07-02-2021 07:41 AM
I have integrated the DUO proxy with FreeIPA; however, I'm not able to allow a specific group to bypass DUO, and as a consequence I need to add user by user as an exception. Is there any way to do that? According to the documentation I could specify the group as exempt_ou, but it doesn't work.
I tried:
exempt_ou_1=(memberOf=cn=test,cn=groups,cn=accounts,dc=example,dc=com)
and also:
exempt_ou_1=cn=test,cn=groups,cn=accounts,dc=example,dc=com
In FreeIPA, the groups start with cn, not OU.
Does anyone know how to proceed in this case?
Thank you
07-07-2021 09:25 AM
You cannot specify the DN of a group as the value for exempt_ou_1. It can be the DN of a single user or an entire OU/container. This is stated in the documentation of the exempt_ou option in the Authentication Proxy Reference here. There is no way to specify a group of users to bypass in the Authentication Proxy configuration.
Some alternative methods of accomplishing this are to create the group and users in Duo and set it to Bypass, or you could set the New User Policy to allow unenrolled users access without 2FA and then only enroll the users that you want to use 2FA in Duo.
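Added example (not part of the original thread and not Duo's code): a small Python sketch of why the group DN exempts nobody while a container DN exempts every entry beneath it, plus a helper that renders one numbered exempt_ou_N line per user. The matching rule is an assumption modeled on the answer above (exact user DN, or any entry under a container), and the alice/bob DNs are constructed samples in the usual FreeIPA layout.

```python
# Added illustration, not Duo's implementation. Assumed matching rule:
# a user is exempt if their DN equals an exempt DN or sits beneath it.
import re

def parse_dn(dn):
    """Split a DN into normalised (attr, value) RDNs, honouring '\\,' escapes."""
    out = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.partition('=')
        out.append((attr.strip().lower(), value.strip().lower()))
    return out

def is_exempt(user_dn, exempt_dns):
    """True if user_dn equals an exempt DN or is a descendant of one."""
    user = parse_dn(user_dn)
    for dn in exempt_dns:
        base = parse_dn(dn)
        if len(base) <= len(user) and user[-len(base):] == base:
            return True
    return False

def exempt_lines(member_dns):
    """Render one exempt_ou_N line per user DN, sorted for stable diffs."""
    return [f"exempt_ou_{i}={dn}" for i, dn in enumerate(sorted(member_dns), 1)]

# Group DN is from the thread; user DNs are constructed samples.
GROUP_DN = "cn=test,cn=groups,cn=accounts,dc=example,dc=com"
USERS_CONTAINER = "cn=users,cn=accounts,dc=example,dc=com"
ALICE = "uid=alice,cn=users,cn=accounts,dc=example,dc=com"
BOB = "uid=bob,cn=users,cn=accounts,dc=example,dc=com"

if __name__ == "__main__":
    # The group entry is a sibling branch, not an ancestor of any user entry.
    print("group DN exempts alice:", is_exempt(ALICE, [GROUP_DN]))
    # The users container is an ancestor of every account: far too broad.
    print("container exempts bob:", is_exempt(BOB, [USERS_CONTAINER]))
    # Per-user DNs scope the bypass to exactly the listed accounts.
    print("\n".join(exempt_lines([ALICE])))
```

Under that assumed rule, pointing exempt_ou at the users container would remove 2FA for every account, so the per-user lines (or a Bypass group on the Duo side) are the narrowly scoped options.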
07-07-2021 09:47 AM
Well, FreeIPA doesn’t have OUs, so the exception for a group will not work at the proxy level; I would need to add them one by one using the DN…
Thanks for the info, I’ll look forward to creating groups and users in Duo for bypass.
07-07-2021 09:51 AM
~FreeIPA does have containers though, and you should be able to specify the DN of a container as the exempt_ou.~
Actually I did some more reading and this might not be possible.