Nextcloud, LDAP, Duo Integration - Help


#1

I have been battling nextcloud/duo for the past two weeks and am feeling beyond hopeless at this point. My bosses have given me a series of requirements: Get Nextcloud installed into our network, and integrate Duo onto it. We have individuals we occasionally contract out into SCIFs so Duo needs to play with the hardware tokens as an option for those that can’t push to their phone for 2FA.

Some people may suggest using another platform in either department. My company is insisting on needing Nextcloud. It is a solution for large data transfers (too large for email) between our contracting companies that doesn't require them needing accounts into our network. Duo is something we are too far invested into at this point to just start buying some other company's hardware tokens or to just swap 2FA providers. My company chose to go with them to meet 2FA for NIST reasons prior to me being employed and has it integrated in nearly everything at this point as well as purchasing their hardware tokens…

My current setup is the Duo LDAPS Proxy which is working great except for 1 small factor. I log into Nextcloud with my Active Directory (AD) account which is configured to push to my Duo LDAP proxy. The proxy authenticates to the Active Directory and, if accepted, pushes to Duo for an auto-push or hardware token acceptance if the password had the delimiter. When the user accepts (or if the hardware token is correct) Duo accepts and sends back to the proxy which sends back to Nextcloud.

This is all functioning correctly. The 1 small factor is that after I log in, it apparently periodically re-requests authorization. So I will be working within Nextcloud and all of a sudden get a prompt for Duo from the LDAP proxy. It will not load the file/page until I accept. This leads me to believe that Nextcloud is resending authorization packets periodically which triggers the whole authentication process again, and since the user has no option to add a delimiter on the auto authentication, it auto-pushes to the phone, which is an issue for SCIF people. They can't re-authenticate and therefore will be kicked off.

Is there any way of configuring Duo to not push when Nextcloud sends the LDAP re-authorization until the user logs off or for XX minutes? I see that it can be done for web browsers if Duo played with Nextcloud (which I can't get to work, hence the LDAP proxy route). Or is there a way to use the LDAP proxy for initial login and the actual AD for re-authentication requests?

(This is a cross post from Nextcloud community – https://help.nextcloud.com/t/nextcloud-ldap-and-duo-help/30358)


#2

There is no timeout or maxtime you can specify in Duo for the lifetime of an LDAP authentication via the proxy. The Duo authentication proxy server simply reacts to whatever request it receives from the authenticating application (Nextcloud).

Do you know what kind of LDAP operation Nextcloud is doing when it is reauthenticating? Is it trying to do an LDAP search (like, the user has done something in Nextcloud that may require a privilege check so it requests the user’s LDAP group memberships)? Or, is it that Nextcloud reaches some session timeout and requires authentication for the user to continue working?

For the former scenario, the allow_searches_after_bind option may help you. See Duo Authentication Proxy Reference | Duo Security for more about this option.

Also, it looks like Nextcloud supports SAML SSO. You can deploy an SSO solution with Duo (like our own Duo Access Gateway or AD FS with the Duo MFA plugin) and point Nextcloud to that. Duo’s Remembered Devices policy setting works with the Duo browser-prompt, so you can specify a period where additional MFA prompts aren’t required.
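
As an added illustration of the option mentioned above (this is example configuration written for this thread, not taken from the original posts or from Duo's documentation), here is a minimal authproxy.cfg for the "Nextcloud -> Duo Authentication Proxy -> Active Directory" arrangement the poster describes. Every hostname, DN, key, path and account name is a placeholder; the only line that bears on the re-prompt problem is allow_searches_after_bind, whose intended effect is described in the comment:

```ini
; Added example, not from the thread or Duo's own docs.
; All values below are placeholders to be replaced.

[ad_client]
host=dc1.example.internal
service_account_username=duo-svc
service_account_password=REPLACE_ME
search_dn=DC=example,DC=internal

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
ssl_port=636
ssl_key_path=/etc/duoauthproxy/proxy.key
ssl_cert_path=/etc/duoauthproxy/proxy.crt

; Once a user's bind has already passed Duo, allow the application to
; run LDAP search operations (for example group-membership lookups) on
; that connection instead of treating each search as a fresh primary
; authentication. This only helps if the extra prompts are caused by
; searches; a new bind after an application session timeout is still
; a new authentication and will still prompt.
allow_searches_after_bind=true
```

Before relying on it, confirm which operation is actually arriving: reproduce one of the unexpected prompts while watching the Authentication Proxy's log, and note whether the request logged at that moment is a bind or a search. If it is a bind, the setting above will not change anything and the SSO route suggested in the reply is the remaining option.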


#3

Thanks for your help!

The actions that trigger the reauthentication prompts have varied. I've been in admin sessions changing themes, testing the folders/data access, browsing through apps. I haven't been able to pinpoint the exact reason but after some research I believe it's related to PHP normal functions. I tried playing with the cache settings on Nextcloud but didn't notice a difference. I've also tested that search-after-bind setting as well as the other setting right under it, no difference there either. I think it's a bit of a mix between rights assessment and timeouts because I've gotten as many as 5 prompts back to back.

I saw Nextcloud supported single sign-on and didn't realize Duo provided a gateway for it! This might be my solution! I'm going to look into that route. Thank you!