06-24-2021 09:40 AM
I’m trying to get the security_group_dn portion of the auth proxy working, but as soon as I add it, my test user stops working. My AD configuration is very simple, but I’ve also tried adding an OU with a group under it and that does not work either. I’m connecting/testing via a SonicWall TZ.
Here is what I use:
Security Group under the Users OU called “VPNUsers”
search_dn=DC=mydomain,DC=local
I’ve tried all of the following:
security_group_dn=CN=VPNUsers,OU=Users,DC=mydomain,DC=local
security_group_dn=CN=VPNUsers,OU=Groups,DC=mydomain,DC=local - per the example, but assumed groups was not needed
security_group_dn=CN=VPNUsers,DC=mydomain,DC=local
I then created a “Security Groups” OU and a group under that called “VPN Users” and tried the below.
security_group_dn="CN=VPN Users,OU=Security Groups,DC=mydomain,DC=local"
If I remove the security_group_dn line, auth happens perfectly, I get the push etc.
06-24-2021 11:05 AM
The DN you specify for the value of security_group_dn should be the actual DN of the group whose members you want to permit access, whatever it actually is. If the VPNUsers group was not in a Groups OU, you would not add OU=Groups to the group’s DN.
security_group_dn=CN=VPNUsers,OU=Users,DC=mydomain,DC=local = the VPNUsers group is in the default Users container at the root of the domain.
security_group_dn=CN=VPNUsers,OU=Groups,DC=mydomain,DC=local = the VPNUsers group is in a Groups OU at the root of the domain.
security_group_dn=CN=VPNUsers,DC=mydomain,DC=local = the VPNUsers group is at the root of the domain, not within a named OU or container.
Is your test user a direct member of the VPNUsers or VPN Users group (whichever group DN you specified)? Take a look at the authentication proxy log to see what is happening, enabling debug logging and trying to auth as the test user again for even more information.
06-24-2021 11:18 AM
This is what debug tells me. Basically says it can’t find it. I’m looking right at it in AD Users and Computers, even copy/pasted to make sure I wasn’t typing it incorrectly etc.
2021-06-24T14:13:43.803579-0400 [_ADAuthClientProtocol (TLSMemoryBIOProtocol),client] C->S LDAPMessage(id=3, value=LDAPSearchRequest(baseObject='CN=VPNUsers,OU=Users,DC=mydomain,DC=local', scope=0, derefAliases=0, sizeLimit=1, timeLimit=0, typesOnly=0, filter=LDAPFilter_present(value='objectClass'), attributes=('objectsid',)), controls=None)
2021-06-24T14:13:43.819178-0400 [_ADAuthClientProtocol (TLSMemoryBIOProtocol),client] C<-S LDAPMessage(id=3, value=LDAPSearchResultDone(resultCode=32, matchedDN='DC=mydomain,DC=local', errorMessage="0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=mydomain,DC=local'\n\x00"), controls=None)
2021-06-24T14:13:43.819178-0400 [duoauthproxy.lib.log#info] Tried to search security group DN for object sid but it could not be found. Falling back to just checking memberOf. Error: CN=VPNUsers,OU=Users,DC=mydomain,DC=local could not be found
06-24-2021 12:00 PM
So I did get this working, but not how I really want it to.
Everywhere I looked when I searched, any time the OU or CN etc. had a space, the config file had the string in quotes. I removed the quotes, as in the line below, and now it’s working. I remove the user from the group, auth fails. I add the user to the group, auth succeeds.
security_group_dn=CN=VPN Users,OU=Security Groups,DC=mydomain,DC=local
06-24-2021 12:04 PM
So I did get this working
Good! Yes, no quotes needed in the DN; if your log output had reflected this I could have called that out.
but not how I really want it to…
I remove user from the group, auth fails. I add user to group, auth success.
This is exactly what it is supposed to do.
06-24-2021 12:06 PM
Yeah, this is what I want it to do. I just wanted to not have to use a separate OU with a security group under it. For some reason, it will not validate group membership if the group is under the Built-In Users OU. I tried everything including copying the DN directly from the ldp program on my domain controller.
06-24-2021 12:56 PM
it will not validate group membership if the group is under the Built-In Users OU
This isn’t expected and I just verified that it works (I created the group group in the Users container).
2021-06-24T19:53:42.757778+0000 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=6, value=LDAPSearchRequest(baseObject='CN=group,CN=Users,DC=acme,DC=local', scope=0, derefAliases=0, sizeLimit=1, timeLimit=0, typesOnly=0, filter=LDAPFilter_present(value='objectClass'), attributes=('objectsid',)), controls=None)
2021-06-24T19:53:42.757778+0000 [duoauthproxy.lib.log#info] Got signature length 60
2021-06-24T19:53:42.757778+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=6, value=L■■■■■■■■■■■■■■■■■■■■(objectName='CN=group,CN=Users,DC=acme,DC=local', attributes=[('objectSid', [b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00]A\x92\xe7\xda^\x8f\x963cd:w\xb6\x00\x00'])]), controls=None)
2021-06-24T19:53:42.757778+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=6, value=LDAPSearchResultDone(resultCode=0), controls=None)
06-24-2021 12:58 PM
When I did that with CN=VPNUsers,CN=Users it was allowing auth no matter if they were in the VPNUsers group or not. I assume it’s matching on Users.
06-24-2021 01:07 PM
Hmm, I would suggest you look at your config again because it works as I expect when I try a user not in the group and the group located in the built-in Users container.
I took myself (kristina) out of my group group and am denied as expected (no search result when it tries to match on memberof).
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=11, value=LDAPSearchRequest(baseObject='CN=group,CN=Users,DC=acme,DC=corp', scope=0, derefAliases=0, sizeLimit=1, timeLimit=0, typesOnly=0, filter=LDAPFilter_present(value='objectClass'), attributes=('objectsid',)), controls=None)
2021-06-24T19:58:49.038006+0000 [duoauthproxy.lib.log#info] Got signature length 60
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=11, value=L■■■■■■■■■■■■■■■■■■■■(objectName='CN=group,CN=Users,DC=acme,DC=corp', attributes=[('objectSid', [b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00]A\x92\xe7\xda^\x8f\x963cd:w\xb6\x00\x00'])]), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=11, value=LDAPSearchResultDone(resultCode=0), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C->S LDAPMessage(id=12, value=LDAPSearchRequest(baseObject='dc=acme,dc=corp', scope=2, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_or(value=[LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='sAMAccountName'), assertionValue=LDAPAssertionValue(value='kristina'))]), LDAPFilter_or(value=[LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='memberof'), assertionValue=LDAPAssertionValue(value='CN=group,CN=Users,DC=acme,DC=corp')), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='primarygroupid'), assertionValue=LDAPAssertionValue(value='46711'))]), LDAPFilter_or(value=[LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='user')), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='objectCategory'), assertionValue=LDAPAssertionValue(value='person'))]), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='inetOrgPerson')), LDAPFilter_equalityMatch(attributeDesc=L■■■■■■■■■■■■■■■■■■■■ion(value='objectClass'), assertionValue=LDAPAssertionValue(value='organizationalPerson'))])]), attributes=('msds-PrincipalName',)), controls=None)
2021-06-24T19:58:49.038006+0000 [duoauthproxy.lib.log#info] Got signature length 60
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=12, value=L■■■■■■■■■■■■■■■■■■■■ence(uris=[LDAPString(value='ldap://ForestDnsZones.acme.corp/DC=ForestDnsZones,DC=acme,DC=corp')]), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=12, value=L■■■■■■■■■■■■■■■■■■■■ence(uris=[LDAPString(value='ldap://DomainDnsZones.acme.corp/DC=DomainDnsZones,DC=acme,DC=corp')]), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=12, value=L■■■■■■■■■■■■■■■■■■■■ence(uris=[LDAPString(value='ldap://acme.corp/CN=Configuration,DC=acme,DC=corp')]), controls=None)
2021-06-24T19:58:49.038006+0000 [_ADAuthClientProtocol,client] C<-S LDAPMessage(id=12, value=LDAPSearchResultDone(resultCode=0), controls=None)
2021-06-24T19:58:49.038006+0000 [duoauthproxy.lib.log#error] Could not find user with username: kristina. It's possible this user does not exist or did not match your configured security filters.
Also might be worth pointing out that the group DN in the example log output you shared isn’t valid:
value=LDAPSearchRequest(baseObject='CN=VPNUsers,OU=Users,DC=mydomain,DC=local',
It should have been CN=Users and not OU=Users if this is intended to be the AD built-in Users container.
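The debug output above shows what the proxy does with security_group_dn: a base-scope lookup of the group's objectSid, then a user search whose filter accepts either memberOf=<group DN> or primaryGroupID=<the group's RID>. The following is an added illustration, not Duo's code: it decodes the objectSid bytes quoted in the log, derives the RID (46711) and rebuilds the equivalent filter, plus a small config check for the two mistakes discussed in this thread (quotes around the DN, and OU=Users where the built-in container is CN=Users). The filter layout is reconstructed from the log; the check function and its messages are my own.

```python
import struct

# Constructed input: the objectSid bytes for CN=group,CN=Users as printed in the log above.
GROUP_SID_BYTES = (b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00'
                   b']A\x92\xe7\xda^\x8f\x963cd:w\xb6\x00\x00')


def sid_to_string(raw: bytes) -> str:
    """Decode a binary AD objectSid (revision, count, 48-bit authority, little-endian sub-authorities)."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid_from_sid(raw: bytes) -> int:
    """The RID is the last sub-authority; AD stores it in the user's primaryGroupID attribute."""
    return int(sid_to_string(raw).rsplit("-", 1)[1])


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def membership_filter(username: str, group_dn: str, group_sid: bytes) -> str:
    """Same shape as the proxy's user search: account name AND (direct member OR primary group) AND person."""
    return ("(&(sAMAccountName=%s)(|(memberOf=%s)(primaryGroupID=%d))"
            "(|(&(objectClass=user)(objectCategory=person))"
            "(objectClass=inetOrgPerson)(objectClass=organizationalPerson)))"
            % (escape_filter_value(username), escape_filter_value(group_dn), rid_from_sid(group_sid)))


def check_group_dn(value: str) -> list:
    """Return warnings for the two security_group_dn mistakes seen in this thread (hypothetical helper)."""
    warnings = []
    dn = value.strip()
    if len(dn) >= 2 and dn[0] == dn[-1] and dn[0] in "\"'":
        warnings.append("quotes are written into the DN literally; remove them")
        dn = dn[1:-1]
    if ",OU=Users," in dn:
        warnings.append("built-in Users is a container: use CN=Users, not OU=Users, if that is what you mean")
    return warnings


if __name__ == "__main__":
    print(sid_to_string(GROUP_SID_BYTES))
    print(membership_filter("kristina", "CN=group,CN=Users,DC=acme,DC=corp", GROUP_SID_BYTES))
    print(check_group_dn('"CN=VPN Users,OU=Security Groups,DC=mydomain,DC=local"'))
```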
06-24-2021 01:08 PM
Correct, I found this out when copying the data from ldp on my domain controller. I’ll give it another shot and report back.
06-24-2021 01:11 PM
OK, cool. You can also see the distinguishedName attribute value from ADUC on the object’s properties Attribute Editor tab if you go to View > Advanced Features (if you get tired of switching between ADUC and LDP).
06-24-2021 01:14 PM
So things are working as expected now. I’m not exactly sure what it was that was blocking it, but it’s fixed and I can copy/reproduce this now without much effort. Thanks for the sanity check and assistance.
06-24-2021 01:17 PM
Glad you got it working!