Introduction

An identity migration can move LDAP authentication to a new directory while Duo Authentication Proxy still sends primary auth to the old one. Users still see MFA prompts, but password validation continues hitting the retired directory, one proxy node uses the new LDAP server while another still follows the previous bind target, or failures begin only after the old domain controller or LDAP service is removed because authproxy.cfg, section mappings, and deployment automation often drift separately.

Treat this as an upstream-authentication target problem instead of a generic Duo outage. Start by checking which LDAP server and client section an affected proxy request actually uses, because migrations often validate Duo cloud connectivity first while live primary-auth flows continue following older proxy configuration.

Symptoms

  • Duo Authentication Proxy still sends LDAP authentication to the old directory after migration
  • MFA appears normal, but password validation still depends on the retired LDAP service
  • One proxy node or application uses the new directory while another still uses the previous one
  • Authentication failures begin only after the old directory server, bind account, or certificate is removed
  • The new directory is healthy, but migrated primary-auth requests never use it consistently
  • The issue started after moving LDAP directories, Duo proxy nodes, or application authentication paths

Common Causes

  • authproxy.cfg still points the relevant LDAP client section to the old server or host list
  • An application or RADIUS section still maps to the previous upstream LDAP client definition
  • One proxy node was updated while another still uses the earlier directory target
  • Deployment automation, package rollout, or config management restored older proxy settings
  • Certificates, bind settings, or failover lists were updated partially, leaving the old directory path active
  • Validation confirmed the new directory worked in isolated tests but did not verify which upstream target live Duo proxy requests actually used

Step-by-Step Fix

  1. 1.Capture one affected authentication path and record the listening integration, mapped client section, LDAP server target, and proxy node it actually uses, because the live primary-auth path determines where credentials are really validated.
  2. 2.Compare that active proxy path with the intended post-migration identity design, because one stale client mapping can keep large authentication flows tied to the retired directory.
  3. 3.Review authproxy.cfg, LDAP client sections, application or RADIUS mappings, bind settings, failover hosts, and deployment templates for references to the old directory, because Duo Authentication Proxy behavior depends on both upstream client definitions and listener-to-client mappings.
  4. 4.Check each proxy node, application integration, and authentication path separately if behavior differs, because migrations often update one flow while another still uses the previous directory target.
  5. 5.Update the authoritative LDAP target and section mapping so affected requests authenticate against the intended directory, because standing up the new LDAP service alone does not retarget existing Duo proxy flows.
  6. 6.Run a controlled authentication test and confirm the intended directory handles primary auth for the expected integration, because a successful MFA prompt does not prove the right upstream directory validated the password.
  7. 7.Verify the old directory no longer receives LDAP bind or search traffic from migrated Duo proxy nodes, because split identity paths can remain hidden while both directories stay reachable.
  8. 8.Review certificates, bind permissions, failover order, and time sync if authentication still fails, because the destination can be correct while TLS trust or directory policy still blocks the new path.
  9. 9.Document which team owns proxy config, section mappings, and migration validation so future Duo cutovers verify the actual runtime LDAP target before retiring the previous directory.

Verification

After applying fixes:

  1. 1.Test authentication and verify bind on new directory
  2. 2.Check old directory logs for any continued auth traffic
  3. 3.Verify authproxy.cfg shows correct LDAP targets
  4. 4.Confirm all proxy nodes have updated configuration
  5. 5.Test failover if using multiple LDAP servers

Prevention

To prevent Duo Auth Proxy issues during future migrations:

  1. 1.Document all authproxy.cfg sections - Before migration, document all LDAP client sections and their mappings to listeners.
  2. 2.Update all proxy nodes - Ensure configuration changes are applied to all proxy nodes in your deployment.
  3. 3.Test authentication flows - After changes, test each distinct authentication integration to verify correct LDAP targeting.
  4. 4.Monitor directory traffic - During migration, monitor LDAP bind traffic on both old and new directories.
  5. 5.Use configuration management - Store authproxy.cfg in version control to track changes and enable rollback.
  6. 6.Validate failover configuration - If using failover hosts, update the entire failover list, not just the primary.
  7. 7.Document integration mappings - Maintain clear documentation of which applications use which LDAP client sections

Common Pitfalls

  • Updating LDAP client section without checking listener mappings
  • Forgetting to update failover hosts
  • Not restarting proxy service after config changes
  • Missing multiple proxy nodes in update
  • Testing only MFA without testing primary auth
  • Not verifying TLS certificate trust on new directory
  • [WordPress troubleshooting: Fix S3 Configuration Error - Complete Tr](fix-s3-configuration-error)
  • [WordPress troubleshooting: Fix RDS Configuration Error - Complete T](fix-rds-configuration-error)
  • [Technical troubleshooting: Fix Certificate Based Client Authentication Mtls C](certificate-based-client-authentication-mtls-cert-cn-mismatch)
  • [Fix Fix 8021x Clients Still Authenticating Against Old Policy Server After Migration Issue in Identity & Access](fix-8021x-clients-still-authenticating-against-old-policy-server-after-migration)
  • [Fix Active Directory Account Lockout Policy Too Aggressive](fix-active-directory-account-lockout-policy-too-aggressive)

<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "TechArticle", "headline": "How to Fix Duo Authentication Proxy Still Sending LDAP Authentication to the Old Directory After Migration", "description": "Troubleshoot Duo Authentication Proxy migration issues by checking authproxy.cfg, LDAP client mappings, bind targets, and stale upstream settings.", "url": "https://www.fixwikihub.com/fix-duo-auth-proxy-still-sending-ldap-authentication-to-old-directory-after-migration", "publisher": { "@type": "Organization", "name": "FixWikiHub", "url": "https://www.fixwikihub.com" }, "author": { "@type": "Person", "name": "FixWikiHub Editorial Team" }, "datePublished": "2025-11-02T18:50:48.912Z", "dateModified": "2025-11-02T18:50:48.912Z" } </script>