Makdaam / openvpn-auth-ldap

Automatically exported from code.google.com/p/openvpn-auth-ldap
Other
0 stars 0 forks source link

auth-ldap - problem connecting to server #4

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. at my windows client, right click on client.ovpn
2. start openvpn on this config file
3. insert user and pass

What is the expected output? What do you see instead?
I see: No remote address supplied to OpenVPN LDAP Plugin
(OPENVPN_PLUGIN_CLIENT_CONNECT).
Instead of: Connected.

What version of the product are you using? On what operating system?
openvpn 2.0.9 and auth-ldap-2.0.3 in FreeBSD 6.2

Please provide any additional information below.
When i try to connect with my openvpn windows client i get this on my log
of openvpn server:

Fri Aug 22 05:33:46 2008 us=707255 MULTI: multi_create_instance called
Fri Aug 22 05:33:46 2008 us=707378 172.16.0.12:4901 Re-using SSL/TLS context
Fri Aug 22 05:33:46 2008 us=707629 172.16.0.12:4901 Control Channel MTU
parms [ L:1577 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Aug 22 05:33:46 2008 us=707678 172.16.0.12:4901 Data Channel MTU parms
[ L:1577 D:1300 EF:45 EB:4 ET:32 EL:0 ]
Fri Aug 22 05:33:46 2008 us=707771 172.16.0.12:4901 Fragmentation MTU parms
[ L:1577 D:1300 EF:45 EB:4 ET:32 EL:0 ]
Fri Aug 22 05:33:46 2008 us=707863 172.16.0.12:4901 Local Options String:
'V4,dev-type tap,link-mtu 1577,tun-mtu 1532,proto UDPv4,mtu-dynamic,cipher
BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Aug 22 05:33:46 2008 us=707957 172.16.0.12:4901 Expected Remote Options
String: 'V4,dev-type tap,link-mtu 1577,tun-mtu 1532,proto
UDPv4,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Aug 22 05:33:46 2008 us=708019 172.16.0.12:4901 Local Options hash
(VER=V4): '002d8bc3'
Fri Aug 22 05:33:46 2008 us=708116 172.16.0.12:4901 Expected Remote Options
hash (VER=V4): 'cb29316b'
Fri Aug 22 05:33:46 2008 us=708214 172.16.0.12:4901 TLS: Initial packet
from 172.16.0.12:4901, sid=84f43e9e dccd5cf2
Fri Aug 22 05:33:46 2008 us=788470 172.16.0.12:4901 VERIFY OK: depth=1,
/C=PT/ST=LX/L=LISBOA/O=P_P/OU=IF/CN=syndrome.onsite.pt/emailAddress=pedro@pessoa
seprocessos.com
Fri Aug 22 05:33:46 2008 us=788834 172.16.0.12:4901 VERIFY OK: depth=0,
/C=PT/ST=LX/O=P_P/OU=IF/CN=syndrome.onsite.pt/emailAddress=pedro@pessoaseprocess
os.com
Fri Aug 22 05:33:46 2008 us=804979 172.16.0.12:4901 PLUGIN_CALL: POST
/usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Fri Aug 22 05:33:46 2008 us=805218 172.16.0.12:4901 TLS: Username/Password
authentication succeeded for username 'pedro'
Fri Aug 22 05:33:46 2008 us=805773 172.16.0.12:4901 Data Channel Encrypt:
Cipher 'BF-CBC' initialized with 128 bit key
Fri Aug 22 05:33:46 2008 us=805850 172.16.0.12:4901 Data Channel Encrypt:
Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 22 05:33:46 2008 us=806047 172.16.0.12:4901 Data Channel Decrypt:
Cipher 'BF-CBC' initialized with 128 bit key
Fri Aug 22 05:33:46 2008 us=806102 172.16.0.12:4901 Data Channel Decrypt:
Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 22 05:33:46 2008 us=810544 172.16.0.12:4901 Control Channel: TLSv1,
cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Aug 22 05:33:46 2008 us=810621 172.16.0.12:4901 [syndrome.onsite.pt]
Peer Connection Initiated with 172.16.0.12:4901
No remote address supplied to OpenVPN LDAP Plugin
(OPENVPN_PLUGIN_CLIENT_CONNECT).
Fri Aug 22 05:33:46 2008 us=813079 syndrome.onsite.pt/172.16.0.12:4901
PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT
status=1
Fri Aug 22 05:33:46 2008 us=813213 syndrome.onsite.pt/172.16.0.12:4901
PLUGIN_CALL: plugin function PLUGIN_CLIENT_CONNECT failed with status 1:
/usr/local/lib/openvpn-auth-ldap.so
Fri Aug 22 05:33:46 2008 us=813377 syndrome.onsite.pt/172.16.0.12:4901
WARNING: client-connect plugin call failed
Fri Aug 22 05:33:47 2008 us=694000 syndrome.onsite.pt/172.16.0.12:4901
PUSH: Received control message: 'PUSH_REQUEST'
Fri Aug 22 05:33:47 2008 us=694127 syndrome.onsite.pt/172.16.0.12:4901 SENT
CONTROL [syndrome.onsite.pt]: 'AUTH_FAILED' (status=1)
Fri Aug 22 05:33:47 2008 us=694255 syndrome.onsite.pt/172.16.0.12:4901
Delayed exit in 5 seconds

Original issue reported on code.google.com by pedroam...@gmail.com on 22 Aug 2008 at 1:48

GoogleCodeExporter commented 9 years ago
Please anyone

Original comment by pedroam...@gmail.com on 29 Aug 2008 at 10:14

GoogleCodeExporter commented 9 years ago
The plugin currently does not work with OpenVPN using tap(4) bridging. This
functionality should be added.

Original comment by landon.j.fuller@gmail.com on 30 Nov 2008 at 9:12

GoogleCodeExporter commented 9 years ago
I had the same problem, using OpenVPN in brigde mode, with custom client-connect
script and auth-ldap. In this situation, OpenVPN environmental viriable
ifconfig_pool_remote_ip (remoteAddress in auth-ldap) isn't set for
OPENVPN_PLUGIN_CLIENT_{CONNECT,DISCONNECT}, and auth-ldap fails.
Because I use OpenVPN on GNU/Linux, I don't use PFTable, and I wrote attached 
patch
to circumvent this problem.

Original comment by comel...@gmail.com on 29 Apr 2009 at 11:25

Attachments:

GoogleCodeExporter commented 9 years ago
thanks for this patch, I use the same configuration (tap bridging and linux)...

Original comment by dro...@gmail.com on 20 Jul 2010 at 6:15

GoogleCodeExporter commented 9 years ago
That patch seems to not apply anymore, or maybe it's factored in, but anyways 
the code looks different.

I nevertheless still have this problem. After a while, this plugin just dies 
like this.

I have therefore made the following patch to work around this issue. It seems 
to work here.

I have also filed this in the Debian bugtrackers, in 
http://bugs.debian.org/692936

Original comment by theanar...@gmail.com on 11 Nov 2012 at 3:27

Attachments:

GoogleCodeExporter commented 9 years ago
hello,
I am using openvpn 2.3.2-2 on centos 6 (openvpn-auth-ldap 2.0.3-6 from the epel 
repo)
I have similar log files... 

Tue Jan 21 10:11:49 2014 xxx.xxx.xxx.xxx:1194 VERIFY OK: depth=0, C=xxx, O=xxx, 
CN=client1
LDAP search failed: No such object
Tue Jan 21 10:11:49 2014 xxx.xxx.xxx.xxx:1194 PLUGIN_CALL: POST 
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY 
status=0
Tue Jan 21 10:11:49 2014 xxx.xxx.xxx.xxx:1194 TLS: Username/Password 
authentication succeeded for username 'username' 
Tue Jan 21 10:11:49 2014 xxx.xxx.xxx.xxx:1194 Data Channel Encrypt: Cipher 
'BF-CBC' initialized with 128 bit key
Tue Jan 21 10:11:49 2014 xxx.xxx.xxx.xxx:1194 Data Channel Encrypt: Using 160 
bit message hash 'SHA1' for HMAC authentication
Tue Jan 21 10:11:49 2014 xxx.xxx.xxx.xxx:1194 Data Channel Decrypt: Cipher 
'BF-CBC' initialized with 128 bit key
Tue Jan 21 10:11:49 2014 xxx.xxx.xxx.xxx:1194 Data Channel Decrypt: Using 160 
bit message hash 'SHA1' for HMAC authentication
Tue Jan 21 10:11:49 2014 xxx.xxx.xxx.xxx:1194 Control Channel: TLSv1, cipher 
TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Jan 21 10:11:49 2014 xxx.xxx.xxx.xxx:1194 [client1] Peer Connection 
Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
No remote address supplied to OpenVPN LDAP Plugin 
(OPENVPN_PLUGIN_CLIENT_CONNECT).
Tue Jan 21 10:11:49 2014 client1/xxx.xxx.xxx.xxx:1194 PLUGIN_CALL: POST 
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=1
Tue Jan 21 10:11:49 2014 client1/xxx.xxx.xxx.xxx:1194 PLUGIN_CALL: plugin 
function PLUGIN_CLIENT_CONNECT failed with status 1: 
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so
Tue Jan 21 10:11:49 2014 client1/xxx.xxx.xxx.xxx:1194 WARNING: client-connect 
plugin call failed

While I am almost sure the plugin's config is ok (ldapsearch with same params 
is ok), ldap responds "LDAP search failed: No such object" and then "No remote 
address supplied to OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_CONNECT)."
I this a similar error situation ?

thank you

Original comment by alextasi...@gmail.com on 22 Jan 2014 at 2:53

GoogleCodeExporter commented 9 years ago
I applied the patch provided in comment #5 (thanks theanar!!!) and the 
authentication on the ldap succeeded (the "OPENVPN_PLUGIN_CLIENT_CONNECT" 
disappeared).
The "LDAP search failed: No such object" exists but causing no problems (maybe 
the sun ldap I am using causes this).

Shouldn't this patch be factored in the code? (2.0.3 version comes from 2008 
and since then there are many fixes) This would be very convenient...
thank you

Original comment by alextasi...@gmail.com on 30 Jan 2014 at 8:33