2-Factor (Duo) Directory


Duo provides an authentication proxy for applications that use LDAP for authentication but cannot directly support 2-factor. As the name implies, the proxy runs as a server that accepts LDAP requests and proxies them to a different LDAP server, while also handling Duo 2-factor authentication.

VT Middleware runs the Duo authentication proxy at the following LDAP URIs:

Performing LDAP binds against ldaps://login.directory.vt.edu does the following:


Typically a user of an application that authenticates with LDAP will need to supply their username and password. With 2FA, we need to authenticate with one of our other factors. The question then becomes: how do we provide this other factor when LDAP simple binds provide no challenge/response phase?

By default the Duo authentication proxy uses an out-of-band factor, which is either the ‘push’ or the ‘phone’ factor. In this case, you don’t have to do anything. Simply log in as usual.

The password you enter in this case will be:


Note that if you have both push and phone factors and don’t specify a factor, the push factor will always be used.

Optionally, you can also specify which factor you would like to use by sending the password followed by a comma (‘,’) and a factor keyword, which is one of:

passcode (the actual passcode, e.g. 123456)

auto (the auto factor)

push (send a Duo push to the Duo app)

phone (call the user’s phone)


If you have a passcode from either the app or a hardware token, you can use it explicitly:


Multiple types

If you have multiple types of a factor, you can specify it with a number:



sms (the SMS factor: authentication will fail, but you will be sent passcodes that can be used in a later bind):



A quick example of a bind with ldapsearch follows. Note that this proxies a bind against authn.directory.vt.edu, so you must use your PID password.

ldapsearch -H ldaps://login.directory.vt.edu -x -b dc=vt,dc=edu -D uid=1152120,ou=people,dc=vt,dc=edu -w password,push uupid=dhawes
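The following Python helpers are an added example, not VT Middleware's or Duo's code. They build the ‘password,factor’ bind password described above on the client side, show how a proxy would split it back apart, and assemble the same ldapsearch command line as the example. Two details are assumptions made for this example rather than documented proxy behaviour: the factor keyword is taken to be whatever follows the last comma (so a password that itself contains commas still works), and a passcode is assumed to be a string of 6 to 8 digits.

```python
"""Helpers for Duo authentication-proxy LDAP binds (added example).

Bind password format from the page: <password>,<factor>, where <factor> is
passcode/auto/push/phone/sms, optionally followed by a device number
(e.g. phone2) when the user has several devices of one type.
"""
import re
from typing import List, Optional, Tuple

# Keyword factors, with an optional trailing device index (push, push2, ...).
_FACTOR_RE = re.compile(r"^(auto|push|phone|sms)(\d*)$")
# ASSUMPTION: passcodes from the app or a hardware token are 6-8 digits.
_PASSCODE_RE = re.compile(r"^\d{6,8}$")


def is_valid_factor(factor: str) -> bool:
    """True if `factor` is a keyword (optionally numbered) or a passcode."""
    return bool(_FACTOR_RE.match(factor) or _PASSCODE_RE.match(factor))


def build_bind_password(password: str, factor: Optional[str] = None) -> str:
    """Return the value to send as the LDAP simple-bind password.

    With no factor the proxy falls back to its out-of-band default
    (push if enrolled, otherwise phone), so the plain password is sent.
    """
    if not password:
        raise ValueError("password must not be empty")
    if factor is None:
        return password
    if not is_valid_factor(factor):
        raise ValueError(f"unrecognised Duo factor: {factor!r}")
    return f"{password},{factor}"


def split_bind_password(bind_password: str) -> Tuple[str, str, Optional[int]]:
    """Split a bind password into (password, factor, device_index).

    ASSUMPTION: the factor is the text after the LAST comma.  Anything that
    is not a recognised factor is treated as part of the password, and the
    factor is reported as 'default' (proxy picks push/phone).
    """
    head, sep, tail = bind_password.rpartition(",")
    if sep:
        m = _FACTOR_RE.match(tail)
        if m:
            keyword, idx = m.groups()
            return head, keyword, (int(idx) if idx else None)
        if _PASSCODE_RE.match(tail):
            return head, "passcode", None
    return bind_password, "default", None


def ldapsearch_argv(uri: str, bind_dn: str, password: str, factor: Optional[str],
                    base: str, search_filter: str) -> List[str]:
    """Build the ldapsearch argument vector for a bind through the proxy.

    The flags mirror the page's example: -H URI, -x simple bind, -b base,
    -D bind DN, -w bind password, then the search filter.
    """
    return [
        "ldapsearch", "-H", uri, "-x", "-b", base, "-D", bind_dn,
        "-w", build_bind_password(password, factor), search_filter,
    ]


if __name__ == "__main__":
    # Constructed sample credential; 'password' stands in for a real PID password.
    print(" ".join(ldapsearch_argv(
        "ldaps://login.directory.vt.edu",
        "uid=1152120,ou=people,dc=vt,dc=edu",
        "password", "push", "dc=vt,dc=edu", "uupid=dhawes")))
    print(split_bind_password("pa,ss,phone2"))
```

Passing the bind password with `-w` exposes it in the process list, as the ldapsearch example on this page also does; `ldapsearch -W` prompts for it instead, and the ‘,factor’ suffix can be typed at that prompt.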


Duo authentication times out at 60 seconds. Some LDAP clients set their timeout defaults much lower, which can cause problems authenticating against login.directory.vt.edu.

It is recommended to set your LDAP client to a 60s bind timeout.



Client notes

Allowed IP Addresses

IP (CIDR)            Netmask                                   Start IP                                  End IP
/22
2001:468:c80::/48    FFFF:FFFF:FFFF:0000:0000:0000:0000:0000   2001:0468:0C80:0000:0000:0000:0000:0000   2001:0468:0C80:FFFF:FFFF:FFFF:FFFF:FFFF
2607:b400::/40       FFFF:FFFF:FF00:0000:0000:0000:0000:0000   2607:B400:0000:0000:0000:0000:0000:0000   2607:B400:00FF:FFFF:FFFF:FFFF:FFFF:FFFF
2607:b400:800::/48   FFFF:FFFF:FFFF:0000:0000:0000:0000:0000   2607:B400:0800:0000:0000:0000:0000:0000   2607:B400:0800:FFFF:FFFF:FFFF:FFFF:FFFF
2002:80ad::/32       FFFF:FFFF:0000:0000:0000:0000:0000:0000   2002:80AD:0000:0000:0000:0000:0000:0000   2002:80AD:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
2002:c652::/32       FFFF:FFFF:0000:0000:0000:0000:0000:0000   2002:C652:0000:0000:0000:0000:0000:0000   2002:C652:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF