Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3814
Views
0
Helpful
3
Replies

Duo Auth Proxy - LDAP Issues, Cant find users even with the test tool

Graham_Smart
Level 1
Level 1

‎04-07-2020 03:21 AM

Hi,

Im currently struggling to get the Auth Proxy working at all.

We have it configured to talk to AD and it can bind fine.
I run the test tool and the error that comes up is that the “Auth proxy did not get results searching for users in the DN”

The DN is 100% correct and ive tried multiple other ones i know works on other systems.
The group has users in it like any other group.

A wireshark shows the Ldap query working fine, but no results.

What on earth is going on. Am i missing something critical here?

The configuration is identical of whats described on

Anyone else had issues like this?

Labels:
0 Helpful
3 Replies 3

DuoKristina
Cisco Employee
Cisco Employee

‎04-07-2020 12:42 PM

The group has users in it like any other group.

Did you set the base DN to the DN of a group? That would be a problem, because while a group contains users, the actual user objects are not stored under the group object in the LDAP hierarchy. You should set the base DN to a level that is above both the group of Duo users and the actual users that are members of the group.

- domain.local
--- People
------ bob
--- Groups
------ bobgroup

So in that example, if the DN was set to cn=bobgroup,ou=Groups,dc=domain,dc=local it would not be able to locate the user object bob, since it’s located in ou=People,dc=domain,dc=local.

Does that help, or did I read too much into your mention of the group?

Duo, not DUO.
0 Helpful

Graham_Smart
Level 1
Level 1
In response to DuoKristina

‎04-08-2020 03:52 AM

Thanks, I managed to fix it.
Turns out the documentation isnt fully correct.

Looks liek you need to use the search_group= blaa (or something like that) as well as the DN info.

Seems to work now.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to Graham_Smart

‎04-08-2020 06:40 AM

Ah, search_dn is a required parameter, as documented in our Duo Authentication Proxy reference documentation for ad_client as well as on the specific application instructions that describe use of ad_client. There is no search_group parameter.

If the search_dn parameter information for ad_client is missing from some page we’d want to get that fixed. Please link to the page that doesn’t have the information.

Also, in which config parameter were you specifying your DN, if not in search_dn?

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents