315 Views · 0 Helpful · 2 Replies

Using Duo Auth Proxy to add MFA to LDAPS

mikeulkeul
Level 1

Hello, I'm trying to use Duo Auth Proxy (https://duo.com/docs/authproxy-reference)
and more specifically this: Duo Two-Factor Authentication for LDAP Applications | Duo Security

to do the following:

Current situation: log in to the admin page of my app with user / password against an on-premises LDAPS (Windows) server.
Target situation: log in to the admin page of my app with user / "password + delimiter + duo_TOTP_of_user" against a dedicated on-premises virtual machine running Duo Auth Proxy, which will itself use my LDAPS server for the primary auth.

My current setup is the following:

[main]
debug=true

[ad_client]
host=ldaps_srv.domain.dom
service_account_username=svc_xxxx_ldaps
service_account_password=xxxxxxx
username_attribute=sAMAccountName
transport=ldaps
search_dn=OU=ADMINS,OU=Comptes administrateurs,OU=Utilisateurs,DC=domain,DC=dom
ssl_ca_certs_file=/etc/ssl/certs/ca-bundle.crt


[ldap_server_auto]
ikey=DILxxxxx
skey=Snvxxxx
api_host=apixxxxx.duosecurity.com
client=ad_client
port=3890
exempt_primary_bind=false
failmode=safe


The connectivity tool does not display any issue; everything is green, including the bind to the LDAPS server.

Yet when I perform an ldapsearch I get a bind error:

root@poc_machine:/home/user/duoauthproxy-6.5.2-src/duoauthproxy-build]# ldapsearch -x -H ldap://localhost:3890 -D "test-account-adm" -W -b "OU=ADMINS,OU=Comptes administrateurs,OU=Utilisateurs,DC=domain,DC=dom"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090527, comment: AcceptSecurityContext error, data 52e, v4563

=> now it says the ldap_bind is not working.

Has anyone tried to achieve what I want and could help me add/correct configuration fields? I'm pretty sure I'm missing something regarding the syntax; creds are definitely OK.

Regards,
Mike
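The "password + delimiter + passcode" append mode the question relies on is easy to get wrong when the primary password can itself contain the delimiter. The following is an added illustration of how such a concatenated secret is split into the primary (AD) password and the Duo factor; it is not Duo Auth Proxy code. The real proxy does this itself, driven by the delimiter, allow_concat and delimited_password_length settings of the [ldap_server_auto] section; the function names, the keyword set and the sample inputs below are this example's own assumptions.

```python
"""Added illustration of splitting "password<delimiter>factor" as typed into
the password field of an LDAP application behind an MFA proxy.
NOT Duo Auth Proxy code; names and sample values are this example's own."""
from typing import NamedTuple, Optional

# Factor keywords a user may append instead of a numeric passcode
# (simplified set assumed for this example).
FACTOR_KEYWORDS = frozenset({"push", "phone", "sms"})


class SplitSecret(NamedTuple):
    password: str   # primary password, forwarded to the LDAPS server
    factor: str     # Duo passcode digits or a factor keyword


def split_concatenated_secret(
    secret: str,
    delimiter: str = ",",
    delimited_password_length: Optional[int] = None,
) -> Optional[SplitSecret]:
    """Split the typed secret into primary password and second factor.

    Returns None when no factor is present or the layout does not match the
    configuration. Two strategies:
    - fixed length: the primary password is exactly delimited_password_length
      characters long, so a password containing the delimiter is unambiguous;
    - last delimiter: otherwise split at the LAST delimiter, since a passcode
      never contains it but a password might.
    """
    if delimited_password_length is not None:
        n = delimited_password_length
        # Need n chars of password, then the delimiter, then a non-empty factor.
        if len(secret) < n + 2 or secret[n] != delimiter:
            return None
        return SplitSecret(secret[:n], secret[n + 1:])

    if delimiter not in secret:
        return None
    password, factor = secret.rsplit(delimiter, 1)
    if not password or not factor:
        return None
    return SplitSecret(password, factor)


def classify_factor(factor: str) -> Optional[str]:
    """'passcode' for an all-digit value, 'keyword' for an out-of-band
    factor word, None for anything else (a proxy would reject it)."""
    if factor.isdigit():
        return "passcode"
    if factor.lower() in FACTOR_KEYWORDS:
        return "keyword"
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for typed in ("S3cret!,123456", "pa,ss,word,123456", "Password1", "Password1,push"):
        parts = split_concatenated_secret(typed)
        if parts is None:
            print(f"{typed!r}: no factor appended")
        else:
            print(f"{typed!r}: password={parts.password!r} factor={parts.factor!r} "
                  f"kind={classify_factor(parts.factor)}")
```

The fixed-length mode is the safer choice when admin passwords are long and may contain commas; the last-delimiter split is only unambiguous because passcodes and factor keywords never contain the delimiter.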

Accepted Solution

Hello, sorry, I've been busy correcting it with some help. Here are the issues I was facing:
- not using the same service account for binding in my client application (it corrected the issue I created this thread for)
- configuration of the application in the Duo portal was missing: enable for all users
- configuration of the policy (global in my case since it's a POV/POC): allow passcodes (tick)

I will mark this as solved.

 


2 Replies

Since you're using LDAPS, does the bundle file include either the cert of ldaps_srv.domain.dom or the intermediate/root CA, if applicable?

In my experience this is usually straightforward, and the most common issues have been either certificate related or a typo in the bind path.

Does the same, identical ldapsearch command work when you test directly against AD (using, of course, the correct hostname and port)?

I would recommend you take a look at the Duo Auth Proxy log file to see if you can identify errors when the Duo Auth Proxy is communicating with AD via LDAPS.

 

---
Please mark helpful answers & solutions
---
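One quick way to separate the two failure classes the reply above distinguishes (certificate/transport problems versus a bad bind) is to look at the diagnostic string in the ldapsearch output. The helper below is an added example, not from the thread or from Duo: it extracts the "data NNN" code that Active Directory returns on a failed simple bind and maps it to its documented meaning. The function and constant names are this example's own; the sample message is the one quoted in the question.

```python
"""Added triage helper for AD simple-bind failures seen through an LDAP proxy.
Not Duo Auth Proxy code; names are this example's own."""
import re
from typing import NamedTuple, Optional

# Well-known 'data' codes in AD's AcceptSecurityContext bind diagnostics.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind identity is not the one AD expects)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+)")


class BindDiagnosis(NamedTuple):
    data_code: str
    meaning: str


def diagnose_bind_error(message: str) -> Optional[BindDiagnosis]:
    """Return the AD data code and its meaning, or None when the message
    carries no AD diagnostic at all (a TLS, connectivity or proxy-side
    failure never produces an AcceptSecurityContext string)."""
    m = _DATA_RE.search(message)
    if m is None:
        return None
    code = m.group("data").lower()
    return BindDiagnosis(code, AD_BIND_DATA_CODES.get(code, "unrecognised data code"))


# The diagnostic exactly as quoted in the question.
SAMPLE_FROM_THREAD = (
    "ldap_bind: Invalid credentials (49)\n"
    "additional info: 80090308: LdapErr: DSID-0C090527, comment: "
    "AcceptSecurityContext error, data 52e, v4563"
)

if __name__ == "__main__":
    result = diagnose_bind_error(SAMPLE_FROM_THREAD)
    if result is None:
        print("no AD diagnostic: check TLS trust, hostname and the proxy log first")
    else:
        print(f"AD rejected the bind: data {result.data_code} = {result.meaning}")
```

Run against the thread's own output, the helper reports 52e: AD itself rejected the credentials, so the request did traverse the proxy and its TLS session to ldaps_srv.domain.dom, and a CA-bundle problem can be ruled out for that particular failure. That is consistent with the resolution the original poster reached, namely that the application was not binding with the same service account the proxy uses.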
