Duo Auth Proxy - LDAP issues, can't find users even with the test tool

Hi,

I'm currently struggling to get the Auth Proxy working at all.

We have it configured to talk to AD and it can bind fine.
I run the test tool and the error that comes up is that the “Auth proxy did not get results searching for users in the DN”.

The DN is 100% correct and I've tried multiple other ones I know work on other systems.
The group has users in it like any other group.

Wireshark shows the LDAP query working fine, but no results.

What on earth is going on? Am I missing something critical here?

The configuration is identical to what's described on

Anyone else had issues like this?

The group has users in it like any other group.

Did you set the base DN to the DN of a group? That would be a problem, because while a group contains users, the actual user objects are not stored under the group object in the LDAP hierarchy. You should set the base DN to a level that is above both the group of Duo users and the actual users that are members of the group.

- domain.local
--- People
------ bob
--- Groups
------ bobgroup

So in that example, if the DN was set to cn=bobgroup,ou=Groups,dc=domain,dc=local it would not be able to locate the user object bob, since it’s located in ou=People,dc=domain,dc=local.

Does that help, or did I read too much into your mention of the group?
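The scope problem described in the reply can be checked without touching a domain controller. The following is an added example, not code from Duo or from anyone in this thread: it parses a constructed `authproxy.cfg`-style `[ad_client]` section and tests whether the configured `search_dn` actually sits above both the user objects and the group. The key names (`search_dn`, `security_group_dn`, `host`, `service_account_username`, `service_account_password`) are the ones Duo documents for `ad_client`; the host, account, DNs and the `check_ad_client`/`dn_in_subtree` helpers are made up for illustration and mirror the bob/bobgroup tree drawn above.

```python
"""Check whether an [ad_client] search_dn covers the objects the Auth Proxy
must find. Added example; not Duo's code. Config text, hostnames, account
names and DNs are constructed for illustration."""

import configparser
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, leaf first.

    Backslash-escaped commas inside values (e.g. "cn=Smith\\, Bob") are kept
    as part of the value. Attribute types are case-insensitive (RFC 4514) and
    Active Directory compares values case-insensitively, so both are
    lower-cased for comparison."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def dn_in_subtree(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn itself or lies anywhere beneath it.

    A subtree search rooted at base_dn can only ever return such entries,
    which is exactly why a group DN makes a bad search_dn."""
    target, base = parse_dn(dn), parse_dn(base_dn)
    if len(base) > len(target):
        return False
    # RDNs run leaf-first, so the base must be a suffix of the target.
    return target[len(target) - len(base):] == base


def check_ad_client(cfg_text: str, user_dns: List[str]) -> List[str]:
    """Return a list of scope problems found in the [ad_client] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    problems = []
    if not cfg.has_option("ad_client", "search_dn"):
        problems.append("search_dn is missing; it is required for ad_client")
        return problems
    search_dn = cfg.get("ad_client", "search_dn")
    # If a group restriction is configured, the group object itself must
    # also be reachable from search_dn.
    if cfg.has_option("ad_client", "security_group_dn"):
        group_dn = cfg.get("ad_client", "security_group_dn")
        if not dn_in_subtree(group_dn, search_dn):
            problems.append(f"group {group_dn} is outside search_dn {search_dn}")
    for user_dn in user_dns:
        if not dn_in_subtree(user_dn, search_dn):
            problems.append(f"user {user_dn} is outside search_dn {search_dn}")
    return problems


# Constructed config reproducing the mistake discussed above: search_dn points
# at the group object, so a subtree search never reaches ou=People.
BROKEN_CFG = """
[ad_client]
host=dc1.domain.local
service_account_username=duoproxy
service_account_password=REDACTED
search_dn=cn=bobgroup,ou=Groups,dc=domain,dc=local
security_group_dn=cn=bobgroup,ou=Groups,dc=domain,dc=local
"""

# Corrected: search_dn is a level above both ou=People and ou=Groups.
FIXED_CFG = """
[ad_client]
host=dc1.domain.local
service_account_username=duoproxy
service_account_password=REDACTED
search_dn=dc=domain,dc=local
security_group_dn=cn=bobgroup,ou=Groups,dc=domain,dc=local
"""

# Constructed user entry matching the tree in the reply above.
BOB_DN = "cn=bob,ou=People,dc=domain,dc=local"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(name, check_ad_client(text, [BOB_DN]) or "OK")
```

Running it reports one problem for the broken config (bob is outside the group-rooted `search_dn`) and nothing for the fixed one. The same suffix test is what to apply by hand when the test tool says it found no users: take a known user's distinguishedName from AD and confirm it ends with the configured `search_dn`.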

Thanks, I managed to fix it.
Turns out the documentation isn't fully correct.

Looks like you need to use the search_group= blaa (or something like that) as well as the DN info.

Seems to work now.

Ah, search_dn is a required parameter, as documented in our Duo Authentication Proxy reference documentation for ad_client as well as on the specific application instructions that describe use of ad_client. There is no search_group parameter.

If the search_dn parameter information for ad_client is missing from some page we’d want to get that fixed. Please link to the page that doesn’t have the information.

Also, in which config parameter were you specifying your DN, if not in search_dn?