Hello again AmishBill!
Given your sample OU hierarchy the search DN you’ve constructed is correct.
The “Failed to communicate with any Active Directory server” usually indicates that either the Authentication Proxy literally can’t contact the domain controller specified in the
[ad_client] section of authproxy.cfg, or that the LDAP account username or password configured in that file that’s used to connect to the AD domain controller is incorrect.
Make sure that the Authentication Proxy is able to communicate with the domain controller over port 389 (636 if using LDAPS, or whichever port you specified if you’re using a custom one), that the
service_account_password are correct (as is the DN for the account in
bind_dn if you’re using that parameter), and that the account you’re using has the rights to bind to AD and look up information about users in that domain.
With respect to the
search_dn, make sure it’s not set too low in the hierarchy. You want it at a level above any users (and the OUs or containers that hold them) who will log in with Duo, AND above the service account used in
ad_client, AND above any level that contain groups if you’re doing any filtering or restrictions by group.
By way of example, if you have
search_dn=OU=MyUsers,OU=MyCo,DC=mydomain,DC=local but the
service_account_username user is in an different subtree (like say
OU=ServiceAccounts,OU=MyCo,DC=mydomain,DC=local) the Authentication Proxy may not locate it in an LDAP search.