cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
601
Views
0
Helpful
4
Replies

pointing ldap server to multiple ad clients

kazzb
Level 1
Level 1

Hi,

We are using DUO MFA for our user VPN connections. We have 3 domain controllers (1 on prem, 1 in DR and 1 in Azure)

We have 2 DUO Auth clients running on 2 separate servers, each config file is pointing to all 3 domain controllers. 
However our LDAP server is only pointing to 1 ad client. Is there a way to let LDAP server try all 3 AD clients in sequence in the event one of the DCs is down the connection to the next one would be successful ?
I have relevant portion of the config posted below.

[ad_client]
host=10.1.1.10
*** REST OF THE CONFIG NOT SHOWN*****

[ad_client2]
host=10.1.20.10
*** REST OF THE CONFIG NOT SHOWN*****

[ad_client3]
host=10.1.21
*** REST OF THE CONFIG NOT SHOWN*****

[ldap_server_auto]
ikey=AI4D2NIDOJK13LO57WA0
skey=sqKSHXxFqimTOv6DUZ7xwY2Qm164B2XNtwiNE6mv
api_host=api-137a49ce.duosecurity.com
client=ad_client
failmode=safe
exempt_primary_bind=false
exempt_ou_1=cn=Administrator,cn=Users,dc=example,dc=com

Thanks 

 

1 Accepted Solution

Accepted Solutions

Milos_Jovanovic
VIP Alumni
VIP Alumni

Hi @kazzb,

If I understood your setup correctly, all three domain controllers are part of the same domain, and you just have more of them for redundancy. If that is the case, then your configuration doesn't reflect that.

Instead of having ad_client, ad_client2 and ad_client3, you should have only ad_client, and inside have host, host_2 and host_3 configuration:

[ad_client]
host=10.1.1.10
host_2=10.1.20.10
host_3=10.1.21

In that case, reference under your [ldap_server_auto] section is enough and configured just as it should be, as it is simply a reference to different definiton.

You can take a look at Duo documentation, which explains these things.

Kind regards,

Milos

View solution in original post

4 Replies 4

Milos_Jovanovic
VIP Alumni
VIP Alumni

Hi @kazzb,

If I understood your setup correctly, all three domain controllers are part of the same domain, and you just have more of them for redundancy. If that is the case, then your configuration doesn't reflect that.

Instead of having ad_client, ad_client2 and ad_client3, you should have only ad_client, and inside have host, host_2 and host_3 configuration:

[ad_client]
host=10.1.1.10
host_2=10.1.20.10
host_3=10.1.21

In that case, reference under your [ldap_server_auto] section is enough and configured just as it should be, as it is simply a reference to different definiton.

You can take a look at Duo documentation, which explains these things.

Kind regards,

Milos

This is correct if the three domain controllers are joined to the same domain.

If the three domain controllers are joined to different domains in the same forest. an option for the ad_client config is to point to a domain controller in the forest root and specify one of the global catalog ports 3268 or 3269 and the base DN for the forest.

If the domain controllers are in different forests, there is no way to have a configured server section cascade through multiple ad_client sections until one succeeds for authenticating a user. Please contact your Duo account exec or customer success manager, or contact Duo Support, and request to be added to the feature request for this.

This Duo KB article might help you: https://help.duo.com/s/article/1426

Duo, not DUO.

@DuoKristina 

Yeah, all 3 domains are a part of the same forest and same domain. 

Milos,

Thank you for providing the config settings we were looking for!

Quick Links