ldproxy configuration


Dan Zaparov

Dec 29, 2025, 7:48:00 AM
to RCDevs Security
Hello,

I'm trying to configure ldproxy, but it doesn't seem to work correctly. The initial bind and everything else goes smoothly; however, when I try to use the ldapsearch command

ldapsearch -v -LLL -H ldap://<WebADM IP>:10389 -D "<bind CN>" -W -b "DC=domain,DC=local" 'sAMAccountName=test-group',

I get the following error in terminal with no additional info:

ldap_bind: Invalid credentials (49)

If I try to configure ldproxy on the WebADM server and use ldapsearch I get the same error but with additional info:

additional info: 80090308: LdapErr: DSID-0c09052B, comment: AcceptSecurityContext error, data 52e, v4f7c

Logs in WebADM, however, seem to show that the request from ldproxy comes in and gets a success response (truncated for size):

[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] New openotpSimpleLogin SOAP request
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] > Username: cn=<bind cn>,ou=<bind ou>,dc=domain,dc=local
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] > Password: xxxxxxxxxxxxxxx
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] > Settings: ChallengeMode=No
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] Registered openotpSimpleLogin request
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] Verified LDAP user:  cn=<bind cn>,ou=<bind ou>,dc=domain,dc=local (cached)
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] Resolved LDAP groups: Administrators (cached)
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] Started transaction lock for user
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] Found 53 user settings: LoginMode=LDAPOTP...
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] Found 1 registered OTP token (TOTP)
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] Requested login factors: LDAP & OTP
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] LDAP password Ok
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] TOTP password Ok (token #1)
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] Updated user data
[2025-12-29 17:33:21] [::1:58848] [OpenOTP:R80P1HPW] Sent login success response

Anything to help resolve this issue is appreciated.

Spyridon Gouliarmis (RCDevs)

Dec 29, 2025, 8:42:19 AM
to RCDevs Security
Hello,

There are multiple binds going on during a single bind to ldproxy. Does /opt/ldproxy/logs/ldproxy.log give you more information on what's happening?

Dan Zaparov

Dec 29, 2025, 9:12:47 AM
to RCDevs Security
The log file showed that there was an error in the bind user DN:

[2025-12-29 18:46:25] conn=1000 op=0 openotp_bind: using bind user 'cn=<bind cn>,out=<bind ou>,dc=domain,dc=local'

Trying to overwrite the setup, however, didn't work, as it was still bound to that misspelled DN. Editing the config file seemed to work, though.

ldapsearch is working now. Another question: is it possible to enable challenge-response for OTP via ldproxy (and not pass+otp concatenation)?
On Monday, December 29, 2025 at 18:42:19 UTC+5, Spyridon Gouliarmis (RCDevs) wrote:
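An added check, not part of this thread and not RCDevs' own code: a small Python script that does the two things a practitioner would want when chasing the failure above. It decodes the `data` sub-code in Active Directory's `AcceptSecurityContext` diagnostic quoted in the first post (so `data 52e` is read as AD rejecting the forwarded credentials, not as a transport problem), and it scans ldproxy.log lines for the `openotp_bind: using bind user '...'` entry and flags RDN attribute types that are not standard, which is exactly what catches the `out=` typo. The log lines embedded below are constructed for the example; the regexes assume ldproxy's log format matches the single line quoted in the thread, and the sub-code table is AD's well-known set, not something ldproxy emits.

```python
import re

# Active Directory sub-codes carried in the "data NNN" field of the
# AcceptSecurityContext bind failure (LDAP result 49 / 80090308).
# Note: AD returns 52e for a wrong password and, in most deployments, also
# for a DN it cannot resolve, so 52e alone does not distinguish the two.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or DN AD could not resolve)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Attribute types that legitimately appear as RDNs in a bind DN. Any other
# type (such as the 'out=' typo from the thread) is almost certainly a mistake.
KNOWN_RDN_TYPES = {"cn", "ou", "dc", "o", "uid", "c", "l", "st", "street"}

DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
BIND_USER_RE = re.compile(r"openotp_bind: using bind user '([^']*)'")

# Constructed sample of ldproxy.log lines (assumed format; placeholders, not a real capture).
SAMPLE_LDPROXY_LOG = [
    "[2025-12-29 18:46:25] conn=1000 op=0 openotp_bind: using bind user "
    "'cn=ldproxy-svc,out=Service Accounts,dc=domain,dc=local'",
    "[2025-12-29 18:46:25] conn=1000 op=0 openotp_bind: bind to backend failed",
    "[2025-12-29 18:50:02] conn=1001 op=0 openotp_bind: using bind user "
    "'cn=ldproxy-svc,ou=Service Accounts,dc=domain,dc=local'",
]


def decode_ad_bind_error(diag_msg: str) -> str:
    """Translate the 'data NNN' sub-code in an AD bind diagnostic into words."""
    m = DATA_RE.search(diag_msg)
    if not m:
        return "no AD sub-code present"
    code = m.group(1).lower()
    return f"data {code}: {AD_BIND_SUBCODES.get(code, 'unknown sub-code')}"


def split_dn(dn: str) -> list:
    """Split a DN into (type, value) RDN pairs.

    Honours backslash-escaped commas (RFC 4514) inside values; does not handle
    multi-valued RDNs (a=x+b=y), which bind DNs against AD do not use.
    """
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)

    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def bad_rdn_types(dn: str) -> list:
    """Return the RDN attribute types in dn that are not in KNOWN_RDN_TYPES."""
    return [t for t, _ in split_dn(dn) if t not in KNOWN_RDN_TYPES]


def check_ldproxy_log(lines) -> list:
    """Find 'using bind user' entries whose DN has a suspicious RDN type."""
    findings = []
    for line in lines:
        m = BIND_USER_RE.search(line)
        if not m:
            continue
        dn = m.group(1)
        bad = bad_rdn_types(dn)
        if bad:
            findings.append((dn, bad))
    return findings


if __name__ == "__main__":
    diag = "80090308: LdapErr: DSID-0c09052B, comment: AcceptSecurityContext error, data 52e, v4f7c"
    print(decode_ad_bind_error(diag))
    for dn, bad in check_ldproxy_log(SAMPLE_LDPROXY_LOG):
        print(f"suspicious RDN type(s) {bad} in bind DN {dn!r}")
```

Run this against the real /opt/ldproxy/logs/ldproxy.log (read the file instead of `SAMPLE_LDPROXY_LOG`) before touching the backend: a flagged DN means the proxy itself is presenting a DN AD cannot resolve, so the `data 52e` seen by ldapsearch is explained before any password is suspected.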

Spyridon Gouliarmis (RCDevs)

Dec 29, 2025, 9:19:08 AM
to RCDevs Security
If you find a way to make it work within LDAP simple binds (since that's the only way the average front-end supports), we're all ears.

I think I remember Duo allowing the password, then advertising a failure, and then, if the OTP is sent next, it succeeds. It's dirty, and none of our clients got desperate enough to ask for this.

Use RADIUS, or develop a plugin for your front-end yourself that calls our API.