Error in duoauthproxy after successful 2FA auth


#1

After a successful authentication and 2FA allow, I’m getting an unintelligible error from the Duo auth proxy, pasted below.

I’m authenticating against an Active Directory instance (AWS Simple Directory) using auth_type=plain.

The proxy is running on Ubuntu 14.04.5 LTS, Python 2.7.6.

2018-03-22T16:51:40+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 127.0.0.1:43072] Got preauth result for jared.stehler: u'auth'
2018-03-22T16:51:40+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] http POST to https://■■■■:443/rest/v1/auth
2018-03-22T16:51:40+0000 [duoauthproxy.lib.http._■■■■#info] Starting factory <_■■■■: https://■■■■:443/rest/v1/auth>
2018-03-22T16:51:40+0000 [duoauthproxy.lib.http._■■■■#info] Stopping factory <_■■■■: https://■■■■:443/rest/v1/preauth>
2018-03-22T16:51:47+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 127.0.0.1:43072] Duo authentication returned 'allow': 'Success. Logging you in...'
2018-03-22T16:51:47+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 127.0.0.1:43072] Success. Logging you in...
2018-03-22T16:51:47+0000 [duoauthproxy.lib.http._■■■■#info] Stopping factory <_■■■■: https://■■■■:443/rest/v1/auth>
2018-03-22T16:51:47+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7f7d73b443d0>
2018-03-22T16:51:47+0000 [stdout#info] BERDecoderContext has no tag 0x4e: <L■■■■_LDAPMessage identities={0x80: LDAPControls, 0x53: L■■■■ence} fallback=<L■■■■ identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: L■■■■, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None> inherit=<L■■■■ identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: L■■■■, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None>>
2018-03-22T16:51:47+0000 [DuoAutoLdapServer,0,127.0.0.1] Unhandled Error
  Traceback (most recent call last):
    File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/python/log.py", line 101, in callWithLogger
      return callWithContext({"system": lp}, func, *args, **kw)
    File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/python/log.py", line 84, in callWithContext
      return context.call({ILogContext: newCtx}, func, *args, **kw)
    File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/python/context.py", line 118, in callWithContext
      return self.currentContext().callWithContext(ctx, func, *args, **kw)
    File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/python/context.py", line 81, in callWithContext
      return func(*args,**kw)
  --- <exception caught here> ---
    File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/internet/posixbase.py", line 597, in _doReadOrWrite
      why = selectable.doRead()
    File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/internet/tcp.py", line 209, in doRead
      return self._dataReceived(data)
    File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/internet/tcp.py", line 215, in _dataReceived
      rval = self.protocol.dataReceived(data)
    File "/opt/duoauthproxy/lib/python2.7/site-packages/ldaptor/protocols/ldap/ldapserver.py", line 46, in dataReceived
      o, bytes=pureber.berDecodeObject(self.berdecoder, self.buffer)
    File "/opt/duoauthproxy/lib/python2.7/site-packages/ldaptor/protocols/pureber.py", line 374, in berDecodeObject
      berdecoder=inh)
    File "/opt/duoauthproxy/lib/python2.7/site-packages/ldaptor/protocols/pureldap.py", line 61, in fromBER
      value=l[1]
  exceptions.IndexError: list index out of range
  
2018-03-22T16:51:47+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7f7d73b0b710>

#2

I was able to figure this out, with help from support.

I am using OpenVPN, and had a separate Group declaration in my LDAP conf, like:

<Authorization>
BaseDN "OU=People,dc=corp,dc=company,dc=com"
SearchFilter "(&(sAMAccountName=%u))"

RequireGroup true

# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users

<Group>
BaseDN "OU=Groups,dc=corp,dc=company,dc=com"
SearchFilter "(cn=vpn-access)"
MemberAttribute "member"
</Group>
</Authorization>

which was causing OpenVPN to send the LDAPCompareRequest command, which is unsupported by the Duo auth proxy.

I fixed this by changing my config to include the group in the user filter:

<Authorization>
BaseDN "OU=Users,dc=corp,dc=company,dc=com"
SearchFilter "(&(sAMAccountName=%u)(memberof=cn=vpn-access,OU=Groups,dc=corp,dc=company,dc=com))"
</Authorization>
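The tag 0x4e that the proxy's decoder rejects in the log above is the LDAP CompareRequest ([APPLICATION 14] in RFC 4511), which is the operation a separate group-membership check makes the LDAP client send, and it is absent from the decoder's identities table. The following is an added example, not code from the thread or from Duo, that decodes the protocolOp tag of a BER-encoded LDAPMessage and checks it against the table printed in the log; the sample messages and DNs are constructed placeholders.

```python
# Added example (not from the original thread): decode the outer BER envelope of one
# LDAPMessage, name its protocolOp by RFC 4511 application tag, and check it against
# the operation table the proxy's decoder printed in the log above.
# Tags are keyed as ldaptor logs them: APPLICATION class (0x40) + tag number, with
# the constructed bit (0x20) dropped, so CompareRequest [APPLICATION 14] shows as 0x4e.
LDAP_OPS = {
    0x40: "bindRequest", 0x41: "bindResponse", 0x42: "unbindRequest", 0x43: "searchRequest",
    0x44: "searchResEntry", 0x45: "searchResDone", 0x46: "modifyRequest",
    0x47: "modifyResponse", 0x48: "addRequest", 0x49: "addResponse", 0x4a: "delRequest",
    0x4b: "delResponse", 0x4c: "modDNRequest", 0x4d: "modDNResponse", 0x4e: "compareRequest",
    0x4f: "compareResponse", 0x50: "abandonRequest", 0x53: "searchResRef",
    0x57: "extendedRequest", 0x58: "extendedResponse",
}
# Application tags present in the proxy's "identities" dict in the log (no 0x4e/0x4f).
PROXY_SUPPORTED = {0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49,
                   0x4a, 0x4b, 0x4c, 0x4d, 0x50, 0x53, 0x57, 0x58}

def read_tlv(buf, pos):
    """Decode one BER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next N bytes hold it
        nbytes = length & 0x7f
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def classify_ldap_message(msg):
    """Return (messageID, protocolOp name, whether the proxy's decoder handles it)."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    id_tag, id_start, id_end = read_tlv(msg, body)
    if id_tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    message_id = int.from_bytes(msg[id_start:id_end], "big")
    op_tag = read_tlv(msg, id_end)[0] & ~0x20   # drop the constructed bit
    return message_id, LDAP_OPS.get(op_tag, "unknown"), op_tag in PROXY_SUPPORTED

def tlv(tag, payload):
    """Encode one BER element with a short-form length (payload under 128 bytes)."""
    return bytes([tag, len(payload)]) + payload

# Constructed samples (placeholder DNs): the CompareRequest a group-membership check
# produces, and a simple BindRequest that the proxy does handle.
GROUP_DN = b"cn=vpn-access,OU=Groups,dc=corp,dc=company,dc=com"
USER_DN = b"cn=someuser,OU=Users,dc=corp,dc=company,dc=com"
COMPARE_MSG = tlv(0x30, tlv(0x02, b"\x05") + tlv(0x6e, tlv(0x04, GROUP_DN)
                  + tlv(0x30, tlv(0x04, b"member") + tlv(0x04, USER_DN))))
BIND_MSG = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03")
               + tlv(0x04, USER_DN) + tlv(0x80, b"placeholder-password")))
```

Feeding a captured client message through classify_ldap_message tells you, before touching the proxy, whether that operation falls outside its decoder table and would hit the same unhandled-tag path as the compare above.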