Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7958
Views
1
Helpful
8
Replies

LDAP Proxy Issue

michaelsage
Level 1
Level 1

‎01-28-2018 01:25 PM

Hi All,

I have been using DUO (with the LDAP Proxy) with OpenVPN on pfSense for a long time. I have migrated to OpenVPN on OPNSense and I am now having an issue.

The VPN connects and the user authenticates, but I never get the DUO push notification. This is the proxy log from the service starting including the authentication requests:

2018-01-28 21:20:11+0000 Log opened.
2018-01-28 21:20:11+0000 AD Client Module Configuration:
2018-01-28 21:20:11+0000 {‘host’: ‘x.x.x.x’,
‘search_dn’: ‘CORRECT_SEARCH_DN’,
‘service_account_password’: ‘’,
‘service_account_username’: ‘CORRECT_USER’}
2018-01-28 21:20:11+0000 [-] LDAP Automatic Factor Server Module Configuration:
2018-01-28 21:20:11+0000 [-] {‘api_host’: '’,
‘client’: ‘ad_client’,
‘ikey’: ‘’,
‘skey’: '’}
2018-01-28 21:20:11+0000 SSL disabled. No server key and certificate configured.
2018-01-28 21:20:11+0000 Duo Security Authentication Proxy 2.4.17 - Init Complete
2018-01-28 21:20:11+0000 ■■■■■■■■■■■■■■■■■■■■tory starting on 389
2018-01-28 21:20:11+0000 Starting factory <duoauthproxy.modules.ldap_server_auto.■■■■■■■■■■■■■■■■■■■■tory instance at 0x021338A0>
2018-01-28 21:20:25+0000 Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02137830>
2018-01-28 21:20:25+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:7394] Exempt primary bind
2018-01-28 21:20:25+0000 Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021378D0>
2018-01-28 21:20:25+0000 Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02137830>
2018-01-28 21:20:25+0000 Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021378D0>
2018-01-28 21:20:37+0000 Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021373D0>
2018-01-28 21:20:37+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:20376] Exempt primary bind
2018-01-28 21:20:37+0000 Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021373D0>
2018-01-28 21:20:37+0000 Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021377B0>
2018-01-28 21:20:37+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:8384] Exempt primary bind
2018-01-28 21:20:37+0000 Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021377B0>

I know that the VPN is using the proxy as if I stop it and attempt a look up from the firewall it fails.

If I enter incorrect user credentials the VPN errors. If I enter the correct credentials the user is validated and the VPN connects without DUO.

I have tried putting Exempt_primary_bind=false in the config and it doesn’t work at all.

If anyone could offer any pointers that would be great!

Thanks

Labels:
0 Helpful
8 Replies 8

michaelsage
Level 1
Level 1

‎01-28-2018 01:40 PM

Just a quick update. I have just upgraded to 2.7.0 and this is the log now:

2018-01-28T21:38:31+0000 [-] DuoAutoLdapServerFactory starting on 389
2018-01-28T21:38:31+0000 [duoauthproxy.modules.ldap_server_auto.DuoAutoLdapServerFactory#info] Starting factory <duoauthproxy.modules.ldap_server_auto.DuoAutoLdapServerFactory instance at 0x024F78F0>
2018-01-28T21:38:31+0000 [-] AD Client Module Configuration:
2018-01-28T21:38:31+0000 [-] {‘host’: ‘x.x.x.x’,
‘search_dn’: ‘OU=Users,OU=Home,DC=skynet,DC=local’,
‘service_account_password’: ‘’,
‘service_account_username’: ‘vpn_service’}
2018-01-28T21:38:31+0000 [-] LDAP Automatic Factor Server Module Configuration:
2018-01-28T21:38:31+0000 [-] {‘api_host’: '’,
‘client’: ‘ad_client’,
‘ikey’: ‘’,
‘skey’: '[40]’}
2018-01-28T21:38:31+0000 [-] SSL disabled. No server key and certificate configured.
2018-01-28T21:38:31+0000 [-] Duo Security Authentication Proxy 2.7.0 - Init Complete
2018-01-28T21:38:55+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02504750>
2018-01-28T21:38:55+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:52171] Primary bind exempted from 2FA
2018-01-28T21:38:55+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02504750>
2018-01-28T21:38:55+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02504850>
2018-01-28T21:38:55+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:57734] Primary bind exempted from 2FA
2018-01-28T21:38:55+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02504850>

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to michaelsage

‎01-29-2018 10:59 AM

By default the Authentication Proxy doesn’t require 2FA for the first bind in a connection. This is to support systems that bind as a service account, search for the user account, and then bind as the user.

It looks like your system may connect and bind as the service account, then disconnects, then connects again to bind as the end user.

Please take a look at the exempt_primary_bind and exempt_ou_1 options on this page and try setting exempt_primary_bind=false and exempt_ou_1=the DN of the service account.

If this still doesn’t work, enable debug logging with debug=true to see exactly which accounts are binding, as the account making that initial bind isn’t enumerated if skipped without debug logging.

Duo, not DUO.
0 Helpful

michaelsage
Level 1
Level 1
In response to DuoKristina

‎01-29-2018 12:17 PM

Perfect! Thank you!

If anyone else is struggling with this, this solution works brilliantly. You do need to update your OPNSense LDAP connection to use the DN rather than the domain\user format or DUO fails to recognise it as the same user. I would say this is because OPNSense LDAP is a bit lax when it comes to DN vs domain\user format and not DUO.

Jody_Driggers
Level 1
Level 1

‎03-04-2018 06:30 AM

I am having the same issue. I put in the exempt_primary_bind and exempt_ou_1 and still get the same issue. When I try to log into the VPN I never get a DUO push and it looks like it’s never talking to my domain controller.

2018-03-01T22:10:23-0500 [-] ■■■■tory starting on 389
2018-03-01T22:10:23-0500 [duoauthproxy.modules.ldap_server_auto.■■■■tory#info] Starting factory <duoauthproxy.modules.ldap_server_auto.■■■■tory instance at 0x0264F8F0>
2018-03-01T22:10:23-0500 [-] Main Configuration:
2018-03-01T22:10:23-0500 [-] {‘debug’: ‘true’}
2018-03-01T22:10:23-0500 [-] AD Client Module Configuration:
2018-03-01T22:10:23-0500 [-] {‘debug’: ‘True’,
‘host’: ‘My DC’,
‘search_dn’: ‘My DN’,
‘service_account_password’: ‘Password’,
‘service_account_username’: ‘Correct service account’}
2018-03-01T22:10:23-0500 [-] LDAP Automatic Factor Server Module Configuration:
2018-03-01T22:10:23-0500 [-] {‘api_host’: ‘My api’,
‘client’: ‘ad_client’,
‘debug’: ‘True’,
‘exempt_ou_1’: ‘OU were service account is located’,
‘exempt_primary_bind’: ‘false’,
‘failmode’: ‘safe’,
‘ikey’: ‘My ikey’,
‘skey’: ‘My skey’}
2018-03-01T22:10:23-0500 [-] SSL disabled. No server key and certificate configured.
2018-03-01T22:10:23-0500 [-] Duo Security Authentication Proxy 2.5.4 - Init Complete

0 Helpful

Jody_Driggers
Level 1
Level 1

‎03-04-2018 06:33 AM

Here’s the config file.

[main]
debug=true

[ad_client]
host=my DC
service_account_username=service account
service_account_password=sa password
search_dn=DC

[ldap_server_auto]
ikey=ikey
skey=skey
api_host=api
exempt_primary_bind=false
exempt_ou_1=OU where service account is located
client=ad_client
failmode=safe

0 Helpful

michaelsage
Level 1
Level 1

‎03-04-2018 08:48 AM

Are you using OPNSense, as it was the config there that was an issue for me.

LDAP connection to use the DN rather than the domain\user format or DUO fails to recognise it as the same user.

This being the issue for me!

0 Helpful

Jody_Driggers
Level 1
Level 1

‎03-04-2018 06:35 PM

No I’m using this with a Fortinet firewall.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to Jody_Driggers

‎03-05-2018 12:31 PM

Hi Jody_Driggers,

From your log output it doesn’t appear that any incoming LDAP connection at all made it to your Duo proxy server. Were there any actual login events recorded? You should see an incoming request from the Fortigate, followed by primary cred verification to your domain controller.

Your authproxy.cfg syntax looks basically correct, but it’s hard to say for sure without seeing the actual option settings (DON’T paste them here). I notice your comment “OU where service account is located” for exempt_ou_1. If you did set that to the DN of an OU instead of the DN of a specific user, then any account in that OU bypasses 2FA. Are you perhaps testing with an account in the same OU as your service account? Can you try again, but specify the service account’s full DN instead?

Feel free to contact Duo Support for assistance troubleshooting this issue. They can go over your setup with you.

Duo, not DUO.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents