When the transport type is CLEAR and the auth_type is ntlm2 (the proxy default) or sspi, Authentication Proxy v5.0 and later will use LDAP Signing and Encryption (or “Sign and Seal”) if the domain controller allows it.
We do recommend you select a choice other than “clear”. (There should be little practical difference between “ldaps” and “starttls”.)
If your Active Directory server is configured with an SSL certificate
The proxy defaults to “clear” communication because not all Active Directory server configurations will support SSL/TLS out-of-the-box. To enable either “ldaps” or “starttls”, your Active Directory server must be configured with an SSL certificate.
Wrap the entire LDAP connection in SSL. Unless you specify a custom port, this will cause the proxy to contact your Active Directory server on port 636 rather than 389.
If matching a user’s group membership with memberOf, the user must be a direct member of a group specified in the filter. If ldap_filter and security_group_dn are both set
Starting with Authentication Proxy v3.2.0, the security_group_dn may be the DN of an AD user’s primary group. Prior versions do not support primary groups.
To further restrict access, specify the LDAP distinguished name (DN) of a security group that contains the users who should be able to log in as direct group members. Nested groups are not supported. Users who are not direct members of the specified group will not pass primary authentication. Example:
If you’re on Windows and would like to encrypt this password, see Encrypting Passwords and use service_account_password_protected instead.
Multiple client types may coexist in the same configuration file, which means you can have any mixture of [ad_client]
Multiple server section configurations can use the same client section configuration. To configure more than one client configuration of the same type (in order to specify a different primary authentication source for some of your applications), append a number to the section name, e.g. [ad_client2] or [radius_client2].
When deploying the Duo Authentication Proxy in order to service user authentications, you will need to include one or more of the following configuration sections. These sections provide the proxy the information it needs to act as a client
Note that if the Authentication Proxy is configured to use an upstream HTTP proxy, then it cannot also act as an HTTP proxy for Duo applications itself.
Hostname or IP address of an HTTP proxy. If set, it will be used for communicating with Duo Security’s service. Must support the CONNECT protocol.
Log to syslog when set to “true”. Only available for Unix systems. 2 or later. If log_auth_events is enabled, the SIEM-consumable event entries do not redirect to syslog.
Log to stdout when set to “true”. If log_auth_events is enabled, the SIEM-consumable event entries do not redirect to stdout.
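A single authproxy.cfg that applies the settings discussed above (transport choice, the 636/389 port rule, direct-member group restriction, a second numbered client section, the upstream CONNECT proxy and the logging flags), as an added example rather than a configuration taken from the Duo documentation. Every host name, DN, path and port value is a constructed placeholder, and the keys not quoted on this page (host, port, search_dn, service_account_username, ssl_ca_certs_file, http_proxy_host, http_proxy_port, log_stdout) are assumed from the Duo Authentication Proxy reference.

```ini
; Added example, not the page's own text. All host names, DNs and paths are placeholders.
[main]
; Upstream HTTP proxy for reaching Duo's service; it must support CONNECT.
; With this set, the Authentication Proxy cannot also act as an HTTP proxy itself.
http_proxy_host=proxy.example.internal
http_proxy_port=3128
; Log to stdout. With log_auth_events enabled, the SIEM-consumable event
; entries are NOT redirected to stdout (the same holds for syslog).
log_stdout=true
log_auth_events=true

[ad_client]
host=dc1.example.internal
; Weak setting: plain LDAP on 389. Sign and Seal is applied only when the
; domain controller allows it and auth_type is ntlm2 (default) or sspi.
; transport=clear
; Hardened setting: wrap the whole connection in SSL. Port 636 is what the
; proxy uses for ldaps unless a custom port is given; the CA file lets the
; proxy validate the domain controller's certificate.
transport=ldaps
port=636
ssl_ca_certs_file=/etc/duoauthproxy/ad-ca.pem
service_account_username=duo-ldap-svc
; On Windows an encrypted value goes in service_account_password_protected
; instead of service_account_password.
service_account_password_protected=<encrypted-value-placeholder>
search_dn=DC=example,DC=internal
; Only DIRECT members of this group pass primary authentication; nested
; groups are not evaluated (a user's primary group counts from v3.2.0).
security_group_dn=CN=VPN Users,OU=Groups,DC=example,DC=internal

; A second client of the same type: append a number to the section name.
[ad_client2]
host=dc1.lab.example.internal
; STARTTLS negotiates TLS on the standard port, so 389 stays in use here.
transport=starttls
port=389
ssl_ca_certs_file=/etc/duoauthproxy/lab-ca.pem
service_account_username=duo-ldap-svc
service_account_password_protected=<encrypted-value-placeholder>
search_dn=DC=lab,DC=example,DC=internal
```

Server sections then reference either client by name, so applications that need the lab forest point at ad_client2 while the rest keep the default ad_client.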