Solved: Duo Proxy as LDAP Server

mumbles2021 · ‎08-05-2021

If using the Duo Proxy as both and ad_client and ldap_server is it possible to pass group membership back to original requesting device as well the notification of authentication?

DuoKristina · ‎08-05-2021

That linked Authentication Proxy reference suggests specifying exempt_primary_bind=false and listing the service/lookup account by DN as exempt_ou_1 when you use allow_unlimited_binds, so you’ll want to set those too. Your LDAP config section should look like this:

[ldap_server_auto]
ikey=nnn
skey=nnn
api_host=nnn
client=ad_client
exempt_primary_bind=false
exempt_ou_1=CN=yourldaplookupaccount,OU=whateverthednis,DC=yourdomain,DC=whatever
ssl_cert_path=mycert.pem
ssl_key_path=mykey.key
allow_searches_after_bind=true
allow_unlimited_binds=true

I tested this config as an LDAP Auth Server on Pulse Secure, and created a user realm that mapped members of an ldap group to the Users role, and could log in only when I was a member of the group I chose in the user realm role mapping.

Duo, not DUO.

View solution in original post

DuoKristina · ‎08-05-2021

Yes, the requesting device can request group memberships when the Duo Authentication proxy is configured for ldap client/server. Sometimes we see that customers need to set the allow_searches_after_bind and/or allow_unlimited_binds options for ldap_server_auto to accommodate the additional LDAP queries for a user’s group information, depending on how the requesting device asks for that information.

Duo, not DUO.

mumbles2021 · ‎08-05-2021

Thanks for this information. I tried adding both

allow_unlimited_binds=true
and
allow_searches_after_bind=true

in the ldap_server_auto section, but it’s still failing and when I go to the requesting device (Pulse Secure) it appears no group membership is being based back. Is there a way to query from the proxy to confirm it’s getting group membership back from the AD server?

Here’s the sanitized config file if it helps:

[ad_client]
host=1.1.1.1
host_2=1.1.1.2
service_account_username=duo
service_account_password=password
search_dn=DC=mydomain,DC=local
;transport=ldaps
ssl_ca_certs_file=cert.cer

[ldap_server_auto]
ikey=
skey=
api_host=
client=ad_client
failmode=safe
ssl_cert_path=mycert.pem
ssl_key_path=mykey.key
allow_searches_after_bind=true
allow_unlimited_binds=true

DuoKristina · ‎08-05-2021

That linked Authentication Proxy reference suggests specifying exempt_primary_bind=false and listing the service/lookup account by DN as exempt_ou_1 when you use allow_unlimited_binds, so you’ll want to set those too. Your LDAP config section should look like this:

[ldap_server_auto]
ikey=nnn
skey=nnn
api_host=nnn
client=ad_client
exempt_primary_bind=false
exempt_ou_1=CN=yourldaplookupaccount,OU=whateverthednis,DC=yourdomain,DC=whatever
ssl_cert_path=mycert.pem
ssl_key_path=mykey.key
allow_searches_after_bind=true
allow_unlimited_binds=true

I tested this config as an LDAP Auth Server on Pulse Secure, and created a user realm that mapped members of an ldap group to the Users role, and could log in only when I was a member of the group I chose in the user realm role mapping.

Duo, not DUO.

mumbles2021 · ‎08-05-2021

A million thank you’s!!! That worked like a charm and I’m able to connect now.

Now to troubleshoot why the proxy is failing to do LDAPS to the domain controllers when their certs were signed by the same CA.

DuoKristina · ‎08-06-2021

Thinking about common causes for that…

Make sure that the ssl_ca_certs_file cert you specify contains the full CA chain if you have intermediates. It does not need to contain the actual DC cert.
Make sure however you specified the hosts in ad_client, by IP or FQDN, is in the DC certificate as CN or SAN. If not, set ssl_verify_hostname=false so that the proxy doesn’t try to match the host= value to the cert.

Duo, not DUO.

mumbles2021 · ‎08-06-2021

Thanks, was just about to update that I found the issue. I was using the ip of the DC and not the hostnames. Once I specified the hostname it worked perfectly.