Nextcloud using auth proxy does not prompt for MFA

Hi, I have an Auth proxy set up and 2 of my applications work great.

My LDAP is jumpcloud.

When I configure Nextcloud to use the proxy as the LDAP backend, the uid/password get checked properly, but I do not get Duo Push notifications and I just get logged in without that.

The same accounts get MFA challenged when logging into the other 2 applications that use the proxy.

I have debug turned on and I see the LDAPBind request for the account in question, but no messages like "bypassing MFA for account X".

Help!
Thank you

Do you see a message like Primary bind exempted from 2FA in the debug log for BOTH the LDAP binds as the service account AND then binds as the end user accounts? It might be that your application binds and searches as the service account for the user, disconnects, then binds again as the end user. (Scenario 24 in this article).

By default the Duo proxy skips MFA for the first bind in a connection (assuming that’s the service account, not the user).

To fix this you’d need to change the proxy config to always require MFA for the first bind in a connection, and then exempt the service account from MFA. You do that with a config like this…

[ldap_server_auto]
ikey=nnn
skey=nnn
api_host=nnn
client=ad_client
exempt_primary_bind=false
exempt_ou_1=CN=yourldaplookupaccount,OU=whateverthednis,DC=yourdomain,DC=whatever
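To make the bind-sequence reasoning in this answer concrete, here is an added Python model of the proxy's first-bind exemption (example code, not part of the thread or of Duo's own software). It assumes a simplified rule set: the first bind on a connection is skipped when `exempt_primary_bind` is true, and any bind DN matching an `exempt_ou_N` entry (exact DN or an OU suffix) is skipped; the config text, DNs and connection ids are constructed placeholders.

```python
import configparser

# Constructed config matching the post above (placeholder ikey/skey/host).
FIXED_CFG = """
[ldap_server_auto]
ikey=nnn
skey=nnn
api_host=nnn
client=ad_client
exempt_primary_bind=false
exempt_ou_1=CN=yourldaplookupaccount,OU=whateverthednis,DC=yourdomain,DC=whatever
"""

# Same section with the proxy's defaults (exempt_primary_bind defaults to true).
DEFAULT_CFG = "[ldap_server_auto]\nikey=nnn\nskey=nnn\napi_host=nnn\nclient=ad_client\n"

SERVICE_DN = "CN=yourldaplookupaccount,OU=whateverthednis,DC=yourdomain,DC=whatever"
USER_DN = "CN=alice,OU=users,DC=yourdomain,DC=whatever"

# Nextcloud-style pattern (scenario described in the answer): bind as the
# service account on one connection, disconnect, then bind as the user on a
# fresh connection. Connection ids are constructed labels.
NEXTCLOUD_BINDS = [("conn1", SERVICE_DN), ("conn2", USER_DN)]
# Single-connection pattern: service bind and user bind share a connection.
SINGLE_CONN_BINDS = [("conn1", SERVICE_DN), ("conn1", USER_DN)]


def load_policy(cfg_text):
    """Parse the [ldap_server_auto] section into (exempt_first_bind, exempt_dns)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    sec = cp["ldap_server_auto"]
    exempt_first = sec.getboolean("exempt_primary_bind", fallback=True)
    exempt_dns = {v.strip().lower() for k, v in sec.items() if k.startswith("exempt_ou_")}
    return exempt_first, exempt_dns


def mfa_required(bind_dn, conn_id, policy, seen_conns):
    """Decide whether this bind must pass MFA; seen_conns tracks connections already bound."""
    exempt_first, exempt_dns = policy
    first_in_conn = conn_id not in seen_conns
    seen_conns.add(conn_id)
    dn = bind_dn.lower()
    if any(dn == ex or dn.endswith("," + ex) for ex in exempt_dns):
        return False  # explicitly exempted service account / OU
    if exempt_first and first_in_conn:
        return False  # default behaviour: first bind on a connection skips MFA
    return True


def simulate(binds, cfg_text):
    """Return [(dn, mfa_required)] for a sequence of (conn_id, dn) binds."""
    policy, seen = load_policy(cfg_text), set()
    return [(dn, mfa_required(dn, cid, policy, seen)) for cid, dn in binds]
```

With the defaults, the user bind on the second connection is treated as a primary bind and skips MFA, which is the symptom reported; with the corrected config the service account is still exempt but the user bind is challenged.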

Thank you that got me further along!
Now Nextcloud is prompting me every 5 minutes…
But I get a DUO challenge now

Thank you again