09-17-2021 08:37 AM
Hi, I have an Auth Proxy set up and 2 of my applications work great.
My LDAP is JumpCloud.
When I configure Nextcloud to use the proxy as the LDAP backend, the uid/password gets checked properly but I do not get Duo Push notifications and I just get logged in without that.
The same accounts get MFA challenged when logging into the other 2 applications that use the proxy.
I have debug turned on and I see the LDAPBind request for the account in question but no messages like "bypassing MFA for account X".
Help!
Thank you
09-20-2021 09:04 AM
Do you see a message like "Primary bind exempted from 2FA" in the debug log for BOTH the LDAP binds as the service account AND then binds as the end user accounts? It might be that your application binds and searches as the service account for the user, disconnects, then binds again as the end user. (Scenario 24 in this article.)
By default the Duo proxy skips MFA for the first bind in a connection (assuming that’s the service account, not the user).
To fix this you’d need to change the proxy config to always require MFA for the first bind in a connection, and then exempt the service account from MFA. You do that with a config like this…
[ldap_server_auto]
ikey=nnn
skey=nnn
api_host=nnn
client=ad_client
exempt_primary_bind=false
exempt_ou_1=CN=yourldaplookupaccount,OU=whateverthednis,DC=yourdomain,DC=whatever
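As an added illustration (not from the thread or from Duo's own code) of the bind-exemption logic the answer describes, this Python models how the default and the corrected [ldap_server_auto] settings treat each bind in Scenario 24 (service-account bind, disconnect, user bind) versus a single-connection flow. The DNs are constructed, and the exact exempt_ou_N matching rule (exact DN or a DN under the exempted OU) is an assumption.

```python
import configparser

# Constructed config text modelled on the answer above, not a real proxy file.
DEFAULT_CFG = """[ldap_server_auto]
ikey=nnn
skey=nnn
api_host=nnn
client=ad_client
"""
FIXED_CFG = DEFAULT_CFG + """exempt_primary_bind=false
exempt_ou_1=CN=svc-lookup,OU=Service Accounts,DC=example,DC=com
"""
SVC = "CN=svc-lookup,OU=Service Accounts,DC=example,DC=com"   # constructed DNs
USER = "CN=alice,OU=Users,DC=example,DC=com"

def norm(dn):
    # Case-insensitive, space-around-comma-insensitive DN comparison.
    return ",".join(p.strip() for p in dn.lower().split(","))

def load_policy(text):
    """Return (exempt_first_bind, [normalised exempt_ou_N DNs])."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["ldap_server_auto"]
    first = sec.getboolean("exempt_primary_bind", fallback=True)  # proxy default
    return first, [norm(v) for k, v in sec.items() if k.startswith("exempt_ou_")]

def dn_exempt(exempt_dns, dn):
    # Assumed matching rule: exact DN match, or bind DN sits under an exempted OU.
    d = norm(dn)
    return any(d == e or d.endswith("," + e) for e in exempt_dns)

def bind_decisions(policy, connections):
    """connections: list of connections, each an ordered list of bind DNs.
    Returns one of 'exempt-first', 'exempt-ou', 'mfa' per bind, in order."""
    exempt_first, exempt_dns = policy
    out = []
    for binds in connections:
        for i, dn in enumerate(binds):
            if i == 0 and exempt_first:
                out.append("exempt-first")
            elif dn_exempt(exempt_dns, dn):
                out.append("exempt-ou")
            else:
                out.append("mfa")
    return out

# Scenario 24: service account binds, disconnects, then the user binds anew.
SCENARIO_24 = [[SVC], [USER]]
SAME_CONN = [[SVC, USER]]  # service-account search and user bind on one socket
```

With the default settings the user's bind in Scenario 24 is the first bind of its own connection, so it is exempted and no push is sent; with the corrected settings only the service account DN is exempt and the user bind goes to MFA.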
09-22-2021 09:38 AM
Thank you that got me further along!
Now Nextcloud is prompting me every 5 minutes…
But I get a DUO challenge now
Thank you again