10-01-2024 06:10 AM
In our setupm we would like to integrage Palo Alto Globalprotect with dou MFA using local LDAP server for authentication. We would like to use plain text passwords for testing purposes, but it seems, duo executes SASL(GSSAPI) authetication method, even though this is disabled.
Config file(hostnames and other personal data are correct in original file):
[ad_client]
host=x.x.x.x
service_account_username=admin
service_account_password=xxx
search_dn=cn=Users,dc=xxx,dc=xxx
port=389
use_gssapi=false
security=plain
timeout=60
[ldap_server_auto]
client=ad_client
ikey=xxx
skey=xxx
api_host=api-xxx
use_gssapi=false
The config above is working without duo, I mean if I create an LDAP profile in Palo firewall pointing directly to LDAP server, the authentication is successfull.
If I create an LDAP profile pointing to duo proxy server, I get the following error:
2024-10-01T15:07:02.194352+0200 [duoauthproxy.lib.log#info] Failed to look up username for 2FA: "other: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (Key table file '/etc/krb5.keytab' not found)"
How to avoid this? Why SASL is in scope if I disabled?
Thanky you for the help in advance!
Solved! Go to Solution.
10-01-2024 07:22 AM
I think you meant to use "auth_type=plain" in the ad_client section, not "security=plain"? Also "use_gssapi" isn't a valid option for authproxy.cfg.
Read about the auth_type option and its additional requirements here: https://duo.com/docs/authproxy-reference#ad_client
10-01-2024 07:22 AM
I think you meant to use "auth_type=plain" in the ad_client section, not "security=plain"? Also "use_gssapi" isn't a valid option for authproxy.cfg.
Read about the auth_type option and its additional requirements here: https://duo.com/docs/authproxy-reference#ad_client
10-03-2024 01:03 AM
Thank you for the correction, I was working with an incorrect sample file...Even though this issue solved, I have a new one. User credentials are asked with wrong DN somehow, so the LDAP server refuses the request. My curren Duo config file is the following:
[main]
debug=true
[ad_client]
host=x.x.x.x
service_account_username=x
service_account_password=x
search_dn=dc=xxx,dc=xx
port=389
auth_type=plain
timeout=60
[ldap_server_auto]
client=ad_client
ikey=x
skey=x
api_host=api-x
Log from Dou Proxy:
2024-10-03T09:47:23.868123+0200 [Uninitialized] C->S LDAPMessage(id=8, value=LDAPBindRequest(version=3, dn='<ROOT>', auth='****', sasl=False), controls=None)
2024-10-03T09:47:23.868819+0200 [_ADServiceClientProtocol,client] C<-S LDAPMessage(id=8, value=LDAPBindResponse(resultCode=34, errorMessage=b'invalid DN'), controls=None)
2024-10-03T09:47:23.869426+0200 [duoauthproxy.lib.log#info] Failed to look up username for 2FA: 'invalidDNSyntax: invalid DN'
Logs from openLDAP:
2024-10-03T09:47:23.842694+02:00 auth-server slapd[1284]: conn=1054 fd=15 ACCEPT from IP=10.10.40.91:59072 (IP=0.0.0.0:389)
2024-10-03T09:47:23.843158+02:00 auth-server slapd[1284]: conn=1054 op=0 do_bind: invalid dn (<ROOT>)
2024-10-03T09:47:23.843217+02:00 auth-server slapd[1284]: conn=1054 op=0 RESULT tag=97 err=34 qtime=0.000011 etime=0.000049 text=invalid DN
Palo Alto config:
Palo Alto Globalprotect user can authenticate via this LDAP server without Duo, by integrating Duo to setup I ran into this issue. I cant find that part of the config, which can cause this. Can you give me a hint?
10-03-2024 01:16 AM
Found the root-cause in documentation. Thx
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide