LDAP Proxy Issue


#1

Hi All,

I have been using DUO (with the LDAP Proxy) with OpenVPN on pfSense for a long time. I have migrated to OpenVPN on OPNSense and I am now having an issue.

The VPN connects and the user authenticates, but I never get the DUO push notification. This is the proxy log from the service starting, including the authentication requests:

2018-01-28 21:20:11+0000 [-] Log opened.
2018-01-28 21:20:11+0000 [-] AD Client Module Configuration:
2018-01-28 21:20:11+0000 [-] {'host': 'x.x.x.x',
'search_dn': 'CORRECT_SEARCH_DN',
'service_account_password': '',
'service_account_username': 'CORRECT_USER'}
2018-01-28 21:20:11+0000 [-] LDAP Automatic Factor Server Module Configuration:
2018-01-28 21:20:11+0000 [-] {'api_host': '',
'client': 'ad_client',
'ikey': '',
'skey': ''}
2018-01-28 21:20:11+0000 [-] SSL disabled. No server key and certificate configured.
2018-01-28 21:20:11+0000 [-] Duo Security Authentication Proxy 2.4.17 - Init Complete
2018-01-28 21:20:11+0000 [-] DuoAutoLdapServerFactory starting on 389
2018-01-28 21:20:11+0000 [-] Starting factory <duoauthproxy.modules.ldap_server_auto.DuoAutoLdapServerFactory instance at 0x021338A0>
2018-01-28 21:20:25+0000 [-] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02137830>
2018-01-28 21:20:25+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:7394] Exempt primary bind
2018-01-28 21:20:25+0000 [-] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021378D0>
2018-01-28 21:20:25+0000 [-] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02137830>
2018-01-28 21:20:25+0000 [-] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021378D0>
2018-01-28 21:20:37+0000 [-] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021373D0>
2018-01-28 21:20:37+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:20376] Exempt primary bind
2018-01-28 21:20:37+0000 [-] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021373D0>
2018-01-28 21:20:37+0000 [-] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021377B0>
2018-01-28 21:20:37+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:8384] Exempt primary bind
2018-01-28 21:20:37+0000 [-] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021377B0>

I know that the VPN is using the proxy as if I stop it and attempt a look up from the firewall it fails.

If I enter incorrect user credentials the VPN errors. If I enter the correct credentials the user is validated and the VPN connects without DUO.

I have tried putting Exempt_primary_bind=false in the config and it doesn’t work at all.

If anyone could offer any pointers that would be great!

Thanks


#2

Just a quick update. I have just upgraded to 2.7.0 and this is the log now:

2018-01-28T21:38:31+0000 [-] DuoAutoLdapServerFactory starting on 389
2018-01-28T21:38:31+0000 [duoauthproxy.modules.ldap_server_auto.DuoAutoLdapServerFactory#info] Starting factory <duoauthproxy.modules.ldap_server_auto.DuoAutoLdapServerFactory instance at 0x024F78F0>
2018-01-28T21:38:31+0000 [-] AD Client Module Configuration:
2018-01-28T21:38:31+0000 [-] {'host': 'x.x.x.x',
'search_dn': 'OU=Users,OU=Home,DC=skynet,DC=local',
'service_account_password': '',
'service_account_username': 'vpn_service'}
2018-01-28T21:38:31+0000 [-] LDAP Automatic Factor Server Module Configuration:
2018-01-28T21:38:31+0000 [-] {'api_host': '',
'client': 'ad_client',
'ikey': '',
'skey': ''}
2018-01-28T21:38:31+0000 [-] SSL disabled. No server key and certificate configured.
2018-01-28T21:38:31+0000 [-] Duo Security Authentication Proxy 2.7.0 - Init Complete
2018-01-28T21:38:55+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02504750>
2018-01-28T21:38:55+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:52171] Primary bind exempted from 2FA
2018-01-28T21:38:55+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02504750>
2018-01-28T21:38:55+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02504850>
2018-01-28T21:38:55+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:57734] Primary bind exempted from 2FA
2018-01-28T21:38:55+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02504850>


#3

By default the Authentication Proxy doesn’t require 2FA for the first bind in a connection. This is to support systems that bind as a service account, search for the user account, and then bind as the user.

It looks like your system may connect and bind as the service account, then disconnects, then connects again to bind as the end user.

Please take a look at the exempt_primary_bind and exempt_ou_1 options on this page and try setting exempt_primary_bind=false and exempt_ou_1=the DN of the service account.

If this still doesn’t work, enable debug logging with debug=true to see exactly which accounts are binding, as the account making that initial bind isn’t enumerated if skipped without debug logging.


#4

Perfect! Thank you!

If anyone else is struggling with this, this solution works brilliantly. You do need to update your OPNSense LDAP connection to use the DN rather than the domain\user format or DUO fails to recognise it as the same user. I would say this is because OPNSense LDAP is a bit lax when it comes to DN vs domain\user format and not DUO.


#5

I am having the same issue. I put in the exempt_primary_bind and exempt_ou_1 and still get the same issue. When I try to log into the VPN I never get a DUO push and it looks like it’s never talking to my domain controller.

2018-03-01T22:10:23-0500 [-] DuoAutoLdapServerFactory starting on 389
2018-03-01T22:10:23-0500 [duoauthproxy.modules.ldap_server_auto.DuoAutoLdapServerFactory#info] Starting factory <duoauthproxy.modules.ldap_server_auto.DuoAutoLdapServerFactory instance at 0x0264F8F0>
2018-03-01T22:10:23-0500 [-] Main Configuration:
2018-03-01T22:10:23-0500 [-] {'debug': 'true'}
2018-03-01T22:10:23-0500 [-] AD Client Module Configuration:
2018-03-01T22:10:23-0500 [-] {'debug': 'True',
'host': 'My DC',
'search_dn': 'My DN',
'service_account_password': 'Password',
'service_account_username': 'Correct service account'}
2018-03-01T22:10:23-0500 [-] LDAP Automatic Factor Server Module Configuration:
2018-03-01T22:10:23-0500 [-] {'api_host': 'My api',
'client': 'ad_client',
'debug': 'True',
'exempt_ou_1': 'OU where service account is located',
'exempt_primary_bind': 'false',
'failmode': 'safe',
'ikey': 'My ikey',
'skey': 'My skey'}
2018-03-01T22:10:23-0500 [-] SSL disabled. No server key and certificate configured.
2018-03-01T22:10:23-0500 [-] Duo Security Authentication Proxy 2.5.4 - Init Complete


#6

Here’s the config file.

[main]
debug=true

[ad_client]
host=my DC
service_account_username=service account
service_account_password=sa password
search_dn=DC

[ldap_server_auto]
ikey=ikey
skey=skey
api_host=api
exempt_primary_bind=false
exempt_ou_1=OU where service account is located
client=ad_client
failmode=safe


#7

Are you using OPNSense? It was the config there that was the issue for me.

The LDAP connection needs to use the DN rather than the domain\user format, or DUO fails to recognise it as the same user.

This being the issue for me!


#8

No, I'm using this with a Fortinet firewall.


#9

Hi Jody_Driggers,

From your log output it doesn’t appear that any incoming LDAP connection at all made it to your Duo proxy server. Were there any actual login events recorded? You should see an incoming request from the Fortigate, followed by primary cred verification to your domain controller.

Your authproxy.cfg syntax looks basically correct, but it’s hard to say for sure without seeing the actual option settings (DON’T paste them here). I notice your comment “OU where service account is located” for exempt_ou_1. If you did set that to the DN of an OU instead of the DN of a specific user, then any account in that OU bypasses 2FA. Are you perhaps testing with an account in the same OU as your service account? Can you try again, but specify the service account’s full DN instead?

Feel free to contact Duo Support for assistance troubleshooting this issue. They can go over your setup with you.
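The exemption behaviour described in #3 and the OU-versus-user-DN pitfall raised in #9 can be modelled and linted in a few lines. This is an added example, not Duo's code: the sample cfg text, the DNs and the matching rule (a bind is exempt if its DN equals an exempt_ou_N value or sits inside that OU) are assumptions.

```python
"""Model of the Duo Authentication Proxy LDAP bind-exemption decision (added example,
not Duo's code). exempt_primary_bind and exempt_ou_N semantics follow the thread;
the DN-matching rule (exact DN, or a DN inside an exempt OU) is an assumption."""
import configparser

# Constructed sample authproxy.cfg fragment mirroring the thread's layout (placeholders only).
SAMPLE_CFG = """
[ldap_server_auto]
ikey=placeholder_ikey
skey=placeholder_skey
api_host=placeholder_api_host
client=ad_client
failmode=safe
exempt_primary_bind=false
exempt_ou_1=OU=Service Accounts,DC=example,DC=local
"""


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around its components for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def load_exemptions(cfg_text):
    """Return (exempt_primary_bind, [normalised exempt_ou_N DNs]) from a cfg string."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    sec = cp["ldap_server_auto"]
    exempt_primary = sec.getboolean("exempt_primary_bind", fallback=True)  # proxy default per #3
    exempt_ous = [normalize_dn(v) for k, v in sec.items() if k.startswith("exempt_ou_")]
    return exempt_primary, exempt_ous


def lint_exemptions(exempt_ous):
    """Flag exemptions naming a whole container (OU=/DC=) rather than one account (CN=), the #9 risk."""
    return [dn for dn in exempt_ous if not dn.startswith("cn=")]


def bind_requires_2fa(bind_name, is_first_bind, exempt_primary, exempt_ous):
    """Decide whether a bind must complete Duo 2FA under the configured exemptions."""
    if is_first_bind and exempt_primary:
        return False  # default behaviour from #3: first bind in a connection is exempt
    if not bind_name.lower().startswith(("cn=", "uid=")):
        return True  # domain\\user form cannot match a DN-based exemption (the #4 pitfall)
    dn = normalize_dn(bind_name)
    return not any(dn == ou or dn.endswith("," + ou) for ou in exempt_ous)


if __name__ == "__main__":
    primary, ous = load_exemptions(SAMPLE_CFG)
    print("container-wide exemptions:", lint_exemptions(ous))
    print(bind_requires_2fa("CN=alice,OU=Service Accounts,DC=example,DC=local", False, primary, ous))
```

Running the lint against a real authproxy.cfg before deployment catches the case #9 warns about: an exempt_ou_1 that points at an OU silently exempts every account in it, so the value should be the service account's full CN= DN.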