Hi,
In my test lab I would like to authenticate a Check Point VPN user via Duo MFA, but it seems the Duo auth proxy sends the request to the LDAP server with the user attribute sAMAccountName, even though uid is configured as the user attribute. Here is my config file:
[ad_client]
host=10.10.x.x
service_account_username=xxx
service_account_password=xxx
search_dn=dc=xxx,dc=xxx
bind_dn=cn=xxx,dc=xxx,dc=xxx
username_attribute=uid
port=389
auth_type=plain
timeout=60
[ldap_server_auto]
client=ad_client
ikey=xxx
skey=xx
api_host=api-xxx
exempt_ou_1=CN=xxx,dc=xxx,dc=xxx
exempt_primary_bind=false
LDAP server logs:
2024-10-17T17:49:28.570276+0200 [ldap_server_auto,0,10.10.40.104] S<-C LDAPMessage(id=2, value=LDAPSearchRequest(baseObject=b'dc=valkyr,dc=hu',
scope=2, derefAliases=0, sizeLimit=0, timeLimit=0, typesOnly=0, filter=LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value=b'objectclass'),
assertionValue=BEROctetString(value=b'user')), LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value=b'sAMAccountName'), assertionValue=BEROctetString(value=b'john'))]),
attributes=[b'cn', b'sAMAccountName', b'sn', b'mail', b'proxyAddresses', b'userPrincipalName', b'objectSid', b'sIDHistory', b'fullName', b'displayName', b'description',
b'objectclass', b'fw1hour-range-from', b'fw1hour-range-to', b'accountExpires', b'fw1day', b'fw1allowed-dst', b'fw1allowed-src', b'fw1auth-method', b'userAccountControl',
b'fw1userPwdPolicy', b'memberoftemplate', b'mobile', b'fw1BadPwdCount', b'fw1lastLoginFailure', b'pwdLastSet', b'memberOf', b'fw1auth-server', b'fw1auth-server',
b'fw1groupTemplate', b'fw1sr-auth-track', b'fw1enc-methods', b'fw1ISAKMP-EncMethod', b'fw1ISAKMP-AuthMethods', b'fw1ISAKMP-HashMethods', b'fw1ISAKMP-Transform',
b'fw1ISAKMP-DataIntegrityMethod', b'fw1ISAKMP-SharedSecret', b'fw1ISAKMP-DataEncMethod', b'', b'givenName', b'surname']), controls=None)
What could be the reason for searching for sAMAccountName instead of uid?
Thanks,
Mihaly
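As an added diagnostic (not code from the post, and not Duo's own tooling), a small Python check that reads username_attribute from the proxy config and parses a debug log line of the kind quoted above, listing which attributes the search filter actually matches on and which direction marker and peer the line records. The config fragment and log line below are constructed; the meaning of the S<-C marker is an assumption about the log format.

```python
import re
from configparser import ConfigParser

# Constructed sample: an authproxy.cfg fragment and one debug log line of the kind
# quoted in the post (domain and hostnames anonymised).
AUTHPROXY_CFG = """
[ad_client]
host=10.10.x.x
username_attribute=uid
[ldap_server_auto]
client=ad_client
"""
LOG_LINE = (
    "2024-10-17T17:49:28.570276+0200 [ldap_server_auto,0,10.10.40.104] S<-C "
    "LDAPMessage(id=2, value=LDAPSearchRequest(baseObject=b'dc=example,dc=test', scope=2, "
    "filter=LDAPFilter_and(value=[LDAPFilter_equalityMatch(attributeDesc=BEROctetString("
    "value=b'objectclass'), assertionValue=BEROctetString(value=b'user')), "
    "LDAPFilter_equalityMatch(attributeDesc=BEROctetString(value=b'sAMAccountName'), "
    "assertionValue=BEROctetString(value=b'john'))]), attributes=[b'cn']), controls=None)"
)

# Log header: timestamp [section,connection,peer] direction ...
HEADER_RE = re.compile(r"^\S+ \[(?P<section>[^,\]]+),\d+,(?P<peer>[^\]]+)\] (?P<dir>[SC][<>-]{2}[SC]) ")
# Attribute named in each equalityMatch component of the search filter
EQ_RE = re.compile(r"LDAPFilter_equalityMatch\(attributeDesc=BEROctetString\(value=b'([^']*)'\)")

def configured_username_attribute(cfg_text, section="ad_client"):
    """username_attribute from [ad_client]; Duo's documented default is sAMAccountName."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    return cp.get(section, "username_attribute", fallback="sAMAccountName")

def check_search_request(cfg_text, line):
    """Parse one LDAPSearchRequest log line and compare its filter with the configured
    attribute. Returns None for other lines. Assumption about the log format: 'S<-C' marks
    a message the proxy's server section received from the connecting client."""
    m = HEADER_RE.match(line)
    if not m or "LDAPSearchRequest" not in line:
        return None
    expected = configured_username_attribute(cfg_text)
    attrs = EQ_RE.findall(line)
    return {
        "section": m["section"], "peer": m["peer"], "direction": m["dir"],
        "from_downstream_client": m["dir"] == "S<-C",
        "configured_attribute": expected,
        "filter_attributes": attrs,
        "unexpected_attributes": [a for a in attrs if a.lower() not in ("objectclass", expected.lower())],
    }
```

Run it over the real authproxy debug log to see, per search request, which side of the proxy the request arrived from and whether its filter attribute matches what [ad_client] is configured to use.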