LDAP bind failed in DAG

Hi experts

I am installing DAG and encountered an LDAP bind failure while integrating with AD (Windows 2012 server).

Here are my settings and the errors in the log. I changed the username format to DUOTEST\ldapuser or the short name only; it doesn’t work.

Attributes: distinguishedName,sAMAccountName,userPrincipalName
Search Base: CN=DUO,DC=DUOTEST,DC=local
Search attributes: sAMAccountName
Search username: ldapuser@DUOTEST.local

Feb 01 02:44:34 simplesamlphp DEBUG [f0c22eda30] Binded session success. The user’s IP address and User Agent has not changed since last login.
Feb 01 02:44:34 simplesamlphp DEBUG [f0c22eda30] Session: Valid session found with ‘admin’.
Feb 01 02:44:34 simplesamlphp DEBUG [f0c22eda30] Session: Valid session found with ‘admin’.
Feb 01 02:44:34 simplesamlphp ERROR [f0c22eda30] SimpleSAML_Error_Exception: Error 2 - ldap_bind(): Unable to bind to server: Invalid credentials|Backtrace:|9 C:\inetpub\wwwroot\dag\www_include.php:87 (SimpleSAML_error_handler)|8 [builtin] (ldap_bind)|7 C:\inetpub\wwwroot\dag\lib\SimpleSAML\Auth\LDAP.php:807 (SimpleSAML_Auth_LDAP::ldap_bind_test)|6 C:\inetpub\wwwroot\dag\modules\duosecurity\www\admin\duo_ad.php:99 (include)|5 C:\inetpub\wwwroot\dag\lib\SimpleSAML\Module.php:210 (SimpleSAML_Module::{closure})|4 C:\inetpub\wwwroot\dag\lib\SimpleSAML\Module.php:211 (SimpleSAML_Module::includeModuleFile)|3 C:\inetpub\wwwroot\dag\modules\duosecurity\templates\admin\duo_authsource.tpl.php:62 (require)|2 C:\inetpub\wwwroot\dag\lib\SimpleSAML\XHTML\Template.php:581 (SimpleSAML_XHTML_Template::show)|1 C:\inetpub\wwwroot\dag\modules\duosecurity\www\admin\duo_authsource.php:50 (require)|0 C:\inetpub\wwwroot\dag\www\module.php:140 (N/A)
Feb 01 02:44:34 simplesamlphp DEBUG [f0c22eda30] Error detected at shutdown: E_WARNING: ldap_bind(): Unable to bind to server: Invalid credentials in C:\inetpub\wwwroot\dag\lib\SimpleSAML\Auth\LDAP.php on line 807


The log you provided indicates that the LDAP credentials aren’t correct. Please double-check the name and password you configured in the AD authentication source settings. As per the instructions, the bind username should be specified as DUOTEST\ldapuser, not the UPN or sAM only. Also verify that the Base DN is correct and that any users that need to bind via the DAG (including the search username service account) are located under the DUO container in your directory. Is it possible that DUO is an organizational unit and not a container? If so, the DN would be OU=DUO,DC=DUOTEST,DC=local.
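
One way to check the points raised in the reply from a domain-joined machine, as an added example that is not part of the original thread or of Duo's documentation. It assumes the RSAT ActiveDirectory PowerShell module is installed and reuses the domain, container name, and account name quoted in the question; the variable names are illustrative.

```powershell
# Added example: read-only directory checks, no changes are made to AD.
Import-Module ActiveDirectory

# Values taken from the question; adjust to your environment.
$DomainDn     = 'DC=DUOTEST,DC=local'
$ConfiguredDn = 'CN=DUO,DC=DUOTEST,DC=local'   # Search Base as entered in the DAG
$BindAccount  = 'ldapuser'                     # sAMAccountName of the search account

# 1. Is DUO a container (CN=...) or an organizational unit (OU=...)?
$candidates = Get-ADObject -SearchBase $DomainDn -SearchScope Subtree `
    -LDAPFilter '(&(name=DUO)(|(objectClass=container)(objectClass=organizationalUnit)))'

if (-not $candidates) {
    Write-Warning "No container or OU named DUO found under $DomainDn"
}
foreach ($c in $candidates) {
    [pscustomobject]@{
        ObjectClass       = $c.ObjectClass
        DistinguishedName = $c.DistinguishedName
        # -eq on strings is case-insensitive, which matches DN comparison rules
        MatchesConfigured = ($c.DistinguishedName -eq $ConfiguredDn)
    } | Format-List
}

# 2. Where does the search account live, and is it in a state that allows a bind?
$u = Get-ADUser -Identity $BindAccount -Properties LockedOut, PasswordExpired

[pscustomobject]@{
    DistinguishedName = $u.DistinguishedName
    UserPrincipalName = $u.UserPrincipalName
    # True only if the account's DN sits below the Search Base configured in the DAG
    UnderSearchBase   = $u.DistinguishedName.EndsWith(
                            ",$ConfiguredDn",
                            [System.StringComparison]::OrdinalIgnoreCase)
    Enabled           = $u.Enabled
    LockedOut         = $u.LockedOut
    PasswordExpired   = $u.PasswordExpired
} | Format-List
```

If step 1 reports `organizationalUnit` with `MatchesConfigured` false, the Search Base in the DAG needs the `OU=` form of the DN that the script prints.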