If using the Duo Proxy as both an ad_client and ldap_server, is it possible to pass group membership back to the original requesting device as well as the notification of authentication?
Yes, the requesting device can request group memberships when the Duo Authentication Proxy is configured for ldap client/server. Sometimes we see that customers need to set the allow_unlimited_binds option for ldap_server_auto to accommodate the additional LDAP queries for a user’s group information, depending on how the requesting device asks for that information.
Thanks for this information. I tried adding both
in the ldap_server_auto section, but it’s still failing, and when I go to the requesting device (Pulse Secure) it appears no group membership is being passed back. Is there a way to query from the proxy to confirm it’s getting group membership back from the AD server?
Here’s the sanitized config file if it helps:
That linked Authentication Proxy reference suggests specifying exempt_primary_bind=false and listing the service/lookup account by DN as exempt_ou_1 when you use allow_unlimited_binds, so you’ll want to set those too. Your LDAP config section should look like this:
[ldap_server_auto]
ikey=nnn
skey=nnn
api_host=nnn
client=ad_client
exempt_primary_bind=false
exempt_ou_1=CN=yourldaplookupaccount,OU=whateverthednis,DC=yourdomain,DC=whatever
ssl_cert_path=mycert.pem
ssl_key_path=mykey.key
allow_searches_after_bind=true
allow_unlimited_binds=true
I tested this config as an LDAP Auth Server on Pulse Secure, and created a user realm that mapped members of an ldap group to the Users role, and could log in only when I was a member of the group I chose in the user realm role mapping.
A million thank you’s!!! That worked like a charm and I’m able to connect now.
Now to troubleshoot why the proxy is failing to do LDAPS to the domain controllers when their certs were signed by the same CA.
Thinking about common causes for that…
Make sure that the ssl_ca_certs_file cert you specify contains the full CA chain if you have intermediates. It does not need to contain the actual DC cert.
Make sure that however you specified the hosts in ad_client, by IP or FQDN, they appear in the DC certificate as CN or SAN. If not, set ssl_verify_hostname=false so that the proxy doesn’t try to match the host= value to the cert.
Thanks, was just about to update that I found the issue. I was using the ip of the DC and not the hostnames. Once I specified the hostname it worked perfectly.
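As an added example (not from this thread and not Duo’s own tooling), a small Python checker for the two points raised above: the exempt_primary_bind=false and exempt_ou_1 settings that should accompany allow_unlimited_binds, and ad_client host values given as IP addresses that will not match a DC certificate’s CN or SAN while ssl_verify_hostname is on. The sample authproxy.cfg contents, DN and host values are constructed placeholders.

```python
import configparser
import ipaddress

# Constructed sample authproxy.cfg, modelled on the config posted in this thread.
# api_host, the DN, hosts and secrets are placeholders, not real values.
SAMPLE_CFG = """
[ad_client]
host=10.0.0.5
host_2=dc2.example.local
service_account_username=duo-lookup
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=local
transport=ldaps
ssl_ca_certs_file=ca_chain.pem

[ldap_server_auto]
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-PLACEHOLDER.duosecurity.com
client=ad_client
allow_searches_after_bind=true
allow_unlimited_binds=true
"""

def _truthy(value):
    return str(value).strip().lower() in ("true", "1", "yes")

def _is_ip(value):
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False

def check_proxy_config(text):
    """Return a list of findings for the config issues discussed in the thread."""
    cfg = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cfg.read_string(text)
    findings = []
    ls = cfg["ldap_server_auto"] if cfg.has_section("ldap_server_auto") else {}
    # With allow_unlimited_binds, the primary bind must not be exempt and the
    # lookup account DN should be listed as exempt_ou_N (defaults assumed: exempt_primary_bind=true).
    if _truthy(ls.get("allow_unlimited_binds", "false")):
        if _truthy(ls.get("exempt_primary_bind", "true")):
            findings.append("ldap_server_auto: allow_unlimited_binds=true but exempt_primary_bind is not false")
        if not any(k.startswith("exempt_ou_") for k in ls):
            findings.append("ldap_server_auto: allow_unlimited_binds=true but no exempt_ou_N lists the lookup account DN")
    ad = cfg["ad_client"] if cfg.has_section("ad_client") else {}
    # Hostname verification (on by default) compares host= to the DC cert's CN/SAN,
    # so a bare IP only passes if the cert carries that IP as a SAN.
    if ad.get("transport", "clear").lower() in ("ldaps", "starttls") and _truthy(ad.get("ssl_verify_hostname", "true")):
        for key, value in ad.items():
            if (key == "host" or key.startswith("host_")) and _is_ip(value):
                findings.append(f"ad_client: {key}={value} is an IP; use the DC's FQDN or confirm the cert lists that IP as a SAN")
    return findings
```

Run check_proxy_config on your own sanitized file contents; an empty list means none of the thread’s issues were found.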