https://community.cisco.com/t5/policy-access-control/ldap-with-linux-duoproxy-not-giving-2fa/m-p/4883133#M308 <DIV class="duo-migrated-content"><P>HI all</P> <P>Am hoping for a little advice</P> <P>I have recently setup our DNS server which uses openLDAP to connect to our Debian DuoProxy server to authenticate against the AD</P> <P>I have managed to get it to work but there is no 2fa Prompt(we are looking at making the DNS control panel accessible to the WEB and want to 2fa for added protection)</P> <P>When i add exempt_ou_1=CN=duo_ldap,OU=users,DC=AD,DC=Webnetism,DC=com<BR /> exempt_primary_bind=false</P> <P>it fails right away</P> <P>if i then delete the above lines or change<BR /> exempt_primary_bind=true it log in fine.</P> <P>my config is as follows</P> <P>[ad_client]<BR /> host=192.168.0.0(my ldap ad server ip)<BR /> service_account_username=duo_ldap<BR /> service_account_password=***********<BR /> search_dn=DC=AD,DC=example,DC=com</P> <P>[ldap_server_auto]<BR /> client=ad_client<BR /> ikey=*****************<BR /> skey=*****************<BR /> api_host=**********************<BR /> exempt_ou_1=CN=duo_ldap,OU=users,DC=AD,DC=example,DC=com<BR /> exempt_primary_bind=false<BR /> failmode=safe<BR /> port=389</P> <P>any advice would be greatly appreciated.</P></DIV> Wed, 20 Jul 2022 15:37:41 GMT Chayne 2022-07-20T15:37:41Z https://community.cisco.com/t5/policy-access-control/ldap-with-linux-duoproxy-not-giving-2fa/m-p/4883133#M308 <DIV class="duo-migrated-content"><P>HI all</P> <P>Am hoping for a little advice</P> <P>I have recently setup our DNS server which uses openLDAP to connect to our Debian DuoProxy server to authenticate against the AD</P> <P>I have managed to get it to work but there is no 2fa Prompt(we are looking at making the DNS control panel accessible to the WEB and want to 2fa for added protection)</P> <P>When i add exempt_ou_1=CN=duo_ldap,OU=users,DC=AD,DC=Webnetism,DC=com<BR /> exempt_primary_bind=false</P> <P>it fails right away</P> <P>if i then delete the above lines or change<BR /> exempt_primary_bind=true it log in fine.</P> <P>my config is as follows</P> <P>[ad_client]<BR /> host=192.168.0.0(my ldap ad server ip)<BR /> service_account_username=duo_ldap<BR /> service_account_password=***********<BR /> search_dn=DC=AD,DC=example,DC=com</P> <P>[ldap_server_auto]<BR /> client=ad_client<BR /> ikey=*****************<BR /> skey=*****************<BR /> api_host=**********************<BR /> exempt_ou_1=CN=duo_ldap,OU=users,DC=AD,DC=example,DC=com<BR /> exempt_primary_bind=false<BR /> failmode=safe<BR /> port=389</P> <P>any advice would be greatly appreciated.</P></DIV> Wed, 20 Jul 2022 15:37:41 GMT https://community.cisco.com/t5/policy-access-control/ldap-with-linux-duoproxy-not-giving-2fa/m-p/4883133#M308 Chayne 2022-07-20T15:37:41Z https://community.cisco.com/t5/policy-access-control/ldap-with-linux-duoproxy-not-giving-2fa/m-p/4883134#M309 <DIV class="duo-migrated-content"><P>Hello Chayne, welcome to our Duo Community!</P> <P>I’m sorry to hear you’re having issues with the Duo prompt. Before making any changes, I would recommend that you enable <A href="https://help.duo.com/s/article/2953">debug logging</A> and check the log output to see if that provides some answers.</P> <P>One probable explanation is that your server can’t find your users because the proxy is defaulting to look for AD attributes. Specifying the <CODE>username_attribute</CODE> on the client to the openLDAP attribute that holds your Duo usernames would resolve this issue.</P> <P><A href="https://community.duo.com/t/nextcloud-using-auth-proxy-does-not-prompt-for-mfa/10304/2">This community thread</A> deals with a similar issue and will further clarify how to troubleshoot in this situation.</P> <P>I hope this helps, let me know if you have any further questions.</P></DIV> Wed, 20 Jul 2022 18:02:29 GMT https://community.cisco.com/t5/policy-access-control/ldap-with-linux-duoproxy-not-giving-2fa/m-p/4883134#M309 ldubravec 2022-07-20T18:02:29Z https://community.cisco.com/t5/policy-access-control/ldap-with-linux-duoproxy-not-giving-2fa/m-p/4883135#M310 <DIV class="duo-migrated-content"><P>Hi ldubravec</P> <P>Many thanks for your assistance.<BR /> What i did in the end was to add security_group_dn under the ad_client part<BR /> along with the two exempt entries</P> <P>and i had to enroll my mobiles with the help of the authproxy.log file<BR /> but now i am receiving Duo prompts for my ldap sign ins</P> <P>thank you for your direction</P></DIV> Thu, 21 Jul 2022 08:18:28 GMT https://community.cisco.com/t5/policy-access-control/ldap-with-linux-duoproxy-not-giving-2fa/m-p/4883135#M310 Chayne 2022-07-21T08:18:28Z