Hi.

Thank you for taking the time to respond.

I have been playing with the options literally all day and still haven't
got it to connect via auth-ldap.

I think it may be the BindDN part I am missing. I am also unsure whether I need
the BindDN and password set.

Presently my config (/etc/openvpn/auth/ldap.conf) looks like this (ignore the
password; it's a test server not open to the internet):

----------------
<LDAP>
        # LDAP server URL
        URL             ldap://ipa1.morgan.kvm

        # Bind DN (If your LDAP server doesn't support anonymous binds)
        #BindDN                dc=morgan,dc=kvm

        # Bind Password
        Password       "test_123"

        # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        TLSEnable yes

        # Follow LDAP Referrals (anonymously)
        FollowReferrals yes

        # TLS CA Certificate File
        TLSCACertFile   /etc/ipa/ca.crt

        # TLS CA Certificate Directory
        TLSCACertDir    /etc/ssl/certs

        # Client Certificate and key
        # If TLS client authentication is required
        #TLSCertFile    /usr/local/etc/ssl/client-cert.pem
        #TLSKeyFile     /usr/local/etc/ssl/client-key.pem

        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite  ALL:!ADH:@STRENGTH
        #TLSCipherSuite
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA2$
</LDAP>


<Authorization>
        # Base DN
        #BaseDN         "cn=users,cn=accounts,dc=morgan,dc=kvm"
        BaseDN          "dc=morgan,dc=kvm"

        # User Search Filter
        SearchFilter    "(uid=%u)"

        # Require Group Membership
        RequireGroup    true

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "cn=users,cn=accounts,dc=morgan,dc=kvm"
                SearchFilter    "(cn=ipausers)"
                MemberAttribute uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>

----------------

Using this method I can see the following in the openvpn client log:

---------
Tue Sep 18 17:26:46 2018 WARNING: --ns-cert-type is DEPRECATED.  Use
--remote-cert-tls instead.
Tue Sep 18 17:26:46 2018 Outgoing Control Channel Authentication: Using 512
bit message hash 'SHA512' for HMAC authentication
Tue Sep 18 17:26:46 2018 Incoming Control Channel Authentication: Using 512
bit message hash 'SHA512' for HMAC authentication
Tue Sep 18 17:26:46 2018 TCP/UDP: Preserving recently used remote address:
[AF_INET]192.168.122.15:1194
Tue Sep 18 17:26:46 2018 Socket Buffers: R=[212992->212992]
S=[212992->212992]
Tue Sep 18 17:26:46 2018 UDP link local: (not bound)
Tue Sep 18 17:26:46 2018 UDP link remote: [AF_INET]192.168.122.15:1194
Tue Sep 18 17:26:46 2018 TLS: Initial packet from [AF_INET]
192.168.122.15:1194, sid=3a69634f 7bb2d4c1
Tue Sep 18 17:26:46 2018 WARNING: this configuration may cache passwords in
memory -- use the auth-nocache option to prevent this
Tue Sep 18 17:26:46 2018 VERIFY OK: depth=1, CN=openvpntest.morgan.kvm
Tue Sep 18 17:26:46 2018 VERIFY OK: nsCertType=SERVER
Tue Sep 18 17:26:46 2018 VERIFY KU OK
Tue Sep 18 17:26:46 2018 Validating certificate extended key usage
Tue Sep 18 17:26:46 2018 ++ Certificate has EKU (str) TLS Web Server
Authentication, expects TLS Web Server Authentication
Tue Sep 18 17:26:46 2018 VERIFY EKU OK
Tue Sep 18 17:26:46 2018 VERIFY OK: depth=0, CN=openvpntest.morgan.kvm
Tue Sep 18 17:26:46 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3
DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Sep 18 17:26:46 2018 [openvpntest.morgan.kvm] Peer Connection Initiated
with [AF_INET]192.168.122.15:1194
Tue Sep 18 17:26:47 2018 SENT CONTROL [openvpntest.morgan.kvm]:
'PUSH_REQUEST' (status=1)
Tue Sep 18 17:26:47 2018 AUTH: Received control message: AUTH_FAILED
Tue Sep 18 17:26:47 2018 SIGTERM[soft,auth-failure] received, process
exiting
---------

And in the server log I note "TLS Auth Error: Auth Username/Password
verification failed for peer", which looks like a TLS issue?

--------------------------
Tue Sep 18 17:46:17 2018 us=534356 MULTI: multi_create_instance called
Tue Sep 18 17:46:17 2018 us=534567 192.168.122.223:54272 Re-using SSL/TLS
context
Tue Sep 18 17:46:17 2018 us=534614 192.168.122.223:54272 LZO compression
initializing
Tue Sep 18 17:46:17 2018 us=534806 192.168.122.223:54272 Control Channel
MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Tue Sep 18 17:46:17 2018 us=534863 192.168.122.223:54272 Data Channel MTU
parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Sep 18 17:46:17 2018 us=534945 192.168.122.223:54272 Local Options
String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto
UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize
256,tls-auth,key-method 2,tls-server'
Tue Sep 18 17:46:17 2018 us=534973 192.168.122.223:54272 Expected Remote
Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto
UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize
256,tls-auth,key-method 2,tls-client'
Tue Sep 18 17:46:17 2018 us=535065 192.168.122.223:54272 TLS: Initial
packet from [AF_INET]192.168.122.223:54272, sid=09635563 e216bb99
Tue Sep 18 17:46:17 2018 us=558083 192.168.122.223:54272 VERIFY OK:
depth=1, CN=openvpntest.morgan.kvm
Tue Sep 18 17:46:17 2018 us=558234 192.168.122.223:54272 VERIFY KU OK
Tue Sep 18 17:46:17 2018 us=558255 192.168.122.223:54272 Validating
certificate extended key usage
Tue Sep 18 17:46:17 2018 us=558266 192.168.122.223:54272 ++ Certificate has
EKU (str) TLS Web Client Authentication, expects TLS Web Client
Authentication
Tue Sep 18 17:46:17 2018 us=558275 192.168.122.223:54272 VERIFY EKU OK
Tue Sep 18 17:46:17 2018 us=558282 192.168.122.223:54272 VERIFY OK:
depth=0, CN=ovpn-client1
Tue Sep 18 17:46:17 2018 us=561418 192.168.122.223:54272 peer info:
IV_VER=2.4.6
Tue Sep 18 17:46:17 2018 us=561465 192.168.122.223:54272 peer info:
IV_PLAT=linux
Tue Sep 18 17:46:17 2018 us=561477 192.168.122.223:54272 peer info:
IV_PROTO=2
Tue Sep 18 17:46:17 2018 us=561486 192.168.122.223:54272 peer info: IV_NCP=2
Tue Sep 18 17:46:17 2018 us=561494 192.168.122.223:54272 peer info: IV_LZ4=1
Tue Sep 18 17:46:17 2018 us=561502 192.168.122.223:54272 peer info:
IV_LZ4v2=1
Tue Sep 18 17:46:17 2018 us=561510 192.168.122.223:54272 peer info: IV_LZO=1
Tue Sep 18 17:46:17 2018 us=561519 192.168.122.223:54272 peer info:
IV_COMP_STUB=1
Tue Sep 18 17:46:17 2018 us=561538 192.168.122.223:54272 peer info:
IV_COMP_STUBv2=1
Tue Sep 18 17:46:17 2018 us=561547 192.168.122.223:54272 peer info:
IV_TCPNL=1
Tue Sep 18 17:46:17 2018 us=582461 192.168.122.223:54272 PLUGIN_CALL: POST
/usr/lib64/openvpn/plugin/lib/
openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Sep 18 17:46:17 2018 us=582524 192.168.122.223:54272 PLUGIN_CALL:
plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1:
/usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
Tue Sep 18 17:46:17 2018 us=582571 192.168.122.223:54272 TLS Auth Error:
Auth Username/Password verification failed for peer
Tue Sep 18 17:46:17 2018 us=583059 192.168.122.223:54272 Control Channel:
TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Sep 18 17:46:17 2018 us=583119 192.168.122.223:54272 [ovpn-client1]
Peer Connection Initiated with [AF_INET]192.168.122.223:54272
Tue Sep 18 17:46:18 2018 us=806322 192.168.122.223:54272 PUSH: Received
control message: 'PUSH_REQUEST'
Tue Sep 18 17:46:18 2018 us=806438 192.168.122.223:54272 Delayed exit in 5
seconds
Tue Sep 18 17:46:18 2018 us=806484 192.168.122.223:54272 SENT CONTROL
[ovpn-client1]: 'AUTH_FAILED' (status=1)
Tue Sep 18 17:46:24 2018 us=152743 192.168.122.223:54272
SIGTERM[soft,delayed-exit] received, client-instance exiting


--------------------------

However, if I change the ldap-auth config file to:

- uncomment: BindDN                dc=morgan,dc=kvm
- change: TLSEnable -> NO

this is the openvpn server output; I see "LDAP bind failed: Inappropriate
authentication":

----------------
Tue Sep 18 17:49:06 2018 us=496975 MULTI: multi_create_instance called
Tue Sep 18 17:49:06 2018 us=497229 192.168.122.223:34170 Re-using SSL/TLS
context
Tue Sep 18 17:49:06 2018 us=497303 192.168.122.223:34170 LZO compression
initializing
Tue Sep 18 17:49:06 2018 us=497506 192.168.122.223:34170 Control Channel
MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Tue Sep 18 17:49:06 2018 us=497578 192.168.122.223:34170 Data Channel MTU
parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Sep 18 17:49:06 2018 us=497731 192.168.122.223:34170 Local Options
String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto
UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize
256,tls-auth,key-method 2,tls-server'
Tue Sep 18 17:49:06 2018 us=497782 192.168.122.223:34170 Expected Remote
Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto
UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize
256,tls-auth,key-method 2,tls-client'
Tue Sep 18 17:49:06 2018 us=497855 192.168.122.223:34170 TLS: Initial
packet from [AF_INET]192.168.122.223:34170, sid=a5214c27 7611da04
Tue Sep 18 17:49:06 2018 us=526256 192.168.122.223:34170 VERIFY OK:
depth=1, CN=openvpntest.morgan.kvm
Tue Sep 18 17:49:06 2018 us=526469 192.168.122.223:34170 VERIFY KU OK
Tue Sep 18 17:49:06 2018 us=526498 192.168.122.223:34170 Validating
certificate extended key usage
Tue Sep 18 17:49:06 2018 us=526514 192.168.122.223:34170 ++ Certificate has
EKU (str) TLS Web Client Authentication, expects TLS Web Client
Authentication
Tue Sep 18 17:49:06 2018 us=526526 192.168.122.223:34170 VERIFY EKU OK
Tue Sep 18 17:49:06 2018 us=526538 192.168.122.223:34170 VERIFY OK:
depth=0, CN=ovpn-client1
Tue Sep 18 17:49:06 2018 us=530464 192.168.122.223:34170 peer info:
IV_VER=2.4.6
Tue Sep 18 17:49:06 2018 us=530517 192.168.122.223:34170 peer info:
IV_PLAT=linux
Tue Sep 18 17:49:06 2018 us=530531 192.168.122.223:34170 peer info:
IV_PROTO=2
Tue Sep 18 17:49:06 2018 us=530542 192.168.122.223:34170 peer info: IV_NCP=2
Tue Sep 18 17:49:06 2018 us=530552 192.168.122.223:34170 peer info: IV_LZ4=1
Tue Sep 18 17:49:06 2018 us=530561 192.168.122.223:34170 peer info:
IV_LZ4v2=1
Tue Sep 18 17:49:06 2018 us=530571 192.168.122.223:34170 peer info: IV_LZO=1
Tue Sep 18 17:49:06 2018 us=530581 192.168.122.223:34170 peer info:
IV_COMP_STUB=1
Tue Sep 18 17:49:06 2018 us=530591 192.168.122.223:34170 peer info:
IV_COMP_STUBv2=1
Tue Sep 18 17:49:06 2018 us=530601 192.168.122.223:34170 peer info:
IV_TCPNL=1
LDAP bind failed: Inappropriate authentication
Unable to bind as dc=morgan,dc=kvm
LDAP connect failed.
Tue Sep 18 17:49:06 2018 us=533422 192.168.122.223:34170 PLUGIN_CALL: POST
/usr/lib64/openvpn/plugin/lib/
openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Sep 18 17:49:06 2018 us=533448 192.168.122.223:34170 PLUGIN_CALL:
plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1:
/usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
Tue Sep 18 17:49:06 2018 us=533486 192.168.122.223:34170 TLS Auth Error:
Auth Username/Password verification failed for peer
Tue Sep 18 17:49:06 2018 us=533860 192.168.122.223:34170 Control Channel:
TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Sep 18 17:49:06 2018 us=533904 192.168.122.223:34170 [ovpn-client1]
Peer Connection Initiated with [AF_INET]192.168.122.223:34170
Tue Sep 18 17:49:07 2018 us=545087 192.168.122.223:34170 PUSH: Received
control message: 'PUSH_REQUEST'
Tue Sep 18 17:49:07 2018 us=545217 192.168.122.223:34170 Delayed exit in 5
seconds
Tue Sep 18 17:49:07 2018 us=545272 192.168.122.223:34170 SENT CONTROL
[ovpn-client1]: 'AUTH_FAILED' (status=1)
Tue Sep 18 17:49:12 2018 us=665108 192.168.122.223:34170
SIGTERM[soft,delayed-exit] received, client-instance exiting

---------------------------

Also on the IPA server (using the above method):

-----------------
[18/Sep/2018:17:49:05.953156501 +0100] conn=689 fd=112 slot=112 connection
from 192.168.122.15 to 192.168.122.20
[18/Sep/2018:17:49:05.953488573 +0100] conn=689 op=0 BIND
dn="dc=morgan,dc=kvm" method=128 version=3
[18/Sep/2018:17:49:05.953862643 +0100] conn=689 op=0 RESULT err=48 tag=97
nentries=0 etime=0.0000670081
[18/Sep/2018:17:49:05.954298020 +0100] conn=689 op=1 UNBIND
[18/Sep/2018:17:49:05.954317117 +0100] conn=689 op=1 fd=112 closed - U1
------------------

Can anyone help me here? I.e. do I use TLSEnable? Do I set a BindDN, and
do I need the password? And is my BaseDN set correctly?

Any help would be welcomed....

Using auth-pam it works (but not with OTP).



On Mon, 17 Sep 2018 at 18:37, Rob Crittenden <[email protected]> wrote:

> Morgan Cox via FreeIPA-users wrote:
> > Hi.
> >
> > I have been trying to integrate openvpn with Freeipa, general
> > integration (i.e using IPA user password) works fine, my issue is
> > connecting it with 2FA (OTP), without writing an external script it is
> > not possible to use OTP + IPA + openvpn as there is no mechanism to ask
> > for the 2nd factor in openvpn and only sshd is set up for the 2nd factor
> > - the reasons are explained in this reddit post ->
> >
> >
> https://www.reddit.com/r/linuxadmin/comments/5wjqs6/freeipa_openvpn_otp_token_not_working/
> >
> > I was advised however that openvpn-auth-ldap can be used as its setup so
> > you can input PASS+OTPTOKEN as the password field,
> >
> > What I do not understand is what to enter in the
> > /etc/openvpn/auth/ldap.conf config, I was advised I could get the data I
> > need using ldapsearch with similar syntax to
> >
> > # ldapsearch -ZZ -W -L ldap://ipa.example.org
> > -b dc=example,dc=org -D
> uid=testuser,cn=users,cn=accounts,dc=example,dc=org
>
> TLSEnable is enabled by default on IPA systems in
> /etc/openldap/ldap.conf. The first -Z means enable startTLS which is
> already enabled. The second -Z means quit on failure which it does
> because startTLS is already enabled.
>
> > However I found using this syntax I just got the error
> >
> > " ldap_start_tls: Operations error (1), additional info: SSL connection
> > already established"
> >
> > I have found working commands to query LDAP such as
> >
> > # ldapsearch   -LL  -Y GSSAPI
>
> It is more or less equivalent, using GSSAPI and your current Kerberos
> credentials rather than TLS and simple bind.
>
> > However I am really not sure what info I need to get.
>
> I don't know what you need for this either.
>
> >
> > The config for auth-ldap is at the end of the message, the only parts I
> > think I know are
> > (btw the ipa server is called ipa1.morgan.kvm)
> >
> > ---
> > URL ldap://ipa1.morgan.kvm
> > TLSCACertFile   /etc/ipa/ca.crt
> > ---
> >
> > (this may be wrong..) I am unsure about the BaseDN and TLS cert paths,
> etc
>
> The basedn for what, users? You can get the basedn for the server from
> /etc/ipa/default.conf
>
> The container for users is cn=users,cn=accounts,$BASEDN
>
> Not sure which cert paths you need either but the CA cert chain is in
> /etc/ipa/ca.crt as you seem to have configured.
>
> rob
>
> >
> > Can anyone help ?
> >
> > The config is below
> >
> > --------------
> > <LDAP>
> >         # LDAP server URL
> >         URL             ldap://ipa1.morgan.kvm
> >
> >         # Bind DN (If your LDAP server doesn't support anonymous binds)
> >         # BindDN                uid=Manager,ou=People,dc=example,dc=com
> >
> >         # Bind Password
> >         # Password      SecretPassword
> >
> >         # Network timeout (in seconds)
> >         Timeout         15
> >
> >         # Enable Start TLS
> >         TLSEnable       yes
> >
> >         # Follow LDAP Referrals (anonymously)
> >         FollowReferrals yes
> >
> >         # TLS CA Certificate File
> >         TLSCACertFile   /etc/ipa/ca.crt
> >
> >         # TLS CA Certificate Directory
> >         TLSCACertDir    /etc/ssl/certs
> >
> >         # Client Certificate and key
> >         # If TLS client authentication is required
> >         TLSCertFile     /usr/local/etc/ssl/client-cert.pem
> >         TLSKeyFile      /usr/local/etc/ssl/client-key.pem
> >
> >         # Cipher Suite
> >         # The defaults are usually fine here
> >         # TLSCipherSuite        ALL:!ADH:@STRENGTH
> > </LDAP>
> >
> > <Authorization>
> >         # Base DN
> >         BaseDN          "ou=People,dc=example,dc=com"
> >
> >         # User Search Filter
> >         SearchFilter    "(&(uid=%u)(accountStatus=active))"
> >
> >         # Require Group Membership
> >         RequireGroup    false
> >
> >         # Add non-group members to a PF table (disabled)
> >         #PFTable        ips_vpn_users
> >
> >         <Group>
> >                 BaseDN          "ou=Groups,dc=example,dc=com"
> >                 SearchFilter    "(|(cn=developers)(cn=artists))"
> >                 MemberAttribute uniqueMember
> >                 # Add group members to a PF table (disabled)
> >                 #PFTable        ips_vpn_eng
> >         </Group>
> > </Authorization>
> >
> > --------------
> >
> >
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
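The IPA-side access log quoted above is the most precise evidence in this thread: the BIND on conn=689 op=0 is answered with RESULT err=48, and per RFC 4511 result code 48 is inappropriateAuthentication (the directory refuses to authenticate that DN with the method offered), which is distinct from 49 invalidCredentials (DN/password rejected). The script below is an added example, not code from openvpn-auth-ldap, FreeIPA or anyone in the thread. It correlates BIND and RESULT lines by conn/op in 389-ds access-log format and names the result code, so a failed bind can be read off without guessing. The sample log is constructed: the conn=689 lines mirror the ones in the message, while conn=690 and conn=691 (a uid=testuser entry failing and then succeeding) are made up for contrast.

```python
"""Correlate BIND/RESULT pairs in 389-ds (FreeIPA) access-log lines.

Added example for this thread, not from openvpn-auth-ldap or FreeIPA.
"""
import re

# RFC 4511 result codes that matter when debugging a failed bind.
LDAP_RESULT_NAMES = {
    0: "success",
    7: "authMethodNotSupported",
    32: "noSuchObject",
    48: "inappropriateAuthentication",  # server will not authenticate this DN this way
    49: "invalidCredentials",           # DN/password pair rejected
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# 389-ds access-log line shapes (timestamp in [...], then conn=/op= fields).
CONN_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ connection from (?P<src>\S+) to (?P<dst>\S+)'
)
BIND_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"'
    r' method=(?P<method>\S+) version=\d+(?: mech=(?P<mech>\S+))?'
)
RESULT_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)'
)

# Constructed sample: conn=689 mirrors the thread, conn=690/691 are invented.
SAMPLE_LOG = """\
[18/Sep/2018:17:49:05.953156501 +0100] conn=689 fd=112 slot=112 connection from 192.168.122.15 to 192.168.122.20
[18/Sep/2018:17:49:05.953488573 +0100] conn=689 op=0 BIND dn="dc=morgan,dc=kvm" method=128 version=3
[18/Sep/2018:17:49:05.953862643 +0100] conn=689 op=0 RESULT err=48 tag=97 nentries=0 etime=0.0000670081
[18/Sep/2018:17:49:05.954298020 +0100] conn=689 op=1 UNBIND
[18/Sep/2018:17:49:05.954317117 +0100] conn=689 op=1 fd=112 closed - U1
[18/Sep/2018:17:50:12.100000000 +0100] conn=690 fd=113 slot=113 connection from 192.168.122.15 to 192.168.122.20
[18/Sep/2018:17:50:12.100500000 +0100] conn=690 op=0 BIND dn="uid=testuser,cn=users,cn=accounts,dc=morgan,dc=kvm" method=128 version=3
[18/Sep/2018:17:50:12.101000000 +0100] conn=690 op=0 RESULT err=49 tag=97 nentries=0 etime=0.0005000000
[18/Sep/2018:17:50:30.200000000 +0100] conn=691 fd=114 slot=114 connection from 192.168.122.15 to 192.168.122.20
[18/Sep/2018:17:50:30.200500000 +0100] conn=691 op=0 BIND dn="uid=testuser,cn=users,cn=accounts,dc=morgan,dc=kvm" method=128 version=3
[18/Sep/2018:17:50:30.201000000 +0100] conn=691 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0004000000
"""


def parse_bind_results(log_text):
    """Return one record per BIND that has a matching RESULT on the same conn/op."""
    sources = {}   # conn -> client address from the 'connection from' line
    pending = {}   # (conn, op) -> bind record still waiting for its RESULT
    records = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            sources[m["conn"]] = m["src"]
            continue
        m = BIND_RE.match(line)
        if m:
            method = m["method"]
            pending[(m["conn"], m["op"])] = {
                "conn": int(m["conn"]),
                "src": sources.get(m["conn"], "?"),
                "dn": m["dn"] or "<anonymous>",
                # method=128 is a simple bind; SASL binds log method=sasl plus mech=
                "method": "simple" if method == "128" else (m["mech"] or method),
            }
            continue
        m = RESULT_RE.match(line)
        if m and (m["conn"], m["op"]) in pending:
            rec = pending.pop((m["conn"], m["op"]))
            err = int(m["err"])
            rec["err"] = err
            rec["result"] = LDAP_RESULT_NAMES.get(err, f"unknown({err})")
            records.append(rec)
    return records


def failed_binds(log_text):
    """Only the binds the directory rejected (err != 0)."""
    return [r for r in parse_bind_results(log_text) if r["err"] != 0]


if __name__ == "__main__":
    for r in failed_binds(SAMPLE_LOG):
        print(f'conn={r["conn"]} from {r["src"]}: {r["method"]} bind as '
              f'{r["dn"]} -> err={r["err"]} {r["result"]}')
```

Run against the real file (`/var/log/dirsrv/slapd-<INSTANCE>/access`, instance name is site-specific) by passing its contents to `failed_binds`. Note that the poster's bind DN in the err=48 case is the suffix entry itself rather than a user or service entry, which is the kind of mismatch this code surfaces directly: the report shows which DN was tried, from which host, and whether the server said "inappropriate" (48) or "wrong password" (49).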
