LDAP with Linux DuoProxy not giving 2fa

Chayne
Level 1

Hi all,

I am hoping for a little advice.

I have recently set up our DNS server, which uses OpenLDAP to connect to our Debian DuoProxy server to authenticate against the AD.

I have managed to get it to work, but there is no 2FA prompt (we are looking at making the DNS control panel accessible to the web and want 2FA for added protection).

When I add

exempt_ou_1=CN=duo_ldap,OU=users,DC=AD,DC=Webnetism,DC=com
exempt_primary_bind=false

it fails right away.

If I then delete the above lines or change to exempt_primary_bind=true, it logs in fine.

My config is as follows:

[ad_client]
; my LDAP AD server IP
host=192.168.0.0
service_account_username=duo_ldap
service_account_password=***********
search_dn=DC=AD,DC=example,DC=com

[ldap_server_auto]
client=ad_client
ikey=*****************
skey=*****************
api_host=**********************
exempt_ou_1=CN=duo_ldap,OU=users,DC=AD,DC=example,DC=com
exempt_primary_bind=false
failmode=safe
port=389

Any advice would be greatly appreciated.


ldubravec
Level 1

Hello Chayne, welcome to our Duo Community!

I’m sorry to hear you’re having issues with the Duo prompt. Before making any changes, I would recommend that you enable debug logging and check the log output to see if that provides some answers.

One probable explanation is that your server can’t find your users because the proxy is defaulting to look for AD attributes. Specifying the username_attribute on the client to the openLDAP attribute that holds your Duo usernames would resolve this issue.

This community thread deals with a similar issue and will further clarify how to troubleshoot in this situation.

I hope this helps, let me know if you have any further questions.

Chayne
Level 1

Hi ldubravec,

Many thanks for your assistance.
What I did in the end was to add security_group_dn under the ad_client part,
along with the two exempt entries,

and I had to enroll my mobiles with the help of the authproxy.log file,
but now I am receiving Duo prompts for my LDAP sign-ins.

Thank you for your direction.
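
An added example, not part of the original thread and not Duo's own tooling: a small Python audit of the [ldap_server_auto] settings discussed above, listing which LDAP binds will skip the Duo prompt. The sample config is constructed from the one posted in the question (secrets replaced with placeholders), the function name and finding labels are hypothetical, and the defaults noted in the comments are the ones given in Duo's Authentication Proxy documentation.

```python
import configparser

# Constructed sample based on the config posted in this thread (secrets replaced).
SAMPLE_CFG = """
[ad_client]
host=192.168.0.0
service_account_username=duo_ldap
service_account_password=PLACEHOLDER
search_dn=DC=AD,DC=example,DC=com

[ldap_server_auto]
client=ad_client
ikey=PLACEHOLDER
skey=PLACEHOLDER
api_host=PLACEHOLDER
exempt_ou_1=CN=duo_ldap,OU=users,DC=AD,DC=example,DC=com
exempt_primary_bind=false
failmode=safe
port=389
"""

def audit_2fa_paths(cfg_text):
    """Return (section, finding) pairs for binds that skip or lose the Duo prompt."""
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cfg.read_string(cfg_text)
    findings = []
    for name in cfg.sections():
        if not name.startswith("ldap_server_auto"):
            continue
        sec = cfg[name]
        exempt = [v for k, v in sec.items() if k.startswith("exempt_ou_")]
        # Documented default is true: the first bind on each connection skips 2FA.
        if sec.get("exempt_primary_bind", "true").strip().lower() == "true":
            findings.append((name, "primary-bind-exempt"))
        elif not exempt:
            # Every bind is challenged, including the application's own lookup bind.
            findings.append((name, "no-exempt-service-dn"))
        for dn in exempt:
            findings.append((name, "exempt-dn:" + dn))
        # Documented default is safe: logins are allowed if Duo is unreachable.
        if sec.get("failmode", "safe").strip().lower() == "safe":
            findings.append((name, "fail-open"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_2fa_paths(SAMPLE_CFG):
        print(section, finding)
```
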
