06-10-2019 11:46 AM
Hi all
I have a working OpenLDAP server with a username nrey. I also have two servers that authenticate against OpenLDAP: one is just a Linux machine that does ssh auth with OpenLDAP; the other is an OpenVPN server. Both work perfectly using user/pass authentication.
I've configured the Duo auth proxy for LDAP:
[ad_client]
host=127.0.0.1
service_account_username=cn=admin,dc=company,dc=io
bind_dn=ou=people,dc=company,dc=io
auth_type=plain
service_account_password=123
search_dn=ou=people,dc=company,dc=io
username_attribute=uniqueMember
ssl_verify_hostname=false
[ldap_server_auto]
ikey=xxx
skey=xxx
api_host=xxx
client=ad_client
interface=10.0.11.250
Openldap listens on localhost:389
Auth-proxy listens on 10.0.11.250
This is the slapd log output when trying to log in on the Linux ssh client:
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 fd=14 ACCEPT from IP=127.0.0.1:44536 (IP=127.0.0.1:389)
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=0 BIND dn="cn=admin,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=0 BIND dn="cn=admin,dc=company,dc=io" mech=SIMPLE ssf=0
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=0 RESULT tag=97 err=0 text=
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=1 SRCH base="dc=company,dc=io" scope=2 deref=0 filter="(uid=nrey)"
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=2 BIND anonymous mech=implicit ssf=0
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=2 BIND dn="uid=nrey,ou=people,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=2 BIND dn="uid=nrey,ou=people,dc=company,dc=io" mech=SIMPLE ssf=0
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=2 RESULT tag=97 err=0 text=
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1183 fd=15 ACCEPT from IP=127.0.0.1:44538 (IP=127.0.0.1:389)
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1183 op=0 BIND dn="ou=people,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1183 op=0 RESULT tag=97 err=49 text=
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1183 fd=15 closed (connection lost)
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 fd=14 closed (connection lost)
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1184 fd=14 ACCEPT from IP=127.0.0.1:44540 (IP=127.0.0.1:389)
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1184 op=0 BIND dn="cn=admin,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1184 op=0 BIND dn="cn=admin,dc=company,dc=io" mech=SIMPLE ssf=0
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1184 op=0 RESULT tag=97 err=0 text=
Jun 10 18:43:54 ip-10-0-11-250 slapd[15533]: conn=1184 fd=14 closed (connection lost)
Password is OK and tested, user exists:
ldapsearch -x -LLL -b "uid=nrey,ou=people,dc=company,dc=io" "(uid=nrey)"
dn: uid=nrey,ou=people,dc=company,dc=io
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
cn: Nicolas
sn: Rey
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/nrey
uid: nrey
What am I missing?
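As an added example (not part of the original post), a short Python script that pairs each BIND in a slapd log with its RESULT on the same conn/op and flags rejected binds whose DN looks like a container (such as an ou=...) rather than a user entry; the sample log is constructed from the lines quoted above, and the USER_RDN_ATTRS set is an assumption about which RDN attributes name accounts in this directory.

```python
import re

# Constructed sample, modelled on the slapd lines quoted in the post above.
SAMPLE_LOG = """\
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 fd=14 ACCEPT from IP=127.0.0.1:44536 (IP=127.0.0.1:389)
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=0 BIND dn="cn=admin,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=0 RESULT tag=97 err=0 text=
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=2 BIND dn="uid=nrey,ou=people,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1182 op=2 RESULT tag=97 err=0 text=
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1183 op=0 BIND dn="ou=people,dc=company,dc=io" method=128
Jun 10 18:43:53 ip-10-0-11-250 slapd[15533]: conn=1183 op=0 RESULT tag=97 err=49 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
# tag=97 is a bindResponse; search results use tag=101 and are ignored here.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

# LDAP result codes relevant to a bind outcome.
RESULT_NAMES = {0: "success", 49: "invalidCredentials"}

# Assumption: user entries in this directory have a uid= or cn= leftmost RDN;
# anything else (e.g. ou=people) is a container and cannot be bound to.
USER_RDN_ATTRS = {"uid", "cn"}

def bind_outcomes(log_text):
    """Pair every BIND with the RESULT for the same conn/op.
    Returns (dn, result_code, result_name, dn_is_container) tuples."""
    binds = {}
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            binds[(m.group(1), m.group(2))] = m.group(3)
    outcomes = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m or (m.group(1), m.group(2)) not in binds:
            continue
        dn = binds[(m.group(1), m.group(2))]
        code = int(m.group(3))
        rdn_attr = dn.split("=", 1)[0].strip().lower() if "=" in dn else ""
        outcomes.append((dn, code, RESULT_NAMES.get(code, "other"), rdn_attr not in USER_RDN_ATTRS))
    return outcomes

def failed_binds(log_text):
    """Only the binds slapd rejected, which is where a bad bind_dn shows up."""
    return [o for o in bind_outcomes(log_text) if o[1] != 0]

if __name__ == "__main__":
    for dn, code, name, container in failed_binds(SAMPLE_LOG):
        hint = " (DN is a container, check bind_dn)" if container else ""
        print(f"bind as {dn!r} failed: err={code} {name}{hint}")
```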
06-11-2019 12:37 PM
What’s happening on the Duo authentication proxy server during the auth attempt? Try enabling debug logging and observe the LDAP binds, searches, and results.
Also, you've set username_attribute=uniqueMember in your authproxy.cfg… did you mean to set username_attribute=uid? Isn't uniqueMember a group attribute?
06-12-2019 06:51 AM
Thanks Kristina. I've solved the issue, it was just a bad bind_dn (-: