Hi Team,
We are stuck configuring OpenLDAP to enable multi-factor authentication for LDAP users. As per the Duo support team, to do this we need to configure the schema to include the memberOf overlay for groups, and the following requirements must be satisfied:
Synced groups must have the groupOfNames object class.
Synced groups must list their members by DN (directoryName) via the member attribute.
Synced groups must have a cn attribute, used as the Duo group name after import.
Synced groups must also have the attributes entrydn (used as the distinguished name) and entryuuid (the group unique identifier).
Synced users must list group memberships by DN using the memberOf attribute.
Synced users must have the organizationalPerson object class.
We are trying to enable multi-factor authentication using the Duo Auth Proxy and Duo Admin Panel configuration for LDAP users.
The LDAP server is syncing successfully with the Duo Admin Portal, but group and user details are not being fetched at the Duo Admin Portal. The Duo support team mentioned changing the LDAP configuration as described in the article linked below. Can you please share some reference document for making the required changes?
https://duo.my.site.com/s/article/4529?language=en_US
Regards,
Ajay Kumar
Engineering Cloud Ops | Bharti Airtel Ltd.
Mob.: +91 8510020994
--On Friday, August 16, 2024 5:19 AM +0000 Ajay Kumar Ajay41.Kumar@airtel.com wrote:
> Hi Team,
> We are stuck configuring OpenLDAP to enable multi-factor
> authentication for LDAP users. As per the Duo support team, to do this we need to configure the schema to include the memberOf overlay for groups, and the following requirements must be satisfied:
It would be useful for you to provide what version of OpenLDAP you are running.
The OpenLDAP documentation, including for the memberOf overlay, can be found at https://www.openldap.org
> Synced groups must have the groupOfNames object class.
This is something that whatever process you have that creates groups does.
> Synced groups must list their members by DN (directoryName) via the member attribute.
Same as above
> Synced groups must have a cn attribute, used as the Duo group name after import.
Same as above.
> Synced groups must also have the attributes entrydn (used as the distinguished name) and entryuuid (the group unique identifier).
These are operational attributes that the server automatically creates.
> Synced users must list group memberships by DN using the memberOf attribute.
See the documentation for the memberOf overlay.
> Synced users must have the organizationalPerson object class.
This is something that whatever process you have that creates users does. I would note that you could use higher-level object classes that inherit from organizationalPerson just fine (i.e., inetOrgPerson, which is what most people use).
> The LDAP server is syncing successfully with the Duo Admin Portal,
> but group and user details are not being fetched at the Duo Admin Portal. The Duo support team mentioned changing the LDAP configuration as described in the article linked below. Can you please share some reference document for making the required changes?
Again, the documentation for OpenLDAP can be found at https://www.openldap.org/
openldap-technical@openldap.org
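As an added example (not from either message in this thread, and not Duo's or the OpenLDAP project's own configuration), the LDIF below satisfies the six requirements listed in the original message on an OpenLDAP server using cn=config: it loads and attaches slapo-memberof with the groupOfNames/member/memberOf trio Duo asks for, then adds one user and one group shaped the way Duo expects. It assumes a dynamic-module build with the module list at cn=module{0},cn=config, a data database at olcDatabase={1}mdb,cn=config, and a suffix of dc=example,dc=com with ou=people and ou=groups already present; adjust those to match your server.

```ldif
# --- Part 1: enable slapo-memberof. Apply against the config database with
#     root privileges, e.g.  ldapmodify -Y EXTERNAL -H ldapi:/// -f part1.ldif
#
# Assumption: slapd was built with dynamic modules and the module list lives
# at cn=module{0},cn=config. On a static build this first record is not needed.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la

# Assumption: the data database is olcDatabase={1}mdb,cn=config. Confirm with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcSuffix=*)' dn olcSuffix
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
# Which object class and attribute the overlay watches on the group side, and
# which attribute it maintains on the user side: exactly what Duo requires.
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
# Remove memberOf values from users when a group is deleted or a member removed,
# so the attribute does not drift from the real membership.
olcMemberOfRefInt: TRUE
# Reject member values that point at entries which do not exist, rather than
# silently storing a dangling DN that Duo would then fail to resolve.
olcMemberOfDangling: error

# --- Part 2: a user and a group in the shape Duo expects. Apply as the
#     directory admin AFTER part 1, e.g.
#     ldapadd -x -H ldap://localhost -D cn=admin,dc=example,dc=com -W -f part2.ldif
#
# inetOrgPerson is a subclass of organizationalPerson, so it meets the
# "organizationalPerson object class" requirement without using that class directly.
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@example.com

# groupOfNames requires at least one member, and members are full DNs.
# With the overlay active, writing this entry adds
#   memberOf: cn=duo-users,ou=groups,dc=example,dc=com
# to uid=jdoe; cn becomes the Duo group name after import.
dn: cn=duo-users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: duo-users
member: uid=jdoe,ou=people,dc=example,dc=com
```

To check the result, request the attributes by name, since memberOf (as defined by the overlay), entryDN and entryUUID are operational attributes and are not returned by a default search: `ldapsearch -x -H ldap://localhost -D cn=admin,dc=example,dc=com -W -b ou=people,dc=example,dc=com '(uid=jdoe)' memberOf entryDN entryUUID` should show all three on the user, and the same search with `+` instead of the attribute list shows every operational attribute. Two caveats a practitioner will hit: slapo-memberof acts only on write operations, so groups that already existed before the overlay was attached do not get memberOf populated until their member values are rewritten (re-adding the groups, or a slapcat/slapadd of the database, takes care of that); and whatever bind DN the Duo sync uses needs ACL read access to member, memberOf and entryUUID, or the portal will still show empty groups. OpenLDAP 2.5 and later deprecate slapo-memberof in favour of slapo-dynlist, which can synthesize memberOf at search time instead of storing it, so the version question asked in the reply above decides which overlay's documentation to follow.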