Duo OpenLDAP auth proxy fails to authenticate

reynico
Level 1

Hi all

I have a working OpenLDAP server with a username nrey. I also have two servers that authenticate against OpenLDAP: one is just a Linux machine that does SSH auth with OpenLDAP, the other is an OpenVPN server. Both work perfectly using user/pass authentication.

I’ve configured the Duo auth proxy for LDAP:

[ad_client]
host=127.0.0.1
service_account_username=cn=admin,dc=company,dc=io
bind_dn=ou=people,dc=company,dc=io
auth_type=plain
service_account_password=123
search_dn=ou=people,dc=company,dc=io
username_attribute=uniqueMember
ssl_verify_hostname=false

[ldap_server_auto]
ikey=xxx
skey=xxx
api_host=xxx
client=ad_client
interface=10.0.11.250

Openldap listens on localhost:389
Auth-proxy listens on 10.0.11.250

This is the slapd log output when trying to log in on the Linux SSH client:

Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 fd=14 ACCEPT from IP=127.0.0.1:44536 (IP=127.0.0.1:389)
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=0 BIND dn="cn=admin,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=0 BIND dn="cn=admin,dc=company,dc=io" mech=SIMPLE ssf=0
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=0 RESULT tag=97 err=0 text=
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=1 SRCH base="dc=company,dc=io" scope=2 deref=0 filter="(uid=nrey)"
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=2 BIND anonymous mech=implicit ssf=0
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=2 BIND dn="uid=nrey,ou=people,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=2 BIND dn="uid=nrey,ou=people,dc=company,dc=io" mech=SIMPLE ssf=0
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=2 RESULT tag=97 err=0 text=
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1183 fd=15 ACCEPT from IP=127.0.0.1:44538 (IP=127.0.0.1:389)
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1183 op=0 BIND dn="ou=people,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1183 op=0 RESULT tag=97 err=49 text=
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1183 fd=15 closed (connection lost)
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 fd=14 closed (connection lost)
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1184 fd=14 ACCEPT from IP=127.0.0.1:44540 (IP=127.0.0.1:389)
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1184 op=0 BIND dn="cn=admin,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1184 op=0 BIND dn="cn=admin,dc=company,dc=io" mech=SIMPLE ssf=0
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1184 op=0 RESULT tag=97 err=0 text=
Jun 10 18:43:54 ip-10-0-11-250 slapd[15533]: conn=1184 fd=14 closed (connection lost)

Password is OK and tested, user exists:

ldapsearch -x -LLL -b "uid=nrey,ou=people,dc=company,dc=io" "(uid=nrey)"
dn: uid=nrey,ou=people,dc=company,dc=io
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
cn: Nicolas
sn: Rey
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/nrey
uid: nrey

What am I missing?

3 Replies

DuoKristina
Cisco Employee

What’s happening on the Duo authentication proxy server during the auth attempt? Try enabling debug logging and observe the LDAP binds, searches, and results.

Also, you’ve set username_attribute=uniqueMember in your authproxy.cfg… did you mean to set username_attribute=uid? Isn’t uniqueMember a group attribute?

Duo, not DUO.
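To read the slapd side of the exchange the way Kristina suggests, here is an added Python helper (not from this thread or from Duo) that pairs each BIND and SRCH request with its RESULT by conn/op and lists the binds the server rejected together with the DN that was used; the sample log is a constructed trim of the one in the question. On that log it singles out ou=people,dc=company,dc=io, the bind_dn value from the posted config, as the credential rejected with err=49.

```python
import re

# Constructed sample: trimmed from the slapd output in the question above.
SAMPLE_LOG = """\
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=0 BIND dn="cn=admin,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=0 RESULT tag=97 err=0 text=
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=1 SRCH base="dc=company,dc=io" scope=2 deref=0 filter="(uid=nrey)"
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=2 BIND anonymous mech=implicit ssf=0
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=2 BIND dn="uid=nrey,ou=people,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=2 RESULT tag=97 err=0 text=
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1183 op=0 BIND dn="ou=people,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1183 op=0 RESULT tag=97 err=49 text=
"""

LINE_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|RESULT|SEARCH RESULT)\b(.*)$')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'\berr=(\d+)')
FILTER_RE = re.compile(r'filter="([^"]*)"')

def correlate_ops(log_text):
    """Pair each (conn, op) request with its RESULT line; returns one dict per operation in first-seen order."""
    ops = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ACCEPT / closed lines carry no op and are skipped
        key = (int(m.group(1)), int(m.group(2)))
        kind, rest = m.group(3), m.group(4)
        rec = ops.setdefault(key, {"conn": key[0], "op": key[1], "type": None, "dn": None, "filter": None, "err": None})
        if kind == "BIND":
            rec["type"] = "BIND"
            dm = DN_RE.search(rest)
            if dm:  # the "BIND anonymous mech=implicit" line has no dn; the following BIND line for the same op does
                rec["dn"] = dm.group(1)
        elif kind == "SRCH":
            rec["type"] = "SEARCH"
            fm = FILTER_RE.search(rest)
            if fm:
                rec["filter"] = fm.group(1)
        else:  # RESULT or SEARCH RESULT: record the LDAP result code for this op
            em = ERR_RE.search(rest)
            if em:
                rec["err"] = int(em.group(1))
    return list(ops.values())

def failed_binds(log_text):
    """Binds the server rejected (err=49 is LDAP invalidCredentials); the DN shows which credential the client sent."""
    return [(r["conn"], r["dn"], r["err"]) for r in correlate_ops(log_text) if r["type"] == "BIND" and r["err"] not in (None, 0)]
```

Point it at the full slapd log (for example, `failed_binds(open("/var/log/slapd.log").read())`) to see at a glance whether it is the service account, the user, or a stray DN from the proxy config that is failing to bind.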

reynico
Level 1

Thanks Kristina. I’ve solved the issue, just a bad bind_dn (-:
