LDAP with Linux DuoProxy not giving 2fa

HI all

Am hoping for a little advice

I have recently setup our DNS server which uses openLDAP to connect to our Debian DuoProxy server to authenticate against the AD

I have managed to get it to work but there is no 2fa Prompt(we are looking at making the DNS control panel accessible to the WEB and want to 2fa for added protection)

When i add exempt_ou_1=CN=duo_ldap,OU=users,DC=AD,DC=Webnetism,DC=com
exempt_primary_bind=false

it fails right away

if i then delete the above lines or change
exempt_primary_bind=true it log in fine.

my config is as follows

[ad_client]
host=192.168.0.0(my ldap ad server ip)
service_account_username=duo_ldap
service_account_password=***********
search_dn=DC=AD,DC=example,DC=com

[ldap_server_auto]
client=ad_client
ikey=*****************
skey=*****************
api_host=**********************
exempt_ou_1=CN=duo_ldap,OU=users,DC=AD,DC=example,DC=com
exempt_primary_bind=false
failmode=safe
port=389

any advice would be greatly appreciated.

Hello Chayne, welcome to our Duo Community!

I’m sorry to hear you’re having issues with the Duo prompt. Before making any changes, I would recommend that you enable debug logging and check the log output to see if that provides some answers.

One probable explanation is that your server can’t find your users because the proxy is defaulting to look for AD attributes. Specifying the username_attribute on the client to the openLDAP attribute that holds your Duo usernames would resolve this issue.

This community thread deals with a similar issue and will further clarify how to troubleshoot in this situation.

I hope this helps, let me know if you have any further questions.

Hi ldubravec

Many thanks for your assistance.
What i did in the end was to add security_group_dn under the ad_client part
along with the two exempt entries

and i had to enroll my mobiles with the help of the authproxy.log file
but now i am receiving Duo prompts for my ldap sign ins

thank you for your direction