set to the same thing because again, that is not the DN of a security group and no objects are “members” of an OU as defined by the LDAP spec.

Do you actually want to restrict Duo auth to only the members of a group? Any users not members of the group get rejected at login. If that is not what you want I suggest you don’t set that at all.

If you still have login issues without security_group_dn set or when it is correctly set to the DN of a security group and not an OU, I suggest you enable debug logging and take a look at authproxy.log to see what’s happening.

ETA another idea… You use the example base DN DC=AD,DC=Domain,DC=com, implying that the domain you’re pointing to is a child domain in the forest. Are all your users in, or might some actually be in or ? The Duo proxy can’t follow LDAP referrals to other domains in the forest. If you need to auth users across multiple domains in a forest then use the global catalog port instead.

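To make the OU-versus-group point concrete, here is an added example (not code from the thread or from Duo) that models, in memory, the search the Authentication Proxy runs: Duo's default user filter AND'ed with memberOf=&lt;security_group_dn&gt;. The directory entries, names and DNs are constructed for illustration, and objectCategory is simplified to the short name "person" rather than the schema DN AD actually stores.

```python
# Constructed toy directory: an OU, a security group inside it, and one user.
BASE_DN = "DC=AD,DC=Domain,DC=com"
OU_DN = "OU=Users,OU=User Base,OU=Company," + BASE_DN
GROUP_DN = "CN=Duo Users," + OU_DN
ALICE_DN = "CN=Alice," + OU_DN

DIRECTORY = [
    {"dn": OU_DN, "objectClass": ["top", "organizationalUnit"]},
    {"dn": GROUP_DN, "objectClass": ["top", "group"], "member": [ALICE_DN]},
    {"dn": ALICE_DN,
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "person",  # simplified; AD stores the schema DN here
     # memberOf lists *groups* only; the OU that contains Alice never appears
     "memberOf": [GROUP_DN, "CN=Domain Users,CN=Users," + BASE_DN]},
]

USER_CLASSES = {"inetorgperson", "organizationalperson"}


def first_rdn_attr(dn: str) -> str:
    """Attribute type of the leftmost RDN: 'CN' for a group, 'OU' for an OU."""
    return dn.split("=", 1)[0].strip().upper()


def dn_equal(a: str, b: str) -> bool:
    """AD DNs compare case-insensitively; ignore whitespace after commas."""
    def norm(d: str) -> str:
        return ",".join(part.strip().lower() for part in d.split(","))
    return norm(a) == norm(b)


def is_user(entry: dict) -> bool:
    """Duo's default user filter:
    (|(&(objectClass=user)(objectCategory=person))
      (objectClass=inetOrgPerson)(objectClass=organizationalPerson))"""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    category = entry.get("objectCategory", "").lower()
    return ("user" in classes and category == "person") or bool(classes & USER_CLASSES)


def search_users(directory: list, base_dn: str, security_group_dn: str) -> list:
    """DNs of user entries under base_dn satisfying memberOf=security_group_dn."""
    return [
        e["dn"] for e in directory
        if e["dn"].lower().endswith(base_dn.lower())  # subtree scope under base_dn
        and is_user(e)
        and any(dn_equal(g, security_group_dn) for g in e.get("memberOf", []))
    ]
```

Searching with OU_DN returns nothing (the OU is never in anyone's memberOf), while GROUP_DN returns Alice, which is exactly the "did not get results" outcome the configuration tool reported.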