example_configs: Add MFA with DuoAuthProxy

README.md

@@ -595,6 +595,7 @@ folder for help with:
 - [Dex](example_configs/dex_config.yml)
 - [Dokuwiki](example_configs/dokuwiki.md)
 - [Dolibarr](example_configs/dolibarr.md)
+- [Duo Auth Proxy](example_configs/duo_auth_proxy.md)
 - [Ejabberd](example_configs/ejabberd.md)
 - [Emby](example_configs/emby.md)
 - [Ergo IRCd](example_configs/ergo.md)

example_configs/duo_auth_proxy.md

@@ -0,0 +1,105 @@
+# Duo Auth Proxy Configuration Guide
+
+## Configuring DuoAuthProxy
+
+To set up DuoAuthProxy with LLDAP, you need to configure the `authproxy.cfg` file properly.
+
+### Access your Duo admin console
+1. Log in to your Duo admin console.
+2. Navigate to **Applications** -> **Protect an Application**.
+3. Search for `proxy` and select **LDAP Proxy**.
+4. Copy the credentials (`ikey`, `skey`, `api_host`) for the next step.
+
+### Example Configuration
+
+```ini
+[main]
+log_stdout=true
+
+[ad_client]
+host=LLDAP
+port=3890
+auth_type=plain
+bind_dn=uid=svc-duoauthproxy,ou=people,dc=example,dc=com
+service_account_username=svc-duoauthproxy
+service_account_password=password
+search_dn=ou=people,dc=example,dc=com
+username_attribute=uid
+at_attribute=mail
+
+[ldap_server_auto]
+ikey=DIXXXXXXXXXXXXXXXXXX
+skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+api_host=api-XXXXXXXX.duosecurity.com
+failmode=secure
+client=ad_client
+port=1812
+exempt_primary_bind=false
+exempt_ou_1=uid=svc-duoauthproxy,ou=people,dc=example,dc=com
+```
+
+### Running DuoAuthProxy in Docker
+
+```sh
+docker run -d \
+       --name=DuoAuthProxy \
+       --network auth \
+       -v /path/to/authproxy.cfg:/app/conf/authproxy.cfg \
+       --restart unless-stopped \
+       minimages/duoauthproxy
+```
+
+You can also choose to host it natively or generate your own image using the official instructions.
+
+# Connecting a Service to Duo Auth Proxy
+This section demonstrates how to connect a service to Duo Auth Proxy, using Jellyfin as an example. You can follow the same approach for other services.
+## Preparing Jellyfin
+
+Ensure Jellyfin is set up and added to the `auth` network:
+
+```sh
+docker network connect auth jellyfin
+```
+
+### Installing LDAP Authentication Plugin
+
+Jellyfin requires the LDAP Authentication plugin. Restart Jellyfin after installing the plugin.
+
+### Configuring LDAP Authentication in Jellyfin
+
+#### **LDAP Server Settings**
+- **LDAP Server:** `DuoAuthProxy`
+- **LDAP Port:** `1812`
+- **Secure LDAP:** unchecked
+- **StartTLS:** unchecked
+- **Skip SSL/TLS Verification:** checked
+- **Allow Password Change:** *(optional, requires `lldap_password_manager` group)*
+- **LDAP Bind User:** `uid=svc-duoauthproxy,ou=people,dc=example,dc=com`
+- **LDAP Bind User Password:** `password`
+- **LDAP Base DN for searches:** `ou=people,dc=example,dc=com`
+
+Click **Save and Test LDAP Server Settings** to check connectivity.
+
+#### **LDAP User Settings**
+- **LDAP Search Filter:** `(uid=*)`
+- **LDAP Search Attributes:** `uid, mail`
+- **LDAP Uid Attribute:** `uid`
+- **LDAP Username Attribute:** `uid`
+- **LDAP Password Attribute:** `userPassword`
+- **LDAP Admin Base DN:** `ou=people,dc=example,dc=com`
+- **LDAP Admin Filter:** `(memberof=cn=lldap_admin,ou=example,dc=com)`
+
+Click **Save and Test LDAP Filter Settings** to verify user detection.
+
+#### **Final Setup**
+- Enter `admin` in **Test Login Name**
+- Click **Save Search Attribute Settings and Query User** to finalize lookup
+- Adjust **Jellyfin User Settings** as needed
+- Click the big blue **Save** button
+
+If existing users are present, switch their authentication provider to **LDAP-Authentication**.
+
+### Testing the New Authentication Flow
+
+Log out and attempt login to verify the new authentication flow. If issues arise, restart Jellyfin and try again.
+