Protecting applications that use LDAP


#1

We have a set of application services that directly use an LDAP directory
for username/password authentication. We would like to insert MFA into
this process… is the Duo Access Gateway the tool we would use? Even
though I’ve generally reviewed the DAG documentation, I find it hard to
understand how it can work, such that end-users see the authentication
prompt after entering their username and password.

  • Gary Chapman, NYU IT

#2

The Duo Access Gateway is used with applications that support SAML 2.0 logins. These are typically cloud-based services.

You can add Duo authentication to almost any service that uses LDAP authentication with our generic LDAP application. You’d install the Duo Authentication Proxy application on a local server, configure it to pass authentication requests to your LDAP directory, and then point the applications that use LDAP authentication to your new Duo proxy instead of directly to your LDAP directory server. When your users log into applications using the Duo proxy for authentication they’ll receive an automatic push or phone call as the second factor.

Full deployment instructions for Duo MFA for LDAP can be found here.


#3

Thanks. We have applications that do LDAP authentication, others that use Active Directory for authentication, and a couple of services (Cisco-based VPN and wireless) that use RADIUS.

Is it plausible to use the Duo authentication proxy for all three of these situations?

  • Gary

#4

Yes, all three are potentially possible.

For your applications that do LDAP authentication, you would point them to an Authentication proxy configured with Duo LDAP.

Applications that use AD may also be pointed to the Duo LDAP application on the Authentication Proxy. If this AD directory is not the same one that the LDAP applications use, you can specify multiple LDAP authentication sources in the proxy config, and then multiple [ldap_server_auto] sections to use the different auth sources (if you wanted to power everything from just one Duo server - you could also have multiple Duo proxy servers for your different directories).

And finally, you can run RADIUS and LDAP listeners simultaneously on the same Authentication Proxy server as long as there is no port overlap (which is unlikely if you follow the port conventions for those protocols). Here are instructions for Cisco SSL VPN using RADIUS.

You may want to also review the full Duo Authentication Proxy Reference to see all the options.
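As an added illustration of the layout described in this answer (not a configuration from the thread or from Duo's documentation), the fragment below shows one Authentication Proxy serving two directories and a RADIUS client at once: two primary-auth sources, an LDAP listener per source on distinct ports, and a RADIUS listener alongside them. Section and key names follow the Authentication Proxy reference linked above and should be checked against the current version of that reference; every hostname, DN, service-account name, shared secret and Duo integration value here is a placeholder.

```ini
; Constructed example authproxy.cfg (added example, not from the original thread
; or from Duo). All hosts, DNs, secrets and integration values are placeholders.

; --- Primary authentication source 1: the Active Directory domain ---
[ad_client]
host=dc1.ad.example.internal
host_2=dc2.ad.example.internal
service_account_username=svc-duo-proxy
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=ad,DC=example,DC=internal

; --- Primary authentication source 2: the separate LDAP directory ---
; ad_client sections are also used for non-AD LDAP directories;
; username_attribute names the attribute that holds the login name there.
[ad_client2]
host=ldap1.example.internal
service_account_username=cn=duo-proxy,ou=service,dc=example,dc=internal
service_account_password=PLACEHOLDER_PASSWORD
search_dn=ou=people,dc=example,dc=internal
username_attribute=uid

; --- LDAP listener for the AD-integrated applications ---
; Point those applications at this proxy on TCP 389 instead of the DC.
[ldap_server_auto]
ikey=PLACEHOLDER_INTEGRATION_KEY
skey=PLACEHOLDER_SECRET_KEY
api_host=api-PLACEHOLDER.duosecurity.com
client=ad_client
port=389
; "secure" rejects logins if Duo's cloud service is unreachable;
; "safe" would let primary-auth-only logins through in that case.
failmode=secure

; --- Second LDAP listener for the applications bound to the other directory ---
; Listeners on the same host must not share a port, so this one uses 3890.
[ldap_server_auto2]
ikey=PLACEHOLDER_INTEGRATION_KEY_2
skey=PLACEHOLDER_SECRET_KEY_2
api_host=api-PLACEHOLDER.duosecurity.com
client=ad_client2
port=3890
failmode=secure

; --- RADIUS listener for the Cisco VPN / wireless controllers ---
; RADIUS uses UDP 1812, so it does not collide with the LDAP listeners above.
[radius_server_auto]
ikey=PLACEHOLDER_INTEGRATION_KEY_3
skey=PLACEHOLDER_SECRET_KEY_3
api_host=api-PLACEHOLDER.duosecurity.com
client=ad_client
port=1812
radius_ip_1=10.0.0.10
radius_secret_1=PLACEHOLDER_RADIUS_SHARED_SECRET
failmode=secure
```

Each listener section's `client=` line is what ties it to a particular directory, so adding a third directory is a matter of another `[ad_client3]` and another listener bound to it. The `failmode` choice is the one setting worth deciding deliberately: `secure` keeps the second factor mandatory at the cost of availability when the Duo service cannot be reached, while `safe` trades the opposite way.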


#5

It should be noted that the LDAP Proxy is not a complete implementation. Various LDAP aware applications that work fine with Active Directory do not work with the proxy (such as ConnectWise).