Cool; I was lazy for this particular test and gave some pretty wide-ranging permissions.

This is a hack, but I added “entryUUID” as an alternate name for ipaUniqueID in the base schema definition for my FreeIPA instance: dc1:/etc/dirsrv/slapd-CONTOSO-COM/schema/60basev2.ldif dn: cn=schema attributeTypes: (2.16.840.1.113730.3.8.3.1 NAME (...

I’m evaluating Duo against FreeIPA, and running into this same problem, for what it’s worth. It seems like with the right permissions, the Duo auth proxy client returns entryDN, but as artemis already point out, there’s no “entryUUID” attribute (“ipa...