Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3101
Views
0
Helpful
2
Replies

Duo Auth Proxy + AD sync + LDAP filters

BusterDoney
Level 1
Level 1

‎04-22-2019 07:10 AM

We have logically separate offices in our Active Directory such as Office1 and Office2. For phasing in Duo we would like to enable enrollments based on Active Directory sync using “Office1 Users” security group and “Office2 Users” security group. These AD groups currently contain various AD user objects including real users, shared calendars, generic user objects, etc but I only want to sync users that have an employeeID AND mail AD attribute.

I’m using this in the Duo Auth Proxy config file to filter only users that have those attributes:

search_dn=DC=mycompany,DC=com
ldap_filter=(&(ObjectCategory=person)(objectClass=user)(mail=asterix)(employeeID=asterix))

Note: asterix=wildcard… that symbol won’t show in this post

However, when I add “Office1 Users” to the Duo portal settings under Users->Directory Sync->Active Directory-> Choose Groups… ALL users in “Office1 Users” get synced including those without mail or emplyeeID.

Am I setting the filter wrong on the auth proxy config? is the wildcard grabbing accounts that have empty values as well?

Labels:
0 Helpful
2 Replies 2

Toto_Tamberine
Level 1
Level 1

‎04-22-2019 09:39 AM

I am not 100% sure on this but I think you are confusing the sections in the proxy configuration. The AD sync or LDAP sync section is under the Cloud Section and does not provide any LDAP filter methods.

The [cloud] section is a special configuration used only when importing users to Duo via OpenLDAP or Active Directory synchronization. See our AD Sync documentation or OpenLDAP sync documentation to learn more. Only one [cloud] may be present in the configuration file.

I am guessing you are looking at the ad_client section which is used for client integrations when an application leverages Active Directory for authentication.

I would recommend you create new Active Directory groups with correct user objects in the groups for sync.

0 Helpful

BusterDoney
Level 1
Level 1
In response to Toto_Tamberine

‎04-22-2019 11:30 AM

Thanks for pointing that out; I had made the assumption that the Cloud section was using the ad_client section settings. Unfortunately in the portal I can only configure the Base DN and nothing more in regards to the Directory Sync… I was really hoping to use the existing groups and avoid having to create a new user group per office since we have over 120 offices.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents