Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8855
Views
1
Helpful
20
Replies

Directory Sync with idM

artemis1
Level 1
Level 1

‎02-12-2018 12:14 PM

Hi everyone,

Is is possible to add users (via Directory Sync) from RedHat idM (essentially FreeIPA)?

I have a team member who has completed the first 2 steps in Directory Sync (Directory Settings and DUO Authentication Proxy) but no groups are available in step 3 (Choose Groups). Instead we see “Note: 79 groups can’t be shown. Please upgrade your Duo Authentication Proxy to show all groups.”

We have the latest version of Duo Authentication Proxy (v2.7.0) installed and the debug log shows successful LDAP STARTTLS connections to our idM server with groups successfully returned.

Labels:
0 Helpful
20 Replies 20

artemis1
Level 1
Level 1
In response to Chris_Byron

‎04-18-2018 12:01 PM

After you make the change in 60basev2.ldif, you will need to run the following command to commit the schema change:

sudo ipa-ldap-updater -u -schema-file=/etc/dirsrv/slapd-CONTOSO-COM/schema/60basev2.ldif

Then run your ldapsearch command again with an addition sign at the end to retrieve the operational attributes:

ldapsearch -D uid=blahblah -w secret cn=testgroup entrydn entryuuid cn +

On a side note, we’ve observed some weirdness where the directory sync initially works but then on the periodic schedule (every 24 hours), the directory sync attempts to delete all LDAP accounts from Duo. I’m still trying to run down exactly what is going on. Our temp fix has been to disable the Duo authentication proxy service after the initial sync.

artemis1
Level 1
Level 1
In response to artemis1

‎04-18-2018 12:05 PM

You may also need to login to the idM/FreeIPA web interface and navigate to IPA Server | Role Based Access Controls | Permissions | System: Read Groups where you can add “entrydn” under Target | Effective attributes.

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to artemis1

‎04-18-2018 12:58 PM

@artemis Is it possible that the schema change isn’t persisting, so the group isn’t presenting the expected attributes at the next scheduled sync?

LDAP sync would put users into pending deletion if it thinks the synced group is no longer present in the source directory or was deleted from the configuration. Directory Sync - Troubleshooting and FAQ | Duo Security?

Duo, not DUO.
0 Helpful

andrewm659
Level 1
Level 1

‎11-25-2019 12:02 PM

Did you put a RADIUS server in between to do the authentication to DUO? Redhat’s IdM provides a 2FA option built-in.

0 Helpful

gudmmk
Level 1
Level 1

‎04-20-2020 01:01 PM

After spending a few hours today with getting Directory Sync working with IPA, then I decided to write down the steps I did to get this work with IPA 4.8.0, https://github.com/gudmmk/howtos/blob/master/duo_authproxy-with-freeipa.md

Thanks rgiles and artemis for pointing me to the right direction.

0 Helpful

andrewm659
Level 1
Level 1

‎05-17-2021 10:23 AM

Did you set this up on the client machines or the FreeIPA server?

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents