Duo provides an authentication proxy for applications that use LDAP for authentication but cannot directly support 2-factor. As the name implies, the proxy runs as a server that accepts LDAP requests and proxies them to a different LDAP server, while also handling Duo 2-factor authentication.
VT Middleware runs the Duo authentication proxy at the following LDAP URIs:
Performing LDAP binds against ldaps://login.directory.vt.edu does the following:
- Attempts a bind to ED-Auth.
- If successful, attempts Duo 2FA.
- If both of the above are successful, LDAP success!
Typically a user of an application that authenticates with LDAP will need to supply their username and password. With 2FA, we need to authenticate with one of our other factors. The question then becomes: how do we provide this other factor when LDAP simple binds provide no challenge/response phase?
By default the Duo authentication proxy uses an out-of-band factor, i.e. the ‘push’ or ‘phone’ factor. In this case, you don’t have to do anything. Simply log in as usual.
The password you enter in this case will be:
Note that if you have both push and phone factors and don’t specify a factor, the push factor will always be used.
Optionally, you can also specify which factor you would like to use by sending the password, a comma (‘,’), and a factor keyword, which is one of:
- auto (the auto factor)
- push (Duo push: send a push to the Duo app)
- phone (call the user’s phone)
- passcode (the actual passcode, e.g. 123456)
If you have a passcode from either the app or a hardware token, you can use it explicitly:
If you have multiple types of a factor, you can specify it with a number:
SMS factor (auth will fail, but you will be sent passcodes that can be used later):
A quick example of a bind with ldapsearch follows. Note that this proxies a bind against authn.directory.vt.edu, so you must use your PID password.
ldapsearch -H ldaps://login.directory.vt.edu -x -b dc=vt,dc=edu -D uid=1152120,ou=people,dc=vt,dc=edu -w password,push uupid=dhawes
Duo authentication times out at 60 seconds. Some LDAP clients set their timeout defaults much lower, which can cause problems authenticating against login.directory.vt.edu.
It is recommended to set your LDAP client to a 60s bind timeout.
- Must use LDAP over SSL (ldaps://) or LDAP with StartTLS.
- User must be eligible for 2FA.
- U2F is not supported.
- A user without a Duo account will receive an Invalid Credentials response from the directory (err=49), with a response message of: “Access denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator.”
- OSX - Binds twice on login. If using Duo push, you will get two notifications. If using other factors, you may have difficulty.
- PADL pam_ldap - A hardcoded default of 10 seconds requires whatever factor you use to be used in under that time limit.
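The following is an added example, not code from the VT Middleware page or from Duo: it builds the password,factor bind string described above, performs the bind with python-ldap using the recommended 60s timeout over ldaps:// or StartTLS, and tells the “no Duo account” err=49 rejection apart from an ordinary wrong password by matching the response message quoted above. The bind DN and the `python-ldap` dependency are assumptions; the verifiable helpers run without the library installed.

```python
"""Added example (not from the VT Middleware page): Duo-proxy LDAP bind helpers.

Assumes python-ldap for the network part; the pure helpers need only the
standard library. Host and DN values are placeholders, not real accounts.
"""
import re
import sys
from typing import Optional

# Factor keywords the proxy accepts after the comma. A trailing digit selects
# one of several enrolled devices of that type (e.g. "phone2").
_FACTOR_RE = re.compile(r"^(auto|push|phone|sms)\d*$")
# A passcode from the Duo app or a hardware token is all digits (page example: 123456).
_PASSCODE_RE = re.compile(r"^\d+$")

# Diagnostic message the directory returns for a user with no Duo account (err=49).
NO_DUO_ACCOUNT_MSG = (
    "Access denied. The username you have entered cannot authenticate with Duo Security."
)


def build_bind_password(password: str, factor: Optional[str] = None) -> str:
    """Return the value to send as the LDAP simple-bind password.

    With no factor the proxy uses its out-of-band default (push if enrolled,
    otherwise phone), so the plain password is returned unchanged.
    """
    if factor is None:
        return password
    keyword = factor.strip().lower()
    if not (_FACTOR_RE.match(keyword) or _PASSCODE_RE.match(keyword)):
        raise ValueError(f"unsupported Duo factor keyword: {factor!r}")
    return f"{password},{keyword}"


def classify_bind_failure(result_code: int, diagnostic: str) -> str:
    """Map an LDAP bind failure to a cause a help desk can act on.

    err=49 is returned both for a wrong password and for a user who is not
    enrolled in Duo; only the diagnostic message distinguishes the two.
    """
    if result_code == 49:
        if diagnostic.startswith(NO_DUO_ACCOUNT_MSG):
            return "no-duo-account"
        return "invalid-credentials"
    return "other"


def duo_bind(uri: str, bind_dn: str, password: str,
             factor: Optional[str] = None, timeout: int = 60) -> str:
    """Bind through the Duo proxy; returns "ok", "timeout", or a classify_bind_failure() value."""
    import ldap  # python-ldap; imported here so the helpers above run without it

    # Duo waits up to 60 s for the second factor; libldap's defaults may be lower.
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
    conn.set_option(ldap.OPT_TIMEOUT, timeout)  # governs the synchronous bind call
    try:
        if uri.lower().startswith("ldap://"):
            conn.start_tls_s()  # plaintext binds are not accepted; upgrade first
        conn.simple_bind_s(bind_dn, build_bind_password(password, factor))
        return "ok"
    except ldap.INVALID_CREDENTIALS as exc:
        info = exc.args[0].get("info", "") if exc.args else ""
        return classify_bind_failure(49, info)
    except ldap.TIMEOUT:
        return "timeout"
    finally:
        conn.unbind_s()


if __name__ == "__main__":
    # Usage: python duo_bind.py 'uid=PLACEHOLDER,ou=people,dc=vt,dc=edu' password [factor]
    dn, pw = sys.argv[1], sys.argv[2]
    chosen = sys.argv[3] if len(sys.argv) > 3 else None
    print(duo_bind("ldaps://login.directory.vt.edu", dn, pw, chosen))
```

The factor keyword is validated before the bind so a typo (for example a U2F attempt, which the proxy does not support) fails locally instead of consuming a 60s Duo round trip.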