03-08-2019 01:26 PM
I’m getting this error while trying to authenticate to my Duo Auth LDAP Proxy. tcpdump on my firewall shows there is no communication happening with api-xxxxx-duosecurity dot com. Is this an error message due to the same problem as https://help.duo.com/s/article/4292 ?
2019-03-08T15:19:18-0600 [-] Duo Security Authentication Proxy 2.14.0 - Init Complete
2019-03-08T15:19:24-0600 [duoauthproxy.modules.ad_client._ADServiceClientFactory#info] Starting factory <duoauthproxy.modules.ad_client._ADServiceClientFactory object at 0x7f0cdf0d0390>
2019-03-08T15:19:24-0600 [stdout#info] BERDecoderContext has no tag 0x16: <L■■■■_TopLevel identities={0x10: LDAPMessage} fallback=None inherit=<L■■■■_LDAPMessage identities={0x80: LDAPControls, 0x53: L■■■■ence} fallback=<L■■■■ identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: L■■■■, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None> inherit=<L■■■■ identities={0x40: LDAPBindRequest, 0x41: LDAPBindResponse, 0x42: LDAPUnbindRequest, 0x43: LDAPSearchRequest, 0x44: L■■■■, 0x45: LDAPSearchResultDone, 0x46: LDAPModifyRequest, 0x47: LDAPModifyResponse, 0x48: LDAPAddRequest, 0x49: LDAPAddResponse, 0x4a: LDAPDelRequest, 0x4b: LDAPDelResponse, 0x4c: LDAPModifyDNRequest, 0x4d: LDAPModifyDNResponse, 0x50: LDAPAbandonRequest, 0x83: LDAPReferral, 0x57: LDAPExtendedRequest, 0x58: LDAPExtendedResponse} fallback=<BERDecoderContext identities={0x01: BERBoolean, 0x02: BERInteger, 0x04: BEROctetString, 0x05: BERNull, 0x0a: BEREnumerated, 0x10: BERSequence, 0x11: BERSet} fallback=None inherit=None> inherit=None>>>
2019-03-08T15:19:24-0600 [Uninitialized] Connection made between client: 192.168.1.3:33188 and the server section listening via 192.168.1.39:389.
2019-03-08T15:19:24-0600 [-] C->S LDAPMessage(id=1, value=LDAPStartTLSRequest())
2019-03-08T15:19:24-0600 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=1L, value=LDAPExtendedResponse(resultCode=0L))
03-12-2019 07:04 AM
Different LDAP tag, but same root cause. The tag is not supported by the Duo proxy.
03-13-2019 05:52 AM
Thanks for the info but it does kinda block our rollout. Would it be helpful to offer some debug info from our appliance/proxy to help troubleshoot or remedy the unsupported tag? We really like what we’ve seen of Duo so far.
03-14-2019 06:52 AM
No, we know what the tag is, and it’s not supported today. You could consult with your application vendor to see if there are configurable options for authentication that maybe don’t rely on IA5. You could also reach out to your Duo AE or SE (if one is helping you with your rollout) or to Duo Support to submit a feature request for additional tag support.
03-14-2019 07:38 AM
Will do, thanks for the info.
08-14-2019 10:18 AM
For anybody that runs across this – I got this error but it was a red herring. Turns out it can happen with an LDAPS connection to an LDAP (no S) proxy instance.
I was halfway into implementing it in the twisted/ldaptor library before I realized it…
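Why a TLS handshake arriving on a plain-LDAP port can surface as "no tag 0x16", shown as an added example that is not part of any post in this thread: the first byte of a TLS handshake record is 0x16, which a BER decoder reads as universal tag 22 (IA5String). The function names and sample bytes are constructed for illustration, and the decoder-key rule (identifier octet with the constructed bit cleared) is an assumption inferred from SEQUENCE appearing as 0x10 in the log above.

```python
# Added example: triage the first bytes received by a plain-LDAP listener.
TLS_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
             0x16: "handshake", 0x17: "application_data"}
BER_UNIVERSAL = {0x02: "INTEGER", 0x04: "OCTET STRING",
                 0x10: "SEQUENCE", 0x16: "IA5String"}

def ber_length(data, off):
    """Decode BER length octets at data[off]; return (length, next offset)."""
    first = data[off]
    if first < 0x80:                      # short form: one octet
        return first, off + 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or off + 1 + n > len(data):
        raise ValueError("indefinite or truncated BER length")
    return int.from_bytes(data[off + 1:off + 1 + n], "big"), off + 1 + n

def triage(data):
    """Return (protocol guess, decoder key, BER reading of the first byte)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ident = data[0]
    # Assumption: the key in the log is the identifier octet with the
    # constructed bit (0x20) cleared, so SEQUENCE (0x30) shows up as 0x10.
    key = ident & 0xDF
    ber_name = (BER_UNIVERSAL.get(ident & 0x1F, "other")
                if ident >> 6 == 0 else "non-universal")
    # TLS record header: content type, version 3.x, then a 2-byte length.
    if ident in TLS_TYPES and data[1] == 0x03 and data[2] <= 0x04:
        return "tls:" + TLS_TYPES[ident], key, ber_name
    # LDAPMessage: a SEQUENCE whose first element is the INTEGER messageID.
    if ident == 0x30:
        try:
            _, off = ber_length(data, 1)
        except ValueError:
            return "unknown", key, ber_name
        if off < len(data) and data[off] == 0x02:
            return "ldap", key, ber_name
    return "unknown", key, ber_name

# Constructed samples: an LDAP StartTLS extended request (messageID 1) and
# the opening bytes of a TLS ClientHello record.
oid = b"1.3.6.1.4.1.1466.20037"
ext = bytes([0x80, len(oid)]) + oid
body = b"\x02\x01\x01" + bytes([0x77, len(ext)]) + ext
SAMPLE_STARTTLS = bytes([0x30, len(body)]) + body
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")

if __name__ == "__main__":
    for name, sample in (("StartTLS", SAMPLE_STARTTLS), ("ClientHello", SAMPLE_CLIENT_HELLO)):
        print(name, triage(sample))
```

If the first bytes on the port triage as `tls:handshake`, check whether the client is configured for LDAPS against a listener that expects clear LDAP or StartTLS.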