2-Factor (Duo) Directory

Introduction

Duo provides an authentication proxy for applications that use LDAP for authentication but cannot directly support 2-factor. As the name implies, the proxy runs as a server that accepts LDAP requests and proxies them to a different LDAP server, while also handling Duo 2-factor authentication.

VT Middleware runs the Duo authentication proxy at the following LDAP URIs:

• ldaps://dev.login.directory.vt.edu
• ldap://dev.login.directory.vt.edu
• ldaps://pprd.login.directory.vt.edu
• ldap://pprd.login.directory.vt.edu
• ldaps://login.directory.vt.edu
• ldap://login.directory.vt.edu

Performing LDAP binds against ldaps://login.directory.vt.edu does the following:

• Attempts a bind to ED-Auth.
• If successful, attempts Duo 2FA.
• If both of the above are successful, LDAP success!

Usage

Typically a user of an application that authenticates with LDAP will need to supply their username and password. With 2FA, we need to authenticate with one of our other factors. The question then becomes: how do we provide this other factor when LDAP simple binds provide no challenge/response phase?

By default the Duo authentication proxy uses an out-of-band factor, which are the ‘push’ and ‘phone’ factors. In this case, you don’t have to do anything. Simply login as usual.

The password you enter in this case will be:

password

Note that if you have both push and phone factors and don’t specify a factor, the push factor will always be used.

Optionally, you can also specify which factor you would like to use by sending the password, comma (‘,’), and a factor keyword, which is one of:

auto
push
phone
passcode (the actual passcode, e.g. 123456)

The auto factor

password,auto

Duo push (send a push to the Duo app)

password,push

Phone (call the user’s phone)

password,phone

Passcode

If you have a passcode from either the app or a hardware token, you can use it explicitly:

password,123456

Multiple types

If you have multiple types of a factor, you can specify it with a number:

password,phone2

SMS

SMS factor (auth will fail, but you will be sent passwords that can be used later):

password,sms

Example

A quick example of a bind with ldapsearch follows. Note that this proxies a bind against authn.directory.vt.edu, so you must use your PID password.

ldapsearch -H ldaps://login.directory.vt.edu -x -b dc=vt,dc=edu -D uid=1152120,ou=people,dc=vt,dc=edu -w password,push uupid=dhawes

Timeouts

Duo authentication times out at 60 seconds. Some LDAP clients set their timeout defaults much lower, which can cause problems authenticating against login.directory.vt.edu.

It is recommended to set your LDAP client to a 60s bind timeout.

Requirements

• Must use LDAP over SSL (ldaps://) or LDAP with StartTLS.
• Virginia Tech users must be eligible for 2FA. Guests and services can bind normally.

Caveats

• U2F is not supported.
• Virginia Tech users without a Duo Account will receive an Invalid Credentials response from the directory (err=49), with a response message of: “Access denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator.”

Client notes

• OSX - Binds twice on login. If using Duo push, you will get two notifications. If using other factors, you may have difficulty.
• PADL pam_ldap - A hardcoded default of 10 seconds requires whatever factor you use to be used in under that time limit.
  • https://github.com/PADL/pam_ldap/pull/2

Allowed IP Addresses