03-22-2018 11:28 AM
After a successful authentication and 2FA allow, I’m getting an unintelligible error from the duo auth proxy, pasted below.
I’m authenticating against an Active Directory instance (AWS Simple Directory) using auth_type=plain.
The proxy is running on Ubuntu 14.04.5 LTS, Python 2.7.6.
2018-03-22T16:51:40+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 127.0.0.1:43072] Got preauth result for jared.stehler: u'auth'
2018-03-22T16:51:40+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] http POST to https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/auth
2018-03-22T16:51:40+0000 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Starting factory <_■■■■■■■■■■■■■■■■■■■■: https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/auth>
2018-03-22T16:51:40+0000 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/preauth>
2018-03-22T16:51:47+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 127.0.0.1:43072] Duo authentication returned 'allow': 'Success. Logging you in...'
2018-03-22T16:51:47+0000 [HTTPPageGetter (TLSMemoryBIOProtocol),client] [Request from 127.0.0.1:43072] Success. Logging you in...
2018-03-22T16:51:47+0000 [duoauthproxy.lib.http._■■■■■■■■■■■■■■■■■■■■#info] Stopping factory <_■■■■■■■■■■■■■■■■■■■■: https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■:443/rest/v1/auth>
2018-03-22T16:51:47+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7f7d73b443d0>
2018-03-22T16:51:47+0000 [stdout#info] BERDecoderContext has no tag 0x4e: <L■■■■■■■■■■■■■■■■■■■■_LDAPMessage identities={0x80: LDAPControls, 0x53: L■■■■■■■■■■■■■■■■■■■■ence} fallback=<L■■■■■■■■■■■■■■■■■■■■ identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: L■■■■■■■■■■■■■■■■■■■■, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None> inherit=<L■■■■■■■■■■■■■■■■■■■■ identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: L■■■■■■■■■■■■■■■■■■■■, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None>>
2018-03-22T16:51:47+0000 [DuoAutoLdapServer,0,127.0.0.1] Unhandled Error
Traceback (most recent call last):
File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/python/log.py", line 101, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/python/log.py", line 84, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/python/context.py", line 118, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/python/context.py", line 81, in callWithContext
return func(*args,**kw)
--- <exception caught here> ---
File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/internet/posixbase.py", line 597, in _doReadOrWrite
why = selectable.doRead()
File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/internet/tcp.py", line 209, in doRead
return self._dataReceived(data)
File "/opt/duoauthproxy/lib/python2.7/site-packages/Twisted-15.4.0-py2.7-linux-x86_64.egg/twisted/internet/tcp.py", line 215, in _dataReceived
rval = self.protocol.dataReceived(data)
File "/opt/duoauthproxy/lib/python2.7/site-packages/ldaptor/protocols/ldap/ldapserver.py", line 46, in dataReceived
o, bytes=pureber.berDecodeObject(self.berdecoder, self.buffer)
File "/opt/duoauthproxy/lib/python2.7/site-packages/ldaptor/protocols/pureber.py", line 374, in berDecodeObject
berdecoder=inh)
File "/opt/duoauthproxy/lib/python2.7/site-packages/ldaptor/protocols/pureldap.py", line 61, in fromBER
value=l[1]
exceptions.IndexError: list index out of range
2018-03-22T16:51:47+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7f7d73b0b710>
03-23-2018 11:29 AM
I was able to figure this out, with help from support.
I am using openVPN, and had a separate Groups declaration in my ldap conf, like:
<Authorization>
BaseDN "OU=People,dc=corp,dc=company,dc=com"
SearchFilter "(&(sAMAccountName=%u))"
RequireGroup true
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "OU=Groups,dc=corp,dc=company,dc=com"
SearchFilter "(cn=vpn-access)"
MemberAttribute "member"
</Group>
</Authorization>
which was causing openVPN to send the unsupported (by duo authproxy) command LDAPCompareRequest.
I fixed this by changing my config to include the group in the user filter:
<Authorization>
BaseDN "OU=Users,dc=corp,dc=company,dc=com"
SearchFilter "(&(sAMAccountName=%u)(memberof=cn=vpn-access,OU=Groups,dc=corp,dc=company,dc=com))"
</Authorization>
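Added diagnostic, not code from the thread, from Duo or from ldaptor: it builds two constructed LDAP messages (the CompareRequest that a separate Group block makes OpenVPN issue, and a plain BindRequest) and checks each protocolOp tag against the operation table the proxy's decoder printed in the log above, applying the same masking of the BER constructed bit so that [APPLICATION 14] on the wire (0x6e) is looked up as 0x4e. The DNs and the tag names filled in for the redacted table entries are assumptions.

```python
APP, CONSTRUCTED = 0x40, 0x20   # BER APPLICATION class bits; form bit the decoder strips before lookup

# Operation tags the proxy's decoder knows, copied from the "identities" dicts in the log;
# names for the redacted entries (0x44, 0x53) are taken from RFC 4511.
PROXY_KNOWN = {
    0x40: "BindRequest", 0x41: "BindResponse", 0x42: "UnbindRequest", 0x43: "SearchRequest",
    0x44: "SearchResultEntry", 0x45: "SearchResultDone", 0x46: "ModifyRequest",
    0x47: "ModifyResponse", 0x48: "AddRequest", 0x49: "AddResponse", 0x4a: "DelRequest",
    0x4b: "DelResponse", 0x4c: "ModifyDNRequest", 0x4d: "ModifyDNResponse", 0x50: "AbandonRequest",
    0x53: "SearchResultReference", 0x57: "ExtendedRequest", 0x58: "ExtendedResponse",
}
# RFC 4511 operations missing from that table; compareRequest is [APPLICATION 14] = 0x4e.
NOT_IN_PROXY = {0x4e: "CompareRequest", 0x4f: "CompareResponse"}

def ber(tag, content):
    """Encode one BER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def classify(message):
    """Return (masked_tag, name, accepted_by_proxy) for an LDAPMessage's protocolOp."""
    tag, body, _ = read_tlv(message)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    id_tag, _, pos = read_tlv(body)               # messageID INTEGER comes first
    if id_tag != 0x02:
        raise ValueError("messageID missing")
    op_tag, _, _ = read_tlv(body, pos)
    masked = op_tag & ~CONSTRUCTED                # 0x6e on the wire -> 0x4e in the lookup
    if masked in PROXY_KNOWN:
        return masked, PROXY_KNOWN[masked], True
    return masked, NOT_IN_PROXY.get(masked, "unknown"), False

def ldap_message(msg_id, op_tag, op_content):
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(op_tag, op_content))

def octets(s): return ber(0x04, s.encode())
USER_DN = "CN=jdoe,OU=People,dc=corp,dc=company,dc=com"   # constructed sample DN
# Constructed: "is member=<user DN> set on cn=vpn-access?" sent as a CompareRequest.
compare = ldap_message(3, APP | CONSTRUCTED | 14, octets("cn=vpn-access,OU=Groups,dc=corp,dc=company,dc=com")
                       + ber(0x30, octets("member") + octets(USER_DN)))
# Constructed: a simple bind, which the proxy's table does accept.
bind = ldap_message(1, APP | CONSTRUCTED | 0, ber(0x02, b"\x03") + octets(USER_DN) + ber(0x80, b"secret"))
```

Running `classify` over a captured OpenVPN request tells you before the proxy logs "has no tag 0x4e" whether the plugin is still issuing compares instead of the memberof search filter from the fix.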