Auth Proxy is unable to search OUs

Hey all, I’ve been stuck on this for a while. In my config file, if I comment out security_group_dn or ldap_filter, everything comes back as normal on the configuration tool, but it still doesn’t work for my VMware View instances. When I add in either “security_group_dn” or “ldap_filter”, it returns the following message:

[warn]  The LDAP Client section has connectivity problems.
[warn]  The LDAP host clear connection to redacted.domain.com:389 has connectivity problems.
[info]  The Auth Proxy was able to establish a connection to redacted.domain.com:389.
[info]  The Auth Proxy was able to establish an LDAP connection to DC.domain.com:389.
[info]  The Auth Proxy was able to bind as <service_account>.
[error] The Auth Proxy did not get results searching for users in DN DC=AD,DC=domain,DC=com using the filter (&(|(&(objectClass=user)(objectCategory=person))(objectClass=inetOrgPerson)(objectClass=organizationalPerson))(memberOf=OU=Users,OU=User Base,OU=company,DC=AD,DC=domain,DC=com)).  It is likely that Duo would not be able to find specific users during authentication.  Please confirm that DC=AD,DC=domain,DC=com is the correct, fully qualified DN and that users should pass the filter.

I have tried modifying the OUs and trying different OUs, but it all results in the same error. Any chance somebody has run across this? Any assistance or tips would be greatly appreciated!

To add to this in case it’s needed, this is my authproxy.cfg file:

[ad_client]
host=Primary_DC
;host_2=secondary_DC
service_account_username=service_account
service_account_password=service_account_pass
search_dn=DC=AD,DC=Domain,DC=com
;security_group_dn=OU=Users,OU=User Base,OU=Company,DC=AD,DC=Domain,DC=com
port=389

[radius_server_challenge]
ikey=ikey
skey=skey
api_host=■■■■■■■■■■■■■■■■■■■■■■■■
radius_ip_1=IP_of_view_server
radius_ip_2=IP_of_view_server_2
radius_secret_1=secret
radius_secret_2=secret
failmode=safe
client=ad_client
port=1812

Hi,

Maybe you did this check, but I just want to be sure that you are addressing exactly a security group in your AD and that the users are not members of a nested group. When I first made this mistake, the configuration tool didn’t give me a warning either.

Hey there!

Thanks for the tip; unfortunately, it didn’t work. I just tried pointing it to a security group that every user in the company is in, and the configuration tool gave no errors, but the Horizon logon screen still hangs (it should prompt for Duo), and it usually hangs for ~1-3 minutes before saying access denied.

At first, I had it pointed to an OU for users, then seeing your security group concern, I changed it to the security group and am getting the same results.

So, OU=Users,OU=User Base,OU=Company,DC=AD,DC=Domain,DC=com is not the DN of a group; it is the DN of an OU. As suggested by the parameter’s name security_group_dn, that should be the DN of a security group (for example, if you had a group named “Duo Users” in the “Users” OU, the DN of that security group would be CN=Duo Users,OU=Users,OU=User Base,OU=Company,DC=AD,DC=Domain,DC=com).

From the Authentication Proxy ad_client option documentation:

security_group_dn: To further restrict access, specify the LDAP distinguished name (DN) of a security group …

It failed with ldap_filter set to the same thing because again, that is not the DN of a security group and no objects are “members” of an OU as defined by the LDAP spec.

Do you actually want to restrict Duo auth to only the members of a group? Any users who are not members of the group get rejected at login. If that is not what you want, I suggest you don’t set that at all.

If you still have login issues without security_group_dn set or when it is correctly set to the DN of a security group and not an OU, I suggest you enable debug logging and take a look at authproxy.log to see what’s happening.

ETA: another idea… You use the example base DN DC=AD,DC=Domain,DC=com, implying that the domain you’re pointing to is ad.domain.com, a child domain in the domain.com forest. Are all your users in ad.domain.com, or might some actually be in domain.com or someotherdomainintheforest.domain.com? The Duo proxy can’t follow LDAP referrals to other domains in the forest. If you need to auth users across multiple domains in a forest, then use the global catalog port instead.
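Added example, not from the thread and not Duo’s code: a small stdlib-only Python check that parses the [ad_client] section of an authproxy.cfg, rebuilds the user filter the proxy logged above from the fixed part of that filter plus the memberOf clause, and flags a security_group_dn whose leading RDN is OU= rather than CN= before the config is deployed. The sample config inside it is constructed from the poster’s values.

```python
"""Pre-deployment check for [ad_client] in authproxy.cfg: the proxy appends
(memberOf=<security_group_dn>) to its user filter, so the value must be a group
DN (leading RDN CN=), never an OU; nothing is a 'member' of an OU. Not Duo's code."""
import configparser
import re

# Fixed part of the user filter, copied from the proxy's error line in the thread.
USER_FILTER = ("(|(&(objectClass=user)(objectCategory=person))"
               "(objectClass=inetOrgPerson)(objectClass=organizationalPerson))")

# Constructed sample modelled on the poster's [ad_client], OU mistake included.
SAMPLE_CFG = """[ad_client]
host=Primary_DC
search_dn=DC=AD,DC=Domain,DC=com
security_group_dn=OU=Users,OU=User Base,OU=Company,DC=AD,DC=Domain,DC=com
"""

def leading_rdn(dn):
    """Return (attribute, value) of the first RDN; escaped commas ('\\,') do not split."""
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = first.partition("=")
    return attr.strip().lower(), value.strip()

def build_user_filter(security_group_dn=None):
    """Reproduce the filter the proxy logs, adding the memberOf clause when set."""
    if security_group_dn:
        return f"(&{USER_FILTER}(memberOf={security_group_dn}))"
    return USER_FILTER

def check_security_group_dn(dn):
    """Return a finding string if dn cannot name a group, else None."""
    attr, _ = leading_rdn(dn)
    if attr == "ou":
        return f"security_group_dn={dn} is an OU; memberOf=<OU> matches no user"
    if attr != "cn":
        return f"security_group_dn={dn}: a group DN starts with CN=, not {attr.upper()}="
    return None

def check_ad_client(cfg_text):
    """Parse authproxy.cfg text and return the list of findings for [ad_client]."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    group_dn = cfg["ad_client"].get("security_group_dn")
    finding = check_security_group_dn(group_dn) if group_dn else None
    return [finding] if finding else []

if __name__ == "__main__":
    print(check_ad_client(SAMPLE_CFG))
```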
