Hello,
I have recently integrated Duo MFA into my organization. We use LDAP authentication for our Serv-U users (and we now use LDAPS; thanks to the developers for granting that feature request). Serv-U sends LDAP requests to the Duo Authentication Proxy (DAP), and the user is required to approve the connection using their mobile device.
Here is the workflow.
1. The user navigates to servu.mysite.com and enters their Windows username and password. Once they click the "Login" button, they see a spinning logo, signifying the system is thinking or waiting.
2. The Duo Authentication Proxy (DAP) accepts the LDAP and/or LDAPS request from Serv-U.
3. DAP verifies the Windows credentials via our domain controller then sends a push notification to the user's mobile device. The user is prompted to approve or deny the connection.
4. If the user hits approve, they are instantly logged in to the Serv-U server.
It works great; however, if the user takes too long to hit approve, Serv-U will reject the connection. I assume this is due to a default, non-configurable timeout setting. I haven't done official testing, but it feels like around 15 seconds.
The Duo MFA documentation, and that of other MFA companies, instructs setting the LDAP timeout to 30-60 seconds. I do not see this setting in Serv-U.
Here are a few MFA companies' instructions for setting the LDAP timeout.
Duo:
LDAP | Duo Security
"If your clients allow you to configure the LDAP timeout, set them to values such that the clients will not give up for at least 60 seconds. This is necessary if your users choose to use Duo's out-of-band factors (phone callback, push) to log in, as the authentication proxy will not be able to respond to a LDAP authentication request until the user responds to the authentication challenge. If your clients do not allow you to configure the LDAP timeout behavior, then your users may be unable to authenticate with Duo's out-of-band factors."
Microsoft:
LDAP Authentication and Azure MFA Server - Azure Active Directory | Microsoft Docs
"Configure the LDAP timeout to 30-60 seconds so that there is time to validate the user’s credentials with the LDAP directory, perform the second-step verification, receive their response, and respond to the LDAP access request."
Thank you for your consideration. If the community would like assistance in configuring MFA for their Serv-U installation, please send me a message.
Regards,
Jack Thwack
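The failure mode described in this post (an LDAP client whose timeout is shorter than the time a user needs to approve a push) can be reproduced without Serv-U or the Duo Authentication Proxy. The script below is an added example and is not code from the poster, from SolarWinds or from Duo: it hand-encodes an LDAP simple bind (RFC 4511 BER framing), stands up a toy "push-wait" server on localhost that delays its BindResponse to stand in for the proxy waiting on the user, and then binds with two different client timeouts. All names, passwords, ports and delay values are constructed for the demonstration; the delays are scaled down to fractions of a second so it runs quickly.

```python
import socket
import threading
import time

# --- minimal BER/LDAP encoding (RFC 4511 simple bind only) -----------------

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    else:
        length, hdr = first, 2
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }
    op = ber(0x60, ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber(0x02, bytes([msg_id])) + op)

def bind_response(msg_id: int, result_code: int) -> bytes:
    # BindResponse [APPLICATION 1] { resultCode ENUMERATED, matchedDN "", diagnosticMessage "" }
    op = ber(0x61, ber(0x0A, bytes([result_code])) + ber(0x04, b"") + ber(0x04, b""))
    return ber(0x30, ber(0x02, bytes([msg_id])) + op)

def parse_bind_request(msg: bytes):
    _, body, _ = read_tlv(msg, 0)            # LDAPMessage SEQUENCE
    _, msg_id, pos = read_tlv(body, 0)       # messageID
    _, op, _ = read_tlv(body, pos)           # BindRequest
    _, _version, pos = read_tlv(op, 0)
    _, _name, pos = read_tlv(op, pos)
    _, password, _ = read_tlv(op, pos)       # [0] simple
    return msg_id[0], password.decode()

def parse_result_code(msg: bytes) -> int:
    _, body, _ = read_tlv(msg, 0)
    _, _msg_id, pos = read_tlv(body, 0)
    _, op, _ = read_tlv(body, pos)           # BindResponse
    _, code, _ = read_tlv(op, 0)             # resultCode
    return int.from_bytes(code, "big")

# --- framing over TCP -------------------------------------------------------

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed before a full LDAP message arrived")
        data += chunk
    return data

def recv_message(sock: socket.socket) -> bytes:
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)

# --- toy proxy: delays the BindResponse as if waiting on a push approval ---

def start_push_wait_server(approval_delay: float, password: str) -> int:
    """Listen on an ephemeral localhost port; return that port. Constructed stand-in, not Duo's proxy."""
    def handle(conn):
        with conn:
            try:
                msg_id, pw = parse_bind_request(recv_message(conn))
                time.sleep(approval_delay)   # user is reaching for their phone
                conn.sendall(bind_response(msg_id, 0 if pw == password else 49))  # 49 = invalidCredentials
            except OSError:
                pass                          # client gave up; nothing left to answer
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

# --- client with a configurable LDAP timeout (the knob this post is asking for) ---

def simple_bind(port: int, dn: str, password: str, timeout: float, host: str = "127.0.0.1") -> str:
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request(1, dn, password))
            resp = recv_message(s)
    except socket.timeout:
        return "timeout"
    code = parse_result_code(resp)
    return {0: "success", 49: "invalidCredentials"}.get(code, f"resultCode {code}")

def demo(approval_delay: float = 0.6) -> dict:
    """Same credentials, same approval latency; only the client timeout differs."""
    port = start_push_wait_server(approval_delay, password="correct horse")   # constructed test password
    dn = "cn=alice,dc=example,dc=com"                                         # constructed DN
    return {
        "short_timeout": simple_bind(port, dn, "correct horse", timeout=0.2),
        "long_timeout": simple_bind(port, dn, "correct horse", timeout=3.0),
        "wrong_password": simple_bind(port, dn, "nope", timeout=3.0),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

The `short_timeout` case is the Serv-U behaviour the post describes: the credentials are valid and the user does approve, but the client abandons the socket before the proxy can answer, so the login is rejected. The `long_timeout` case is what Duo's and Microsoft's guidance (60 and 30-60 seconds respectively) is there to allow. Scaling the constants back up (`approval_delay` of 20 s or more, client timeouts of 15 s versus 60 s) reproduces the real-world numbers; the point of the scaled-down version is only that the outcome is decided by the client timeout, not by the credentials.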