Hi,

On Fri, Jul 09, 2021 at 06:17:14PM +0100, Duarte Rocha wrote:
> I'm loading the openvpn-auth-ldap.so for user validation and then
> loading the duo plugin for 2FA. It works, except it has an unwanted
> behaviour if a user is not on the allowed groups in LDAP the
> openvpn-auth-ldap.so will fail but will still trigger the push
> notification. Shouldn't the 2nd plugin not be called if the previous
> ends with error?
>
> PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
> PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
> PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2

Which openvpn version is that?
Can you show a server log with --verb 3 of such an incoming connection?
For 2.5, we reworked the logic for "there are multiple client-connect
things, some succeed and one fails", but I'm not sure we ever looked
at the "there are multiple plugins loaded for USER_PASS_VERIFY and one
of them fails" case.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
_______________________________________________ Openvpn-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-users
