LDAP Proxy Failing to Connect


Hi All,

I’m running into a problem where I can’t seem to make my ldap proxy work. I have several proxies behind an F5 load balancer doing Layer 4 load balancing. They’re all running CentOS with minimum specs (1g of mem, 2 cpu, plenty of drive space).

When I try to ldapsearch against it I just get ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1). I don’t get a push notification. Appending a code also fails.

An odd thing I noticed is I was able to ldapsearch on the server against itself via and that returned something but it never prompted for 2fac.

Things I’ve verified:

  • telnet works between each point
  • firewalls are open between all
  • ad_client works because I have radius proxies working that leverage i
  • certificate is good and signed by our CA

Example Config:






Is there anything I’m missing? Someway I can try to auth against it and verify.


Hey HeyItsGilbert,

When you try your ldapsearch (that fails) does the Duo Authentication proxy log show any errors? Does the proxy even see the incoming request?

I’d also suggest testing plain LDAP connections (unsecured 389) just to verify the proxy is listening and responding at all.

You may find our instructions for enabling authentication proxy debug logging and our guide to interpreting log output useful.

Thanks for trying Duo!


Agreed on trying un-encrypted port 389. Is your F5 doing any SSL termination? Any chance you can try layer 7 just to see? I’m interested in what you find as I’ve toyed with this idea as well.


Here’s what I get when I run: ldapsearch -x -H ldap://duoproxy01.contoso.com:389 -b "dc=contoso,dc=com" -W -D "contoso\gsanchez" '(cn=gsanchez)' SamAccountName

# extended LDIF
# LDAPv3
# base <dc=contoso,dc=com> with scope subtree
# filter: (cn=gsanchez)
# requesting: SamAccountName

# search reference
ref: ldaps://ForestDnsZones.contoso.com/DC=ForestDnsZones,DC=contoso,D

# search reference
ref: ldaps://DomainDnsZones.contoso.com/DC=DomainDnsZones,DC=contoso,D

# search reference
ref: ldaps://contoso.com/CN=Configuration,DC=contoso,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 4
# numReferences: 3

The odd part is that I don’t get prompted for a duo push.


There’s no SSL termination although that would make things easier for us long term. At this point I’m just trying against a specific machine to remove the F5 from the equation. I’m running an older version of the app so I’m gonna go upgrade to see if that fixes the issue.


By default we exempt the first bind from Duo auth to support a service account binding to search for user who initiated the authentication attempt. If you check your authentication proxy’s logs you should se an event to that effect logged when you bound ldapsearch as contoso\gsanchez.

For your ldapsearch test you probably want to set exempt_primary_bind to false. Learn more about that option here.


Hi - did you ever figure out why non local connections were not working? I’m having a very similar issue at the moment.
I can run a test when connecting to the loopback on the proxy and the ip its listening on aswell (locally), but 2 other hosts on the same subnet cannot connect to the service. tcpdump locally to the proxy reveals packets coming in, but no resposes are being sent out from the proxy.

Kind Regards,