Integrate RH IDM ( FREEIPA) with duo auth proxy

Robson_Maniasso
Level 1

Hello, has anyone had success integrating FreeIPA or Red Hat Identity Manager with the Duo Authentication Proxy?
I've been trying for a while, but it seems the proxy can't look up the mail in FreeIPA. Here is my authproxy.cfg

[main]
debug=true
log_auth_events=true
log_max_files=250
log_max_size=1048576
test_connectivity_on_startup=true
;
;
[ad_client]
host=b02ipasrv001
;transport=clear
transport=starttls
auth_type=plain
ssl_ca_certs_file=b02ipasrv001.pem
ssl_verify_hostname=true
service_account_username=admin
service_account_password=passw0rd
bind_dn=uid=admin,cn=users,cn=accounts,dc=lab,dc=example,dc=com
search_dn=cn=users,cn=accounts,dc=lab,dc=example,dc=com
username_attribute=mail

;
;
[ldap_server_auto]
client=ad_client
ssl_key_path=b02rhe07node01…key.pem
ssl_cert_path=b02rhe07node01…pem
;port=389
ssl_port=636
#exempt_primary_bind=false
#exempt_ou_1=CN=uid=admin,cn=users,cn=accounts,dc=lab,dc=example,dc=com
minimum_tls_version=tls1.2
cipher_list=HIGH:!3DES:!anon:!AECDH-AES128-SHA:!AECDH-AES256-SHA

; Duo integration key
ikey = ZZZZZZZZZZZZZZ
; Duo secret key
skey = XXXXXXXXXX
; Duo API hostname
api_host = YYYYYYYYY
failmode=safe
factors=push
allow_unlimited_binds=true

connectivity_tool shows no errors


8 Replies

DuoKristina
Cisco Employee

The useful information for troubleshooting will be in the debug log output on your Duo Authentication Proxy server (look for the LDAP search request and response). We don’t encourage posting potentially sensitive log info in the community, so please carefully review the log output if you plan to share it here. Otherwise, I encourage you to contact Duo Support to open a case, where the technical support engineer will review your configs and log output.

Duo, not DUO.

I understand that, but what I am looking for is whether it is necessary to set up anything on the IDM server for Duo to work, like a schema, etc.
Duo is able to communicate but not able to retrieve the information needed.

When troubleshooting something like this I look at the LDAP bind, search request, and result in the debug log to tell me why something could or could not be found (as in, did the service account even bind to perform the search, was the search request issued with the attributes I need, if the result included no objects is there some mismatch between the filters used for search and the attributes of the object I expected it to return, etc.).

Duo, not DUO.

Robson_Maniasso
Level 1

Well, the logs don't help much; the common item is a drop of the connection between the RHEL IDM and the authproxy just before a search can be done for the mail attribute of the user.
Using a basic domain like lab.example.com, the admin would be uid=admin,cn=users,cn=accounts,dc=lab,dc=example,dc=com and users would be something like: uid=robfm,cn=users,cn=accounts,dc=lab,dc=example,dc=com
Would it be necessary to set something on the IDM server? Or will a basic configuration work? What is incorrect in my configuration?

I don’t have enough information to advise you. A description of the log isn’t as useful as the actual log. If you don’t want to share the log output here (scrubbed of sensitive info) then go ahead and open a case with Duo Support.

Duo, not DUO.

In fact I have figured out the issue. I included the following lines in my conf file and it worked:

exempt_primary_bind=false
exempt_ou_1=uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=com

I’m glad you figured it out!

You likely saw a message like “Exempting primary user from 2FA” in the debug output? For systems that bind as the service account, disconnect, and then bind again as the authenticating user, the exempt_primary_bind=false option ensures that each bind requires 2FA, and exempt_ou lets you skip 2FA for the service account doing the user lookup.

Duo, not DUO.
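As an added example (not from this thread and not Duo's own code): a small Python model of the exemption rule Kristina describes, run against a constructed authproxy.cfg fragment built from the poster's DNs plus the two lines from the accepted answer. The matching semantics (DN normalisation, suffix matching for exempt_ou_N, exempt_primary_bind defaulting to true) are my assumptions, used to check the one thing that matters in practice: once exempt_primary_bind=false is set, the service account doing the user lookup must itself fall under an exempt_ou entry, otherwise its own bind would be challenged for 2FA and the search would never run.

```python
"""Simplified model of the Duo Authentication Proxy exempt options.

Constructed example: the rules below are an assumed reading of
exempt_primary_bind / exempt_ou_N, not Duo's implementation.
"""
import configparser

# Constructed authproxy.cfg fragment: the poster's [ad_client] DNs plus the
# two lines from the accepted answer, with one consistent base DN. The Duo
# keys are placeholders, not real values.
SAMPLE_CFG = """\
[ad_client]
host=b02ipasrv001
transport=starttls
auth_type=plain
bind_dn=uid=admin,cn=users,cn=accounts,dc=lab,dc=example,dc=com
search_dn=cn=users,cn=accounts,dc=lab,dc=example,dc=com
username_attribute=mail

[ldap_server_auto]
client=ad_client
exempt_primary_bind=false
exempt_ou_1=uid=admin,cn=users,cn=accounts,dc=lab,dc=example,dc=com
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=PLACEHOLDER_API_HOST
"""


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators so two spellings
    of the same DN compare equal. Escaped commas inside values are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr.strip()}={value.strip()}")
    return ",".join(rdns).lower()


def load_cfg(text):
    """Parse an authproxy.cfg-style INI text (';' and '#' comments allowed)."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return cp


def exempt_dns(cp, section="ldap_server_auto"):
    """Collect exempt_ou_1, exempt_ou_2, ... in numeric order, normalised."""
    keys = [k for k in cp[section] if k.startswith("exempt_ou_")]
    keys.sort(key=lambda k: int(k.rsplit("_", 1)[1]))
    return [normalize_dn(cp[section][k]) for k in keys]


def dn_under(dn, base):
    """True if dn is base itself or an entry beneath base (assumed match rule)."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def requires_2fa(cp, bind_dn, is_primary_bind, section="ldap_server_auto"):
    """Decide whether a bind as bind_dn would be challenged for 2FA.

    Assumed semantics: the first bind on a connection is exempt unless
    exempt_primary_bind=false; any bind under an exempt_ou_N is exempt.
    """
    sec = cp[section]
    if is_primary_bind and sec.getboolean("exempt_primary_bind", fallback=True):
        return False
    return not any(dn_under(bind_dn, ou) for ou in exempt_dns(cp, section))


def service_account_exempt(cp, section="ldap_server_auto"):
    """Check that the service account used for the user lookup is covered by
    an exempt_ou entry, so disabling exempt_primary_bind does not break it."""
    client = cp[section]["client"]
    return not requires_2fa(cp, cp[client]["bind_dn"], is_primary_bind=True, section=section)


if __name__ == "__main__":
    cfg = load_cfg(SAMPLE_CFG)
    user = "uid=robfm,cn=users,cn=accounts,dc=lab,dc=example,dc=com"
    print("service account exempt:", service_account_exempt(cfg))
    print("user bind needs 2FA:   ", requires_2fa(cfg, user, is_primary_bind=False))
```

Running the block as-is reports that the service account is exempt and that an ordinary user bind is still challenged. Dropping the exempt_ou_1 line from SAMPLE_CFG flips the first result, which is the misconfiguration the check is there to catch.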

andrewm659
Level 1

Where did you place the SSSD config file? Was this on ANY client server? Did you make modifications to the IPA server itself?
Did you have an AD trust already setup/configured w/ FreeIPA?

Thanks!
