LDAP Proxy with FireMon


#1

Hello.

I just implemented a tool called FireMon.

I am able to connect to LDAP by inputting the DUO server. I matched the keys to the LDAP application within DUO and am fairly sure that the policies of DUO are correct and the users I’m testing are valid, enrolled users. We use the same LDAP Proxy application from DUO and it works with other applications. FireMon is accepting the authentication but DUO is not prompting for 2FA.

FireMon has little information for DUO+LDAP Proxies. Does anyone have any experience with FireMon and setting up 2FA for it or know if it will work?

Thanks.


#2
  1. Enable debug logging on your Duo proxy and then recreate the issue

  2. Examine the order of LDAP binds in the debug output. Does FireMon bind as a service account, disconnect, and then bind again as the user logging in? If so, please take a look at the exempt_primary_bind and exempt_ou options documented here.

    The default behavior is to exempt the initial bind request in a connection from 2FA (or else someone would need to approve 2FA for every bind+search the service account does as a precursor to user login).

    If FireMon does a new connect+bind when switching from the service account to the user, then you’d change exempt_primary_bind to false, and specify your LDAP lookup account DN as exempt_ou.

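The two authproxy.cfg variants described in the reply above, written out as an added example (not configuration from the original thread or from Duo's documentation). Host names, keys, DNs and the service account name are placeholders. With the default settings, FireMon's second connection (the user bind) is the first bind on its own connection, so the proxy treats it as the primary bind and skips 2FA; with exempt_primary_bind=false plus exempt_ou naming the lookup account, only that account's binds are exempted and the user bind gets the Duo prompt.

```ini
; --- Before: defaults (assumed section names; substitute your own values) ---
; Every first bind on a connection is exempt from 2FA. Because FireMon opens a
; fresh connection for the end-user bind, that bind is also "primary" and is
; passed through without a Duo prompt.
[ad_client]
host=dc1.example.com
service_account_username=svc-duo
service_account_password=REPLACE_ME
search_dn=DC=example,DC=com

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
port=389
failmode=safe
; exempt_primary_bind defaults to true when omitted

; --- After: exempt only the FireMon lookup account, prompt everyone else ---
; exempt_primary_bind=false makes the proxy evaluate every bind, including the
; first one on a connection. exempt_ou lists the DN of the service account
; FireMon uses for its directory lookups, so those binds still pass without 2FA
; while end-user binds on a separate connection are challenged.
[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
port=389
failmode=safe
exempt_primary_bind=false
exempt_ou=CN=svc-firemon,OU=Service Accounts,DC=example,DC=com
```

Check the result the same way the reply suggests: with debug logging on, the proxy log should show the svc-firemon bind passing through as exempt and the subsequent user bind triggering a Duo authentication. If FireMon uses more than one lookup account, exempt_ou can instead be set to the OU containing them (or additional exempt_ou_1, exempt_ou_2 entries added); keep that OU limited to non-interactive service accounts, since anything matched by it bypasses 2FA entirely.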

#3

That worked! Had to set exempt_primary_bind to false and set the exempt_ou. Thanks.