Duo Proxy exception to ldap group

I have integrated the DUO proxy with FreeIPA; however, I’m not able to allow a specific group to bypass DUO. As a consequence, I need to add users one by one as exceptions. Is there any way to do that? According to the documentation, I could specify the group as exempt_ou, but it doesn’t work.

I tried:
exempt_ou_1=(memberOf=cn=test,cn=groups,cn=accounts,dc=example,dc=com)

and also:
exempt_ou_1=cn=test,cn=groups,cn=accounts,dc=example,dc=com

In FreeIPA, the groups start with cn, not OU.

Does anyone know how to proceed in this case?
Thank you

You cannot specify the DN of a group as the value for exempt_ou_1. It can be the DN of a single user or an entire OU/container. This is stated in the documentation of the exempt_ou option in the Authentication Proxy Reference here. There is no way to specify a group of users to bypass in the Authentication Proxy configuration.

Some alternative methods of accomplishing this are to create the group and users in Duo and set it to Bypass, or to set the New User Policy to allow unenrolled users access without 2FA and then only enroll the users that you want to use 2FA in Duo.

Well, FreeIPA doesn’t have OUs, so the exception for a group will not work at the proxy level; I would need to add them one by one using the DN…
Thanks for the info, I’ll look into creating groups and users in Duo for bypass.

~FreeIPA does have containers though, and you should be able to specify the DN of a container as the exempt_ou.~

Actually I did some more reading and this might not be possible.
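
Since the thread concludes that a group DN is not accepted and each user has to be listed by DN, the sketch below turns a group's member list into numbered exempt_ou_N lines. It is an added example, not code from the thread or from Duo. The function names and the LDIF sample are constructed, and it assumes users live under cn=users,cn=accounts of the thread's example.com suffix.

```python
import base64

USERS_SUFFIX = "cn=users,cn=accounts,dc=example,dc=com"  # assumed user container

# Constructed sample of `ldapsearch` LDIF output for the group's member attribute.
_ENC = base64.b64encode(f"uid=zo\u00eb,{USERS_SUFFIX}".encode()).decode()
SAMPLE_LDIF = (
    "dn: cn=test,cn=groups,cn=accounts,dc=example,dc=com\n"
    f"member: uid=alice,{USERS_SUFFIX}\n"
    "member: uid=bob,cn=users,cn=accounts,dc=exam\n"
    " ple,dc=com\n"                        # folded continuation line
    f"member:: {_ENC}\n"                   # base64 value (non-ASCII DN)
    "member: cn=nested,cn=groups,cn=accounts,dc=example,dc=com\n"
    f"member: UID=Alice,{USERS_SUFFIX}\n"  # duplicate, different case
)

def unfold(ldif):
    """Join LDIF continuation lines (leading single space) to the previous line."""
    out = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def member_dns(ldif):
    """Return the decoded values of every member attribute in the LDIF text."""
    dns = []
    for line in unfold(ldif):
        if line.lower().startswith("member::"):
            dns.append(base64.b64decode(line[8:].strip()).decode("utf-8"))
        elif line.lower().startswith("member:"):
            dns.append(line[7:].strip())
    return dns

def exempt_lines(dns, users_suffix=USERS_SUFFIX):
    """Number user DNs as exempt_ou_N lines; return (lines, skipped non-user DNs)."""
    kept, skipped, seen = [], [], set()
    for dn in dns:
        key = dn.lower()
        if not key.endswith("," + users_suffix.lower()):
            skipped.append(dn)  # e.g. nested groups: a group DN is not accepted
        elif key not in seen:
            seen.add(key)
            kept.append(dn)
    return [f"exempt_ou_{i}={dn}" for i, dn in enumerate(kept, 1)], skipped

if __name__ == "__main__":
    print("\n".join(exempt_lines(member_dns(SAMPLE_LDIF))[0]))
```

The generated list is a snapshot: users removed from the group keep skipping 2FA until the lines are regenerated, so review it whenever membership changes.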