02-12-2018 12:14 PM
Hi everyone,
Is it possible to add users (via Directory Sync) from RedHat IdM (essentially FreeIPA)?
I have a team member who has completed the first 2 steps in Directory Sync (Directory Settings and DUO Authentication Proxy) but no groups are available in step 3 (Choose Groups). Instead we see “Note: 79 groups can’t be shown. Please upgrade your Duo Authentication Proxy to show all groups.”
We have the latest version of Duo Authentication Proxy (v2.7.0) installed and the debug log shows successful LDAP STARTTLS connections to our idM server with groups successfully returned.
04-18-2018 12:01 PM
After you make the change in 60basev2.ldif, you will need to run the following command to commit the schema change:
sudo ipa-ldap-updater -u --schema-file=/etc/dirsrv/slapd-CONTOSO-COM/schema/60basev2.ldif
Then run your ldapsearch command again with an addition sign at the end to retrieve the operational attributes:
ldapsearch -D uid=blahblah -w secret cn=testgroup entrydn entryuuid cn +
On a side note, we’ve observed some weirdness where the directory sync initially works but then on the periodic schedule (every 24 hours), the directory sync attempts to delete all LDAP accounts from Duo. I’m still trying to run down exactly what is going on. Our temp fix has been to disable the Duo authentication proxy service after the initial sync.
04-18-2018 12:05 PM
You may also need to log in to the IdM/FreeIPA web interface and navigate to IPA Server | Role Based Access Controls | Permissions | System: Read Groups, where you can add “entrydn” under Target | Effective attributes.
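A check for the result of the schema and permission steps above, as an added example (not from this thread, Duo or FreeIPA): it parses the LDIF that ldapsearch prints and lists any groups that still lack entrydn or entryuuid, which is what the “N groups can’t be shown” count in the Duo admin panel corresponds to. The group names and the contoso base DN in the sample LDIF are constructed.

```python
import base64

# Operational attributes Duo Directory Sync reads from each group entry.
REQUIRED_ATTRS = ("entrydn", "entryuuid")

# Constructed sample of ldapsearch -LLL output: one complete group, one group
# where entrydn is not readable, and one whose entrydn is folded over two lines.
SAMPLE_LDIF = """\
dn: cn=testgroup,cn=groups,cn=accounts,dc=contoso,dc=com
cn: testgroup
entrydn: cn=testgroup,cn=groups,cn=accounts,dc=contoso,dc=com
entryuuid: 6b1ea4c2-0000-4000-8000-000000000001

dn: cn=hiddengroup,cn=groups,cn=accounts,dc=contoso,dc=com
cn: hiddengroup
entryuuid: 6b1ea4c2-0000-4000-8000-000000000002

dn: cn=foldedgroup,cn=groups,cn=accounts,dc=contoso,dc=com
cn: foldedgroup
entrydn: cn=foldedgroup,cn=groups,
 cn=accounts,dc=contoso,dc=com

# search result
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.
    Handles folded continuation lines (leading space) and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def groups_missing_attrs(text, required=REQUIRED_ATTRS):
    """Return {group cn: [missing attributes]} for every group that lacks one."""
    problems = {}
    for entry in parse_ldif(text):
        missing = [a for a in required if a not in entry]
        if missing:
            problems[entry.get("cn", entry.get("dn", ["?"]))[0]] = missing
    return problems

if __name__ == "__main__":
    for name, missing in groups_missing_attrs(SAMPLE_LDIF).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Feed it the output of the ldapsearch command above (with the trailing +) for your real groups; any group listed here is one the proxy cannot show to Directory Sync.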
04-18-2018 12:58 PM
@artemis Is it possible that the schema change isn’t persisting, so the group isn’t presenting the expected attributes at the next scheduled sync?
LDAP sync would put users into pending deletion if it thinks the synced group is no longer present in the source directory or was deleted from the configuration. Directory Sync - Troubleshooting and FAQ | Duo Security?
11-25-2019 12:02 PM
Did you put a RADIUS server in between to do the authentication to DUO? Redhat’s IdM provides a 2FA option built-in.
04-20-2020 01:01 PM
After spending a few hours today getting Directory Sync working with IPA, I decided to write down the steps I took to get this working with IPA 4.8.0: https://github.com/gudmmk/howtos/blob/master/duo_authproxy-with-freeipa.md
Thanks rgiles and artemis for pointing me in the right direction.
05-17-2021 10:23 AM
Did you set this up on the client machines or the FreeIPA server?