2-Factor (Duo) Directory

Introduction

Duo provides an authentication proxy for applications that use LDAP for authentication but cannot directly support 2-factor. As the name implies, the proxy runs as a server that accepts LDAP requests and proxies them to a different LDAP server, while also handling Duo 2-factor authentication.

VT Middleware runs the Duo authentication proxy at the following LDAP URIs:

Performing LDAP binds against ldaps://login.directory.vt.edu does the following: the simple bind is proxied to authn.directory.vt.edu (so the password is your PID password), and the proxy then performs Duo 2-factor authentication for the bound user before returning a bind result.

Usage

Typically a user of an application that authenticates with LDAP supplies only a username and password. With 2FA a second factor must also be presented, but an LDAP simple bind carries just a DN and a password and has no challenge/response phase. The proxy therefore reads the factor choice out of the password field itself, as described below.

By default the Duo authentication proxy uses an out-of-band factor, i.e. push or phone. In this case you do not have to do anything special: bind with your password as usual and approve the push (or answer the call) when it arrives.

The password you enter in this case is just:

password

Note that if you have both push and phone enrolled and do not specify a factor, push is always used.

Optionally, you can specify which factor you would like to use by sending the password, a comma (‘,’), and a factor keyword, which is one of:

auto
push
phone
passcode (the actual passcode, e.g. 123456)

The auto factor

password,auto

Duo push (send a push to the Duo app)

password,push

Phone (call the user’s phone)

password,phone

Passcode

If you have a passcode from either the app or a hardware token, you can use it explicitly:

password,123456

Multiple types

If you have more than one device enrolled for a factor, append the device's number to the keyword to choose one (phone2 calls the second enrolled phone):

password,phone2

SMS

SMS factor (the bind itself fails, but Duo sends you passcodes by SMS that can then be used with the passcode form above):

password,sms

Example

A quick example of a bind with ldapsearch follows. Note that this proxies the bind to authn.directory.vt.edu, so you must use your PID password, and the search only runs once you approve the push. Passing the password with -w puts it in your shell history and process listing; for interactive use prefer -W, which prompts for it (type the ",push" suffix at the prompt).

ldapsearch -H ldaps://login.directory.vt.edu -x -b dc=vt,dc=edu -D uid=1152120,ou=people,dc=vt,dc=edu -w password,push uupid=dhawes

Timeouts

Duo authentication times out at 60 seconds, and the bind does not return until the user has approved (or the timeout has passed). Some LDAP clients set their bind or network timeout defaults much lower, which causes binds against login.directory.vt.edu to fail while the user is still approving the push.

It is recommended to set your LDAP client's bind timeout to 60 seconds (for OpenLDAP-based clients, TIMEOUT 60 in ldap.conf).
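The following is an added example, not VT Middleware's or Duo's code, showing what the factor suffix described above actually is on the wire: an RFC 4511 simple BindRequest whose password octet string is "password,factor". It builds and decodes the BER messages by hand so the mechanism is visible, and the bind_over_tls helper (not run here; it needs network access from an allowed address) uses the 60-second timeout from the Timeouts section. The factor keyword grammar, the LDAPS port and the DN are assumptions marked in the code.

```python
"""Added example (not VT Middleware code): an LDAP simple bind against the Duo
authentication proxy, with the Duo factor carried in the password field."""
import re
import socket
import ssl
from typing import Optional, Tuple

PROXY_HOST = "login.directory.vt.edu"   # from the page
PROXY_PORT = 636                        # assumption: default LDAPS port
BIND_TIMEOUT = 60.0                     # seconds; Duo gives the user 60 s to approve

# Assumption: push/phone/sms may carry a device index (phone2); passcodes are digits.
_FACTOR_RE = re.compile(r"(?:auto|(?:push|phone|sms)[0-9]*|[0-9]+)")


def compose_bind_password(password: str, factor: Optional[str] = None) -> str:
    """String sent in the bind's password field: password, or password,factor."""
    if factor is None:
        return password                       # proxy falls back to push/phone
    if not _FACTOR_RE.fullmatch(factor):
        raise ValueError(f"unsupported factor keyword: {factor!r}")
    return f"{password},{factor}"


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(value: int) -> bytes:
    """INTEGER in minimal two's-complement form (enough for IDs and versions)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))


def build_bind_request(message_id: int, bind_dn: str, password: str,
                       factor: Optional[str] = None) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.

    BindRequest is [APPLICATION 0] (tag 0x60) and the simple authentication
    choice is [0] (tag 0x80).  The Duo factor rides inside that octet string,
    which is why no challenge/response phase is needed.
    """
    secret = compose_bind_password(password, factor).encode("utf-8")
    bind_request = _tlv(0x60,
                        _ber_int(3)                              # version
                        + _tlv(0x04, bind_dn.encode("utf-8"))    # name
                        + _tlv(0x80, secret))                    # simple auth
    return _tlv(0x30, _ber_int(message_id) + bind_request)     # LDAPMessage


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_result_code(msg: bytes) -> int:
    """resultCode of a BindResponse ([APPLICATION 1], tag 0x61); 0 is success,
    49 is invalidCredentials (wrong password or Duo denial/timeout)."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(body, 0)                 # skip messageID
    op_tag, op_body, _ = _read_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError(f"expected BindResponse, got tag {op_tag:#x}")
    _, code, _ = _read_tlv(op_body, 0)             # ENUMERATED resultCode
    return int.from_bytes(code, "big")


def bind_over_tls(bind_dn: str, password: str, factor: Optional[str] = None,
                  host: str = PROXY_HOST, port: int = PROXY_PORT) -> int:
    """Perform one simple bind over LDAPS and return the LDAP resultCode.

    Not exercised offline.  The socket timeout is the full 60 s so a push
    approval can complete; the context verifies the proxy's certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=BIND_TIMEOUT) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_bind_request(1, bind_dn, password, factor))
            reply = tls.recv(4096)      # a BindResponse is small; one recv suffices
    return parse_bind_result_code(reply)


if __name__ == "__main__":
    # Placeholder DN (assumption); the 0x80 octet string below holds "pw,push".
    print(build_bind_request(1, "uid=1152120,ou=people,dc=vt,dc=edu", "pw", "push").hex())
```

Because the factor is just part of the password string, anything that logs or caches bind credentials (an application's connection pool, a debugging proxy) will also capture the chosen factor; a captured "password,123456" replays only until that passcode is consumed, but a captured "password,push" replays for as long as the password is valid and the user keeps approving pushes.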

Requirements

Caveats

Client notes

Allowed IP Addresses

IP (CIDR)           Netmask                                   Start IP                                  End IP
198.82.0.0/16       255.255.0.0                               198.82.0.0                                198.82.255.255
128.173.0.0/16      255.255.0.0                               128.173.0.0                               128.173.255.255
38.68.224.0/20      255.255.240.0                             38.68.224.0                               38.68.239.255
38.68.240.0/24      255.255.255.0                             38.68.240.0                               38.68.240.255
38.68.241.0/24      255.255.255.0                             38.68.241.0                               38.68.241.255
38.68.251.0/24      255.255.255.0                             38.68.251.0                               38.68.251.255
38.68.252.0/24      255.255.255.0                             38.68.252.0                               38.68.252.255
38.68.254.0/24      255.255.255.0                             38.68.254.0                               38.68.254.255
172.16.0.0/12       255.240.0.0                               172.16.0.0                                172.31.255.255
45.3.96.0/22        255.255.252.0                             45.3.96.0                                 45.3.99.255
2001:468:c80::/48   FFFF:FFFF:FFFF:0000:0000:0000:0000:0000   2001:0468:0C80:0000:0000:0000:0000:0000   2001:0468:0C80:FFFF:FFFF:FFFF:FFFF:FFFF
2607:b400::/40      FFFF:FFFF:FF00:0000:0000:0000:0000:0000   2607:B400:0000:0000:0000:0000:0000:0000   2607:B400:00FF:FFFF:FFFF:FFFF:FFFF:FFFF
2607:b400:800::/48  FFFF:FFFF:FFFF:0000:0000:0000:0000:0000   2607:B400:0800:0000:0000:0000:0000:0000   2607:B400:0800:FFFF:FFFF:FFFF:FFFF:FFFF
2002:80ad::/32      FFFF:FFFF:0000:0000:0000:0000:0000:0000   2002:80AD:0000:0000:0000:0000:0000:0000   2002:80AD:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
2002:c652::/32      FFFF:FFFF:0000:0000:0000:0000:0000:0000   2002:C652:0000:0000:0000:0000:0000:0000   2002:C652:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
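The following is an added example, not part of this page, for checking ahead of time whether a client will be accepted: it loads the ranges from the table above into Python's standard ipaddress module and reports which range (if any) contains a given address. The test addresses are constructed. Two details worth noting: 172.16.0.0/12 is RFC 1918 space, so what matters is the source address the proxy actually sees after any NAT, not the client's own view of its address; and the two 2002::/32 rows are simply the 6to4 mappings of the 128.173.0.0/16 and 198.82.0.0/16 rows (0x80AD = 128.173, 0xC652 = 198.82), which the last function derives.

```python
"""Added example (not VT Middleware code): is a client source address inside
the proxy's allowed ranges?  Ranges are copied from the table on this page."""
import ipaddress
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

ALLOWED_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "198.82.0.0/16", "128.173.0.0/16",
    "38.68.224.0/20", "38.68.240.0/24", "38.68.241.0/24",
    "38.68.251.0/24", "38.68.252.0/24", "38.68.254.0/24",
    "172.16.0.0/12",      # RFC 1918: applies to the address the proxy sees post-NAT
    "45.3.96.0/22",
    "2001:468:c80::/48", "2607:b400::/40", "2607:b400:800::/48",
    "2002:80ad::/32", "2002:c652::/32",
)]


def allowed_range_for(addr: str) -> Optional[Network]:
    """First allowed network containing addr, or None.

    Accepts IPv4 or IPv6 literals.  An IPv4-mapped IPv6 literal such as
    ::ffff:198.82.1.1 (what a dual-stack listener may report for an IPv4
    client) is unmapped first so it is matched against the IPv4 rows.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for net in ALLOWED_RANGES:
        if ip.version == net.version and ip in net:
            return net
    return None


def is_allowed(addr: str) -> bool:
    return allowed_range_for(addr) is not None


def sixto4_prefix(ipv4_cidr: str) -> ipaddress.IPv6Network:
    """6to4 prefix for an IPv4 network: 2002::/16 with the IPv4 bits embedded
    at bits 16..47, so an IPv4 /n becomes an IPv6 /(16+n).  Derived from the
    6to4 addressing rule, not from the page; used to show the 2002: rows
    correspond to the two VT /16s."""
    net = ipaddress.ip_network(ipv4_cidr)
    v6_int = (0x2002 << 112) | (int(net.network_address) << 80)
    return ipaddress.ip_network(f"{ipaddress.IPv6Address(v6_int)}/{16 + net.prefixlen}")


if __name__ == "__main__":
    for probe in ("198.82.1.1", "172.20.0.9", "8.8.8.8", "2607:b400:800::1"):
        print(f"{probe:>20}  ->  {allowed_range_for(probe)}")
```

If the check says a client is outside every range but the client still needs to bind, the fix is on the network side (VPN, NAT to an allowed address), not a different factor keyword; the proxy never sees the bind at all.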