We have logically separate offices in our Active Directory such as Office1 and Office2. For phasing in Duo we would like to enable enrollments based on Active Directory sync using the “Office1 Users” security group and the “Office2 Users” security group. These AD groups currently contain various AD user objects including real users, shared calendars, generic user objects, etc., but I only want to sync users that have an employeeID AND mail AD attribute.
I’m using this in the Duo Auth Proxy config file to filter only users that have those attributes:
Note: asterisk=wildcard… that symbol won’t show in this post
However, when I add “Office1 Users” to the Duo portal settings under Users->Directory Sync->Active Directory->Choose Groups… ALL users in “Office1 Users” get synced, including those without mail or employeeID.
Am I setting the filter wrong in the auth proxy config? Is the wildcard grabbing accounts that have empty values as well?