Directory Sync with idM

artemis1
Level 1

Hi everyone,

Is it possible to add users (via Directory Sync) from RedHat idM (essentially FreeIPA)?

I have a team member who has completed the first 2 steps in Directory Sync (Directory Settings and DUO Authentication Proxy) but no groups are available in step 3 (Choose Groups). Instead we see “Note: 79 groups can’t be shown. Please upgrade your Duo Authentication Proxy to show all groups.”

We have the latest version of Duo Authentication Proxy (v2.7.0) installed and the debug log shows successful LDAP STARTTLS connections to our idM server with groups successfully returned.

20 Replies

After you make the change in 60basev2.ldif, you will need to run the following command to commit the schema change:

sudo ipa-ldap-updater -u --schema-file=/etc/dirsrv/slapd-CONTOSO-COM/schema/60basev2.ldif

Then run your ldapsearch command again with a plus sign (+) at the end to retrieve the operational attributes:

ldapsearch -x -D uid=blahblah -w secret "(cn=testgroup)" entrydn entryuuid cn +

On a side note, we’ve observed some weirdness where the directory sync initially works but then on the periodic schedule (every 24 hours), the directory sync attempts to delete all LDAP accounts from Duo. I’m still trying to run down exactly what is going on. Our temp fix has been to disable the Duo authentication proxy service after the initial sync.

You may also need to login to the idM/FreeIPA web interface and navigate to IPA Server | Role Based Access Controls | Permissions | System: Read Groups where you can add “entrydn” under Target | Effective attributes.
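The replies above boil down to one check: does every group the proxy is supposed to sync actually come back with the operational attributes entrydn and entryuuid? The following is an added example, not code from this thread, from Duo, or from FreeIPA. It parses the LDIF that `ldapsearch ... cn entrydn entryuuid +` prints and lists the groups that do not expose both attributes. The LDIF in it is constructed for the example (the DNs, UUIDs and group names are made up); to use it against a real server, pipe the ldapsearch output into the script on stdin. The assumption that entrydn and entryuuid are the two attributes that matter follows the advice in the thread and is not confirmed by Duo documentation here.

```python
"""List FreeIPA/IdM groups that lack the operational attributes
(entrydn, entryuuid) Duo Directory Sync is said to need.

Added example, not part of the thread. It reads the LDIF that
`ldapsearch ... cn entrydn entryuuid +` writes, so it runs offline on
the constructed sample below, or on real output piped to stdin.
"""
import base64
import sys
from typing import Dict, List, Tuple

# Assumed from the thread: the proxy needs both of these on every group.
REQUIRED_ATTRS = ("entrydn", "entryuuid")

# Constructed sample (not captured from a real server). The second group
# is missing entrydn, the third returns its cn base64-encoded, and the
# first has a folded (continued) description line.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=example,dc=com> with scope subtree
# filter: (objectClass=groupOfNames)
# requesting: cn entrydn entryuuid +

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
cn: admins
description: Account administrators
  group
entrydn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
entryuuid: 1dd6c8e0-5b7e-11ea-8e1a-525400a1b2c3

dn: cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com
cn: testgroup
entryuuid: 3f0a9c12-5b7e-11ea-8e1a-525400a1b2c3

dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
cn:: b3Bz
entrydn: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
entryuuid: 52b7e4aa-5b7e-11ea-8e1a-525400a1b2c3

# search result
search: 2
result: 0 Success
"""

Entry = Dict[str, List[str]]


def _finish(pending: List[Tuple[str, str, bool]], entries: List[Entry]) -> None:
    """Turn the collected (attr, value, is_base64) lines into an entry.
    Records without a dn (e.g. the ldapsearch 'search:/result:' trailer)
    are dropped."""
    if not any(attr == "dn" for attr, _, _ in pending):
        return
    entry: Entry = {}
    for attr, value, is_b64 in pending:
        if is_b64:
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr, []).append(value)
    entries.append(entry)


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: comments, blank-line record separators,
    'attr: value', 'attr:: base64value', and folded continuation lines
    (which start with a single space)."""
    entries: List[Entry] = []
    pending: List[Tuple[str, str, bool]] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            _finish(pending, entries)
            pending = []
            continue
        if raw.startswith(" "):
            if pending:  # append continuation to the previous value
                attr, value, is_b64 = pending[-1]
                pending[-1] = (attr, value + raw[1:], is_b64)
            continue
        attr, _, rest = raw.partition(":")
        is_b64 = rest.startswith(":")
        value = rest[1:] if is_b64 else rest
        pending.append((attr.strip().lower(), value.strip(), is_b64))
    _finish(pending, entries)
    return entries


def missing_sync_attrs(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each group DN to the required attributes it did not return."""
    report: Dict[str, List[str]] = {}
    for entry in entries:
        missing = [a for a in REQUIRED_ATTRS if not entry.get(a)]
        if missing:
            report[entry["dn"][0]] = missing
    return report


def groups_hidden_from_duo(ldif_text: str) -> Dict[str, List[str]]:
    return missing_sync_attrs(parse_ldif(ldif_text))


if __name__ == "__main__":
    # Real use: ldapsearch -x -D ... -w ... -b cn=groups,... cn entrydn entryuuid + | python3 this.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    report = groups_hidden_from_duo(text)
    if not report:
        print("all groups expose entrydn and entryuuid")
    for dn, attrs in report.items():
        print(f"{dn}: missing {', '.join(attrs)}")
```

If a group shows up in this list even though the schema edit was applied, check the "System: Read Groups" permission mentioned above: the attribute can exist on the entry and still be invisible to the bind account the proxy uses, which looks the same to the proxy as the attribute not being there.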

@artemis Is it possible that the schema change isn’t persisting, so the group isn’t presenting the expected attributes at the next scheduled sync?

LDAP sync would put users into pending deletion if it thinks the synced group is no longer present in the source directory or was deleted from the configuration. Directory Sync - Troubleshooting and FAQ | Duo Security?

Duo, not DUO.

andrewm659
Level 1

Did you put a RADIUS server in between to do the authentication to DUO? Red Hat's IdM provides a 2FA option built-in.

gudmmk
Level 1

After spending a few hours today getting Directory Sync working with IPA, I decided to write down the steps I took to get this working with IPA 4.8.0: https://github.com/gudmmk/howtos/blob/master/duo_authproxy-with-freeipa.md

Thanks rgiles and artemis for pointing me to the right direction.

andrewm659
Level 1

Did you set this up on the client machines or the FreeIPA server?
