Duo Proxy exception for an LDAP group

Robson_Maniasso
Level 1

I have integrated the Duo proxy with FreeIPA; however, I'm not able to allow a specific group to bypass Duo, so I need to add users one by one as exceptions. Is there any way to do that? According to the documentation I could specify the group as exempt_ou, but it doesn't work.

I tried:
exempt_ou_1=(memberOf=cn=test,cn=groups,cn=accounts,dc=example,dc=com)

and also:
exempt_ou_1=cn=test,cn=groups,cn=accounts,dc=example,dc=com

In FreeIPA, the groups start with cn, not OU.

Does anyone know how to proceed in this case?
Thank you

Accepted Solution

DuoKristina
Cisco Employee

You cannot specify the DN of a group as the value for exempt_ou_1. It can be the DN of a single user or an entire OU/container. This is stated in the documentation of the exempt_ou option in the Authentication Proxy Reference here. There is no way to specify a group of users to bypass in the Authentication Proxy configuration.

Some alternative methods of accomplishing this are to create the group and users in Duo and set it to Bypass, or to set the New User Policy to allow unenrolled users access without 2FA and then only enroll the users that you want to use 2FA in Duo.

Duo, not DUO.

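To make the accepted answer concrete, here is a small Python model (added for this thread, not Duo's own code) of what a DN-based exempt_ou value can and cannot match: a user DN or a container DN matches by DN subtree, while a group DN or an LDAP filter never does, because group membership lives in the memberOf attribute, not in the user's DN. The DNs are constructed FreeIPA-style sample values, and the subtree-matching rule is my reading of the exempt_ou documentation, not verified against the proxy's source.

```python
# Added example, not Duo's code: models the documented exempt_ou rule, where the
# value must be the DN of one user or of an OU/container, and a user is exempt
# when their DN equals it or sits beneath it. A group DN never matches, because
# membership is an attribute (memberOf), not a position in the DN tree.
# All DNs below are constructed sample values in a FreeIPA-style tree.

def parse_dn(dn: str) -> list[str]:
    """Split a DN into normalised RDNs, most specific first (no RDN escaping support)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def dn_under(user_dn: str, base_dn: str) -> bool:
    """True if user_dn equals base_dn or lies anywhere in base_dn's subtree."""
    user, base = parse_dn(user_dn), parse_dn(base_dn)
    return len(user) >= len(base) and user[len(user) - len(base):] == base

def is_exempt(user_dn: str, exempt_ous: list[str]) -> bool:
    """Exempt if any configured exempt_ou_N value is the user's DN or an ancestor container."""
    return any(dn_under(user_dn, ou) for ou in exempt_ous)

# Constructed FreeIPA-style entries.
ALICE = "uid=alice,cn=users,cn=accounts,dc=example,dc=com"
GROUP_DN = "cn=test,cn=groups,cn=accounts,dc=example,dc=com"  # group DN from the question
USERS_CONTAINER = "cn=users,cn=accounts,dc=example,dc=com"     # container DN, valid for exempt_ou
ALICE_ATTRS = {"memberOf": [GROUP_DN]}                          # membership is an attribute only

# The filter syntax tried in the question; it is not a DN at all.
FILTER_VALUE = "(memberOf=cn=test,cn=groups,cn=accounts,dc=example,dc=com)"

def demo() -> dict[str, bool]:
    """Evaluate each exempt_ou candidate from the thread against the sample user."""
    return {
        "group_dn": is_exempt(ALICE, [GROUP_DN]),          # False: alice is not under the group entry
        "filter": is_exempt(ALICE, [FILTER_VALUE]),        # False: a filter string is not a DN
        "single_user": is_exempt(ALICE, [ALICE]),          # True: one user at a time, as the asker found
        "container": is_exempt(ALICE, [USERS_CONTAINER]),  # True, but this exempts every user in it
        "is_group_member": GROUP_DN in ALICE_ATTRS["memberOf"],  # True, yet irrelevant to exempt_ou
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last two results show the trade-off the answer describes: a container DN exempts everyone beneath it, so a narrower, group-based bypass has to be done in Duo's own group/policy settings rather than in the proxy.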

3 Replies


Robson_Maniasso
Level 1

Well, FreeIPA doesn't have OUs, so the exception for a group will not work at the proxy level; I would need to add them one by one using DNs…
Thanks for the info, I'll look into creating groups and users in Duo for bypass.

~FreeIPA does have containers though, and you should be able to specify the DN of a container as the exempt_ou.~

Actually I did some more reading and this might not be possible.

Duo, not DUO.