This is just a heads up to anyone out there trying to do a directory sync with Google Workspace Secure LDAP…
We couldn’t get Duo talking directly to Google so we used an stunnel proxy to connect. However, now that we’re connected we can’t seem to pull users from groups.
Re-reading the Duo docs (Knowledge Base | Duo Security) reminded us of this:
Synced groups must also have the attributes entrydn (used as the distinguished name) and entryuuid (the group unique identifier).
So after some back and forth with Google they confirmed that their LDAP schema doesn’t have entrydn. After that was confirmed we gave up.
Our solution now is to use Duo’s APIs and have a script sync the users from Google.
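For anyone taking the same route, here is an added example (not Duo's, Google's or the original poster's code) of the sync logic such a script needs: treat Google as the source of truth, diff it against what Duo already has, and only then call the Admin API. It assumes the Google user list has already been fetched (for instance via the Admin SDK Directory API), that `admin_api` is a `duo_client.Admin` instance, and that users who leave Google are disabled rather than deleted so a bad directory pull cannot wipe enrolments. The sample users below are constructed so the script runs offline.

```python
"""Plan and apply a Google -> Duo user sync via the Duo Admin API.

Added example, not code from Duo or Google. Assumptions:
  * Google users arrive as GoogleUser objects (fetched elsewhere, e.g. the
    Admin SDK Directory API); the ones below are constructed sample data.
  * admin_api behaves like duo_client.Admin, whose get_users(), add_user()
    and update_user() methods are used (keyword names follow that library).
  * Duo usernames are the full e-mail address, compared case-insensitively.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class GoogleUser:
    email: str
    name: str
    suspended: bool = False


@dataclass
class SyncPlan:
    create: list = field(default_factory=list)      # GoogleUser objects to add to Duo
    disable: list = field(default_factory=list)     # Duo user_ids to set to "disabled"
    reactivate: list = field(default_factory=list)  # Duo user_ids to set back to "active"


def plan_sync(google_users, duo_users):
    """Diff Google (source of truth) against Duo and return the needed actions.

    duo_users has the shape of duo_client.Admin.get_users() entries: dicts
    with at least "user_id", "username" and "status". Users missing from
    Google are disabled, never deleted, so enrolled devices survive a bad
    pull. Only users Duo marks "disabled" are reactivated; "bypass" and
    other admin-set states are left alone.
    """
    plan = SyncPlan()
    duo_by_name = {u["username"].lower(): u for u in duo_users}
    wanted = {g.email.lower(): g for g in google_users}

    for key, g in wanted.items():
        d = duo_by_name.get(key)
        if d is None:
            if not g.suspended:            # never create a suspended account
                plan.create.append(g)
        elif g.suspended and d["status"] != "disabled":
            plan.disable.append(d["user_id"])
        elif not g.suspended and d["status"] == "disabled":
            plan.reactivate.append(d["user_id"])

    for key, d in duo_by_name.items():     # accounts that no longer exist in Google
        if key not in wanted and d["status"] != "disabled":
            plan.disable.append(d["user_id"])
    return plan


def apply_plan(admin_api, plan, dry_run=True):
    """Send a SyncPlan through a duo_client.Admin-style object.

    With dry_run=True (the default) nothing is sent; the list of intended
    calls is returned so the plan can be reviewed before a real run.
    """
    actions = []
    for g in plan.create:
        actions.append(("add_user", g.email))
        if not dry_run:
            admin_api.add_user(username=g.email, realname=g.name,
                               email=g.email, status="active")
    for uid in plan.disable:
        actions.append(("update_user", uid, "disabled"))
        if not dry_run:
            admin_api.update_user(uid, status="disabled")
    for uid in plan.reactivate:
        actions.append(("update_user", uid, "active"))
        if not dry_run:
            admin_api.update_user(uid, status="active")
    return actions


# Constructed sample data: what a Google fetch and a Duo get_users() might return.
GOOGLE_USERS = [
    GoogleUser("alice@example.com", "Alice Example"),
    GoogleUser("bob@example.com", "Bob Example", suspended=True),
    GoogleUser("carol@example.com", "Carol Example"),
]
DUO_USERS = [
    {"user_id": "DU1", "username": "alice@example.com", "status": "active"},
    {"user_id": "DU2", "username": "bob@example.com", "status": "active"},
    {"user_id": "DU3", "username": "dave@example.com", "status": "active"},
    {"user_id": "DU4", "username": "erin@example.com", "status": "disabled"},
]


if __name__ == "__main__":
    # For a real run: admin_api = duo_client.Admin(ikey=..., skey=..., host=...)
    # and duo_users = admin_api.get_users(); then apply_plan(admin_api, plan, dry_run=False).
    plan = plan_sync(GOOGLE_USERS, DUO_USERS)
    for action in apply_plan(None, plan):
        print(action)
```

Running it with the sample data creates Carol, disables Bob (suspended in Google) and Dave (gone from Google), and leaves Erin alone because she is already disabled. Keeping `dry_run=True` as the default means a mis-scoped Google query shows up as a suspicious list of disables rather than as locked-out users.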