Nextcloud using auth proxy does not prompt for MFA

slyler
Level 1

Hi, I have an Auth Proxy set up and 2 of my applications work great.

My LDAP is jumpcloud.

When I configure Nextcloud to use the proxy as the LDAP backend, the uid/password get checked properly, but I do not get DUO PUSH notifications and I just get logged in without that.

The same accounts get MFA challenged when logging into the other 2 applications that use the proxy.

I have debug turned on and I see the LDAPBind request for the account in question but no messages like bypassing MFA for account X.

Help!
Thank you

Accepted Solution

DuoKristina
Cisco Employee

Do you see a message like Primary bind exempted from 2FA in the debug log for BOTH the LDAP binds as the service account AND then binds as the end user accounts? It might be that your application binds and searches as the service account for the user, disconnects, then binds again as the end user. (Scenario 24 in this article).

By default the Duo proxy skips MFA for the first bind in a connection (assuming that’s the service account, not the user).

To fix this you’d need to change the proxy config to always require MFA for the first bind in a connection, and then exempt the service account from MFA. You do that with a config like this…

[ldap_server_auto]
ikey=nnn
skey=nnn
api_host=nnn
client=ad_client
exempt_primary_bind=false
exempt_ou_1=CN=yourldaplookupaccount,OU=whateverthednis,DC=yourdomain,DC=whatever
Duo, not DUO.

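To make the two bind patterns in the reply above concrete, here is an added model (not Duo's code and not from the original thread) of the per-connection decision the Authentication Proxy makes: with the default `exempt_primary_bind=true`, the first bind on every connection skips 2FA; with `exempt_primary_bind=false` plus `exempt_ou_N`, only binds whose DN falls under a listed OU (or equals the listed account DN) skip it. The config fragments, the service-account DN `CN=svc-nextcloud,...`, the user DN and the exact DN-matching rule (case-insensitive suffix match) are constructed assumptions for the example; the two connection patterns are the ones the reply describes.

```python
"""Model of the Duo Authentication Proxy's 'first bind in a connection' 2FA
exemption, as described in the reply above. Illustration only: this is not
Duo's code, and the DN-matching rule below is an assumption."""
import configparser

# Constructed config fragments: the proxy default versus the suggested fix.
DEFAULT_CONFIG = """
[ldap_server_auto]
ikey=nnn
skey=nnn
api_host=nnn
client=ad_client
"""

FIXED_CONFIG = """
[ldap_server_auto]
ikey=nnn
skey=nnn
api_host=nnn
client=ad_client
exempt_primary_bind=false
exempt_ou_1=CN=svc-nextcloud,OU=Service Accounts,DC=example,DC=com
"""

# Constructed DNs (assumed names, not from the thread).
SERVICE_DN = "CN=svc-nextcloud,OU=Service Accounts,DC=example,DC=com"
USER_DN = "CN=alice,OU=Users,DC=example,DC=com"

# Pattern the reply suspects Nextcloud uses: service-account search on one
# connection, disconnect, then the user bind on a fresh connection.
NEXTCLOUD_PATTERN = [[SERVICE_DN], [USER_DN]]
# Pattern of an application that binds as the service account and then as the
# user on the SAME connection.
SAME_CONNECTION_PATTERN = [[SERVICE_DN, USER_DN]]


def load_policy(text):
    """Parse an [ldap_server_auto] fragment into (exempt_primary_bind, [exempt DNs]).
    exempt_primary_bind defaults to true, matching the proxy default in the reply."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp["ldap_server_auto"]
    exempt_primary = sec.getboolean("exempt_primary_bind", fallback=True)
    exempt_ous = [v for k, v in sec.items() if k.startswith("exempt_ou_")]
    return exempt_primary, exempt_ous


def _norm(dn):
    # Normalise a DN for comparison: lowercase, no whitespace around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_exempt(bind_dn, exempt_ous):
    """Assumption: a bind DN is exempt if it equals a listed DN or sits beneath
    a listed OU (suffix match on the normalised DN)."""
    dn = _norm(bind_dn)
    return any(dn == _norm(ou) or dn.endswith("," + _norm(ou)) for ou in exempt_ous)


def decide(policy, connections):
    """Label every bind as 'exempt-ou', 'exempt-primary' or 'mfa'.
    connections: list of connections, each a list of bind DNs in order."""
    exempt_primary, exempt_ous = policy
    results = []
    for conn in connections:
        for index, dn in enumerate(conn):
            if dn_exempt(dn, exempt_ous):
                results.append((dn, "exempt-ou"))
            elif index == 0 and exempt_primary:
                results.append((dn, "exempt-primary"))
            else:
                results.append((dn, "mfa"))
    return results


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("fixed", FIXED_CONFIG)):
        policy = load_policy(cfg)
        for name, pattern in (("nextcloud", NEXTCLOUD_PATTERN),
                              ("same-connection", SAME_CONNECTION_PATTERN)):
            print(label, name, decide(policy, pattern))
```

Running it shows the failure mode from the question: under the default policy the user bind in `NEXTCLOUD_PATTERN` is the first bind of its own connection, so it is labelled `exempt-primary` and never reaches Duo, while the same user on `SAME_CONNECTION_PATTERN` gets `mfa`. Under the fixed policy the service account is `exempt-ou` and the user bind is `mfa` in both patterns, which is the behaviour the accepted solution aims for.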

2 Replies

Thank you, that got me further along!
Now Nextcloud is prompting me every 5 minutes…
But I get a DUO challenge now

Thank you again
