Our institution does not run OpenLDAP as its primary directory, nor is AD a primary user directory. (Currently on UnboundID/Ping)
This provides difficulty for implementing a user/group synch for Duo.
I’m curious as to how some Duo Community members are overcoming this issue, as the FAQ (Synchronizing Users from OpenLDAP | Duo Security) states: “LDAP variants other than OpenLDAP may require additional configuration or modules to provide the necessary attributes to Duo.” How is this done?
I was also wondering if it would be beneficial/possible to allow for more/better customization for the configuration of the existing OpenLDAP Synch.
Here’s my current idea:
Some LDAP implementations use a variation of the ‘groupOfNames’ objectclass for their groups. Some use groupOfUniqueNames, etc. but any ‘sane’ mechanism would still use a DN reference for their members.
Customization of the following would prove to be useful:
objectclass: groupOfNames
member attribute: member (dn)
name attribute: cn
entrydn (why not use dn?) & entryuuid (wouldn’t this be redundant if you already have a dn?)
a reverse (user based membership) lookup customization. For example, we employ a cn based ‘memberof’. Not that sane, but still unique, as it’s part of the group DN.
Other than that, I’m all ears on suggestions for user/group synch mechanisms for non OpenLDAP directories.
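A schema-configurable membership resolver of the kind the post asks for, as an added example (not from the original post and not Duo's sync code): the group objectclass, DN-valued member attribute, name attribute and an optional user-side reverse attribute (a bare cn or a DN) are all parameters, and the directory entries are constructed sample data rather than output from any real directory.

```python
"""Schema-configurable LDAP group membership resolution (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class GroupSchema:
    objectclass: str = "groupOfNames"   # or groupOfUniqueNames, etc.
    member_attr: str = "member"         # DN-valued membership attribute
    name_attr: str = "cn"               # attribute giving the group name
    reverse_attr: Optional[str] = None  # user-side attribute, e.g. "memberOf"
    reverse_is_cn: bool = False         # True if reverse_attr holds a bare cn, not a DN


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: trim whitespace around RDNs, lower-case."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def rdn_value(dn: str) -> str:
    """Value of the leading RDN, e.g. 'admins' for 'cn=admins,ou=groups,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def resolve_groups(entries, schema: GroupSchema) -> dict:
    """entries: iterable of (dn, attrs) where attrs maps attribute -> list of values.
    Returns {group name: set of normalised member DNs}, merging forward links
    (group -> member DN) with reverse links (user -> memberOf) when configured."""
    groups = {}
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if schema.objectclass.lower() in classes:
            name = attrs[schema.name_attr][0]
            members = attrs.get(schema.member_attr, [])
            groups.setdefault(name, set()).update(norm_dn(m) for m in members)
    if schema.reverse_attr:
        for dn, attrs in entries:
            for value in attrs.get(schema.reverse_attr, []):
                name = value if schema.reverse_is_cn else rdn_value(value)
                groups.setdefault(name, set()).add(norm_dn(dn))
    return groups


# Constructed sample entries (hypothetical dc=example,dc=org tree).
SAMPLE_ENTRIES = [
    ("cn=admins,ou=groups,dc=example,dc=org",
     {"objectClass": ["top", "groupOfNames"], "cn": ["admins"],
      "member": ["uid=alice, ou=people, dc=example, dc=org"]}),
    ("uid=alice,ou=people,dc=example,dc=org",
     {"objectClass": ["inetOrgPerson"], "uid": ["alice"]}),
    ("uid=bob,ou=people,dc=example,dc=org",
     {"objectClass": ["inetOrgPerson"], "uid": ["bob"], "memberOf": ["admins"]}),
]

if __name__ == "__main__":
    schema = GroupSchema(reverse_attr="memberOf", reverse_is_cn=True)
    for group, members in resolve_groups(SAMPLE_ENTRIES, schema).items():
        print(group, sorted(members))
```

With the reverse attribute enabled, bob is picked up through his cn-based memberOf value even though the group entry itself only lists alice; switching the schema to groupOfUniqueNames/uniqueMember against the same data yields no groups, which is the mismatch the post describes.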