Our institution does not run OpenLDAP as it’s primary directory, nor is AD a primary user directory. (Currently on UnboundID/Ping)
This provides difficulty for implementing a user/group synch for Duo.
I’m curious as to how some Duo Community members are overcoming this issue, as the FAQ ( Synchronizing Users from OpenLDAP | Duo Security ) states: “LDAP variants other than OpenLDAP may require additional configuration or modules to provide the necessary attributes to Duo.” How is this done?
I was also wondering if it would be beneficial/possible to allow for more/better customization for the configuration of the existing OpenLDAP Synch.
Here’s my current idea:
Some LDAP implementations use a variation of the ‘groupOfNames’ objectclass for their groups. Some use groupOfUniqueNames, etc. but any ‘sane’ mechanism would still use a DN reference for their members.
Customization of the following would provide to be useful:
member attribute: member (dn)
name attribute: cn
entrydn (why not use dn?) & entryuuid (wouldn’t this be redundant if you already have a dn?)
a reverse (user based membership) lookup customization. For example, we employ a cn based ‘memberof’ Not that sane, but still unique, as it’s part of the group DN.
Other than that, I’m all ears on suggestions for user/group synch mechanisms for non OpenLDAP directories.