Duo Auth Proxy + AD sync + LDAP filters

We have logically separate offices in our Active Directory such as Office1 and Office2. For phasing in Duo we would like to enable enrollments based on Active Directory sync using “Office1 Users” security group and “Office2 Users” security group. These AD groups currently contain various AD user objects including real users, shared calendars, generic user objects, etc but I only want to sync users that have an employeeID AND mail AD attribute.

I’m using this in the Duo Auth Proxy config file to filter only users that have those attributes:

search_dn=DC=mycompany,DC=com
ldap_filter=(&(ObjectCategory=person)(objectClass=user)(mail=*)(employeeID=*))

Note: asterisk=wildcard… that symbol won’t show in this post

However, when I add “Office1 Users” to the Duo portal settings under Users->Directory Sync->Active Directory->Choose Groups… ALL users in “Office1 Users” get synced, including those without mail or employeeID.

Am I setting the filter wrong in the auth proxy config? Is the wildcard grabbing accounts that have empty values as well?
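To show what the filter in the question actually selects, here is a small evaluator for that LDAP filter run over constructed AD-style objects (an added example, not Duo code or anything from the original post; the sample accounts and the simplified ObjectCategory values are assumptions):

```python
# Minimal evaluator for RFC 4515-style LDAP filters (added illustration, not Duo code);
# it covers only what the filter in this post needs: &, |, !, equality and "attr=*".
from typing import Dict, List
Entry = Dict[str, List[str]]  # attribute -> values; a missing key means "not set"

def _parse(s: str, i: int):
    """Parse one filter component starting at s[i] == '('; return (node, next index)."""
    assert s[i] == "(", "filter component must start with '('"
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        assert s[i] == ")", "unterminated compound filter"
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("presence" if value == "*" else "equals", attr.lower(), value), end + 1

def _eval(node, entry: Entry) -> bool:
    kind = node[0]
    if kind in "&|":
        results = (_eval(k, entry) for k in node[1])
        return all(results) if kind == "&" else any(results)
    if kind == "!":
        return not _eval(node[1][0], entry)
    # AD does not store empty attribute values: an unset attribute is simply absent,
    # so a presence test (attr=*) cannot match a "blank" employeeID or mail.
    values = [v for v in entry.get(node[1], []) if v != ""]
    if kind == "presence":
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)

def matches(ldap_filter: str, entry: Entry) -> bool:
    """True if the entry satisfies the filter; attribute names compare case-insensitively."""
    node, end = _parse(ldap_filter, 0)
    assert end == len(ldap_filter), "trailing characters after filter"
    return _eval(node, {k.lower(): v for k, v in entry.items()})

# Constructed sample objects modelled on the post: a real user, a shared calendar
# (no employeeID) and a generic account (no mail). ObjectCategory is simplified.
FILTER = "(&(ObjectCategory=person)(objectClass=user)(mail=*)(employeeID=*))"
SAMPLE = {
    "jdoe": {"objectCategory": ["person"], "objectClass": ["user"], "mail": ["jdoe@mycompany.com"], "employeeID": ["1001"]},
    "room-a": {"objectCategory": ["person"], "objectClass": ["user"], "mail": ["room-a@mycompany.com"]},
    "svc-backup": {"objectCategory": ["person"], "objectClass": ["user"], "employeeID": ["9001"]},
}

def synced_users() -> List[str]:
    """Names the ad_client filter would keep from SAMPLE; the [cloud] sync ignores this filter."""
    return sorted(n for n, e in SAMPLE.items() if matches(FILTER, e))
```

Running `synced_users()` keeps only `jdoe`: the presence tests drop the objects that lack either attribute, so the wildcard is not the reason extra accounts appear in the sync.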

I am not 100% sure on this but I think you are confusing the sections in the proxy configuration. The AD sync or LDAP sync section is under the Cloud Section and does not provide any LDAP filter methods.

The [cloud] section is a special configuration used only when importing users to Duo via OpenLDAP or Active Directory synchronization. See our AD Sync documentation or OpenLDAP sync documentation to learn more. Only one [cloud] may be present in the configuration file.

I am guessing you are looking at the ad_client section which is used for client integrations when an application leverages Active Directory for authentication.

I would recommend you create new Active Directory groups with correct user objects in the groups for sync.

Thanks for pointing that out; I had made the assumption that the Cloud section was using the ad_client section settings. Unfortunately in the portal I can only configure the Base DN and nothing more in regards to the Directory Sync… I was really hoping to use the existing groups and avoid having to create a new user group per office since we have over 120 offices.