LDAP Proxy Issue


#1

Hi All,

I have been using DUO (with the LDAP Proxy) with OpenVPN on pfSense for a long time. I have migrated to OpenVPN on OPNSense and I am now having an issue.

The VPN connects and the user authenticates, but I never get the DUO push notification. This is the proxy log from the service starting including the authentication requests:

2018-01-28 21:20:11+0000 [-] Log opened.
2018-01-28 21:20:11+0000 [-] AD Client Module Configuration:
2018-01-28 21:20:11+0000 [-] {'host': 'x.x.x.x',
'search_dn': 'CORRECT_SEARCH_DN',
'service_account_password': '',
'service_account_username': 'CORRECT_USER'}
2018-01-28 21:20:11+0000 [-] LDAP Automatic Factor Server Module Configuration:
2018-01-28 21:20:11+0000 [-] {'api_host': '',
'client': 'ad_client',
'ikey': '',
'skey': ''}
2018-01-28 21:20:11+0000 [-] SSL disabled. No server key and certificate configured.
2018-01-28 21:20:11+0000 [-] Duo Security Authentication Proxy 2.4.17 - Init Complete
2018-01-28 21:20:11+0000 [-] DuoAutoLdapServerFactory starting on 389
2018-01-28 21:20:11+0000 [-] Starting factory <duoauthproxy.modules.ldap_server_auto.DuoAutoLdapServerFactory instance at 0x021338A0>
2018-01-28 21:20:25+0000 [-] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02137830>
2018-01-28 21:20:25+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:7394] Exempt primary bind
2018-01-28 21:20:25+0000 [-] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021378D0>
2018-01-28 21:20:25+0000 [-] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02137830>
2018-01-28 21:20:25+0000 [-] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021378D0>
2018-01-28 21:20:37+0000 [-] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021373D0>
2018-01-28 21:20:37+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:20376] Exempt primary bind
2018-01-28 21:20:37+0000 [-] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021373D0>
2018-01-28 21:20:37+0000 [-] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021377B0>
2018-01-28 21:20:37+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:8384] Exempt primary bind
2018-01-28 21:20:37+0000 [-] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x021377B0>

I know that the VPN is using the proxy as if I stop it and attempt a look up from the firewall it fails.

If I enter incorrect user credentials the VPN errors. If I enter the correct credentials the user is validated and the VPN connects without DUO.

I have tried putting Exempt_primary_bind=false in the config and it doesn’t work at all.

If anyone could offer any pointers that would be great!

Thanks


#2

Just a quick update. I have just upgraded to 2.7.0 and this is the log now:

2018-01-28T21:38:31+0000 [-] DuoAutoLdapServerFactory starting on 389
2018-01-28T21:38:31+0000 [duoauthproxy.modules.ldap_server_auto.DuoAutoLdapServerFactory#info] Starting factory <duoauthproxy.modules.ldap_server_auto.DuoAutoLdapServerFactory instance at 0x024F78F0>
2018-01-28T21:38:31+0000 [-] AD Client Module Configuration:
2018-01-28T21:38:31+0000 [-] {'host': 'x.x.x.x',
'search_dn': 'OU=Users,OU=Home,DC=skynet,DC=local',
'service_account_password': '',
'service_account_username': 'vpn_service'}
2018-01-28T21:38:31+0000 [-] LDAP Automatic Factor Server Module Configuration:
2018-01-28T21:38:31+0000 [-] {'api_host': '',
'client': 'ad_client',
'ikey': '',
'skey': '[40]'}
2018-01-28T21:38:31+0000 [-] SSL disabled. No server key and certificate configured.
2018-01-28T21:38:31+0000 [-] Duo Security Authentication Proxy 2.7.0 - Init Complete
2018-01-28T21:38:55+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02504750>
2018-01-28T21:38:55+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:52171] Primary bind exempted from 2FA
2018-01-28T21:38:55+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02504750>
2018-01-28T21:38:55+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02504850>
2018-01-28T21:38:55+0000 [_ADServiceClientProtocol,client] [Request from x.x.x.x:57734] Primary bind exempted from 2FA
2018-01-28T21:38:55+0000 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Stopping factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x02504850>


#3

By default the Authentication Proxy doesn’t require 2FA for the first bind in a connection. This is to support systems that bind as a service account, search for the user account, and then bind as the user.

It looks like your system may connect and bind as the service account, then disconnects, then connects again to bind as the end user.

Please take a look at the exempt_primary_bind and exempt_ou_1 options on this page and try setting exempt_primary_bind=false and exempt_ou_1=the DN of the service account.

If this still doesn’t work, enable debug logging with debug=true to see exactly which accounts are binding, as the account making that initial bind isn’t enumerated if skipped without debug logging.


#4

Perfect! Thank you!

If anyone else is struggling with this, this solution works brilliantly. You do need to update your OPNSense LDAP connection to use the DN rather than the domain\user format or DUO fails to recognise it as the same user. I would say this is because OPNSense LDAP is a bit lax when it comes to DN vs domain\user format and not DUO.
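As an added illustration of the behaviour described in post #3 (the first bind on each LDAP connection is exempt from 2FA unless exempt_primary_bind=false, and exempt_ou_1 can whitelist the service account by DN) and of the DN-format caveat in post #4, here is a small simulation. It is a simplified model written for this thread, not the Duo Authentication Proxy's own code: the config keys are the ones that appear in the thread, but the hosts, keys and DNs are constructed placeholders, and the assumed matching rule for exempt_ou_1 (exact DN or a DN ending in the configured OU) is a guess about how the real proxy behaves.

```python
"""Simplified model of how an LDAP auth proxy decides whether a bind must pass 2FA.
Hypothetical reconstruction for illustration; not the Duo Authentication Proxy's code."""
import configparser
from dataclasses import dataclass
from typing import List

# Constructed authproxy.cfg fragment with the defaults from post #1.
# Host, keys and password are placeholders, not real values.
CFG_DEFAULT = """
[ad_client]
host=192.0.2.10
service_account_username=vpn_service
service_account_password=PASSWORD_PLACEHOLDER
search_dn=OU=Users,OU=Home,DC=skynet,DC=local

[ldap_server_auto]
ikey=IKEY_PLACEHOLDER
skey=SKEY_PLACEHOLDER
api_host=api-PLACEHOLDER.duosecurity.com
client=ad_client
"""

# Same file with the two settings suggested in post #3 appended to [ldap_server_auto].
CFG_FIXED = CFG_DEFAULT + """
exempt_primary_bind=false
exempt_ou_1=CN=vpn_service,OU=Users,OU=Home,DC=skynet,DC=local
"""


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators so DN comparisons are stable."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class Policy:
    exempt_primary_bind: bool
    exempt_dns: List[str]


def load_policy(cfg_text: str) -> Policy:
    """Read the exemption settings from the [ldap_server_auto] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    sec = cp["ldap_server_auto"]
    # Assumption: exempt_primary_bind defaults to true, as post #3 describes.
    exempt_primary = sec.getboolean("exempt_primary_bind", fallback=True)
    exempt_dns = [normalize_dn(v) for k, v in sec.items() if k.startswith("exempt_ou_")]
    return Policy(exempt_primary, exempt_dns)


class Connection:
    """One LDAP TCP connection from the VPN to the proxy; binds are counted per connection."""

    def __init__(self) -> None:
        self.binds = 0


def dn_is_exempt(bind_name: str, policy: Policy) -> bool:
    """Assumed rule: exempt when the bind name equals an exempt DN or lies under an exempt OU.
    A domain\\user style name never matches a DN, which is the failure noted in post #4."""
    n = normalize_dn(bind_name)
    return any(n == e or n.endswith("," + e) for e in policy.exempt_dns)


def bind_requires_2fa(conn: Connection, bind_name: str, policy: Policy) -> bool:
    """Decide whether this bind is sent on to the second factor."""
    first_bind = conn.binds == 0
    conn.binds += 1
    if policy.exempt_primary_bind and first_bind:
        return False          # first bind on this connection is skipped
    if dn_is_exempt(bind_name, policy):
        return False          # service account whitelisted by DN
    return True


def simulate(policy: Policy, service_bind_name: str, user_dn: str) -> List[bool]:
    """Replay the pattern from post #3: one connection binds the service account and
    disconnects, then a fresh connection binds the end user (bind counter starts at 0 again)."""
    results = []
    conn = Connection()
    results.append(bind_requires_2fa(conn, service_bind_name, policy))
    conn = Connection()
    results.append(bind_requires_2fa(conn, user_dn, policy))
    return results


SERVICE_DN = "CN=vpn_service,OU=Users,OU=Home,DC=skynet,DC=local"   # constructed
USER_DN = "CN=alice,OU=Users,OU=Home,DC=skynet,DC=local"             # constructed

if __name__ == "__main__":
    print("defaults, [service, user] challenged:", simulate(load_policy(CFG_DEFAULT), SERVICE_DN, USER_DN))
    print("fixed, service bound by DN:          ", simulate(load_policy(CFG_FIXED), SERVICE_DN, USER_DN))
    print("fixed, service bound as domain\\user: ", simulate(load_policy(CFG_FIXED), "skynet\\vpn_service", USER_DN))
```

With the defaults neither bind is challenged, which is the "VPN connects without DUO" symptom from post #1: the user bind is the first bind on its own connection. With exempt_primary_bind=false and the service account's DN in exempt_ou_1, only the user bind goes to the second factor. If the VPN still binds the service account as domain\user, the DN whitelist does not match it and the service-account bind itself would be challenged, which is why post #4 had to switch the OPNsense LDAP connection to DN format.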