ContextQMD
Back to Lldap

Duo Auth Proxy Configuration Guide

example_configs/duo_auth_proxy.md

0.6.33.2 KB
Original Source

Duo Auth Proxy Configuration Guide

Configuring DuoAuthProxy

To set up DuoAuthProxy with LLDAP, you need to configure the authproxy.cfg file properly.

Access your Duo admin console

  1. Log in to your Duo admin console.
  2. Navigate to Applications -> Protect an Application.
  3. Search for proxy and select LDAP Proxy.
  4. Copy the credentials (ikey, skey, api_host) for the next step.

Example Configuration

ini
[main]
log_stdout=true

[ad_client]
host=LLDAP
port=3890
auth_type=plain
bind_dn=uid=svc-duoauthproxy,ou=people,dc=example,dc=com
service_account_username=svc-duoauthproxy
service_account_password=password
search_dn=ou=people,dc=example,dc=com
username_attribute=uid
at_attribute=mail

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
failmode=secure
client=ad_client
port=1812
exempt_primary_bind=false
exempt_ou_1=uid=svc-duoauthproxy,ou=people,dc=example,dc=com

Running DuoAuthProxy in Docker

sh
docker run -d \
       --name=DuoAuthProxy \
       --network auth \
       -v /path/to/authproxy.cfg:/app/conf/authproxy.cfg \
       --restart unless-stopped \
       minimages/duoauthproxy

You can also choose to host it natively or generate your own image using the official instructions.

Connecting a Service to Duo Auth Proxy

This section demonstrates how to connect a service to Duo Auth Proxy, using Jellyfin as an example. You can follow the same approach for other services.

Preparing Jellyfin

Ensure Jellyfin is set up and added to the auth network:

sh
docker network connect auth jellyfin

Installing LDAP Authentication Plugin

Jellyfin requires the LDAP Authentication plugin. Restart Jellyfin after installing the plugin.

Configuring LDAP Authentication in Jellyfin

LDAP Server Settings

  • LDAP Server: DuoAuthProxy
  • LDAP Port: 1812
  • Secure LDAP: unchecked
  • StartTLS: unchecked
  • Skip SSL/TLS Verification: checked
  • Allow Password Change: (optional, requires lldap_password_manager group)
  • LDAP Bind User: uid=svc-duoauthproxy,ou=people,dc=example,dc=com
  • LDAP Bind User Password: password
  • LDAP Base DN for searches: ou=people,dc=example,dc=com

Click Save and Test LDAP Server Settings to check connectivity.

LDAP User Settings

  • LDAP Search Filter: (uid=*)
  • LDAP Search Attributes: uid, mail
  • LDAP Uid Attribute: uid
  • LDAP Username Attribute: uid
  • LDAP Password Attribute: userPassword
  • LDAP Admin Base DN: ou=people,dc=example,dc=com
  • LDAP Admin Filter: (memberof=cn=lldap_admin,ou=example,dc=com)

Click Save and Test LDAP Filter Settings to verify user detection.

Final Setup

  • Enter admin in Test Login Name
  • Click Save Search Attribute Settings and Query User to finalize lookup
  • Adjust Jellyfin User Settings as needed
  • Click the big blue Save button

If existing users are present, switch their authentication provider to LDAP-Authentication.

Testing the New Authentication Flow

Log out and attempt login to verify the new authentication flow. If issues arise, restart Jellyfin and try again.