[PATCH] RFC2307 group support

[GoogleCodeExporter]

What steps will reproduce the problem?

testplugin /etc/openvpn/rusers.auth
Username: shin.andrey
Password: 
Authorization Failed!
No matching LDAP group found for user DN
"cn=shin.andrey,ou=users,dc=XXX,dc=local", and group membership is required.
client-connect failed!
No matching LDAP group found for user DN
"cn=shin.andrey,ou=users,dc=XXX,dc=local", and group membership is required.
client-disconnect failed!

What is the expected output? What do you see instead?

I see that the authorization was successful, but getting that fail

What version of the product are you using? On what operating system?

OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Feb 20 2008
auth-ldap-2.0.3
DISTRIB_DESCRIPTION="Ubuntu 8.04"
Linux dir 2.6.24-16-server

Please provide any additional information below.

<LDAP> 
        URL             ldap://dir   
        BindDN          cn=admin,dc=XXX,dc=local      
        Password        pass
        Timeout         15
</LDAP>
<Authorization>    
        BaseDN          "dc=XXX,dc=local"     
        SearchFilter     "(&(objectClass=posixAccount)(cn=%u))"   
        RequireGroup    true      
        <Group>
                BaseDN              "ou=groups,dc=XXX,dc=local"
                SearchFilter        "(cn=Jabber)"
                MemberAttribute     memberUid       
        </Group>
</Authorization>

ldapsearch -x -b "ou=groups,dc=XXX,dc=local" -D "cn=admin,dc=XXX,dc=local"
-W "(&(cn=Jabber)(memberUid=shin.andrey))"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=groups,dc=XXX,dc=local> with scope subtree
# filter: (&(cn=Jabber)(memberUid=shin.andrey))
# requesting: ALL
#

# Jabber, groups, XXX.local
dn: cn=Jabber,ou=groups,dc=XXX,dc=local
objectClass: posixGroup
objectClass: top
cn: Jabber
gidNumber: 1006
memberUid: shin.andrey

Original issue reported on code.google.com by louk...@gmail.com on 6 Dec 2008 at 9:34

[GoogleCodeExporter]

Add:
LDAP's log
Dec  7 02:44:05 dir slapd[10536]: daemon: read active on 15
Dec  7 02:44:05 dir slapd[10536]: daemon: epoll: listen=8 active_threads=0 
tvp=zero
Dec  7 02:44:05 dir slapd[10536]: daemon: epoll: listen=9 active_threads=0 
tvp=zero
Dec  7 02:44:05 dir slapd[10536]: daemon: epoll: listen=10 active_threads=0 
tvp=zero
Dec  7 02:44:05 dir slapd[10536]: connection_get(15)
Dec  7 02:44:05 dir slapd[10536]: connection_get(15): got connid=11
Dec  7 02:44:05 dir slapd[10536]: connection_read(15): checking for input on 
id=11
Dec  7 02:44:05 dir slapd[10536]: conn=11 op=3 do_compare
Dec  7 02:44:05 dir slapd[10536]: >>> dnPrettyNormal:
<cn=Jabber,ou=groups,dc=XXX,dc=local>
Dec  7 02:44:05 dir slapd[10536]: <<< dnPrettyNormal:
<cn=Jabber,ou=groups,dc=XXX,dc=local>, <cn=jabber,ou=groups,dc=XXX,dc=local>
Dec  7 02:44:05 dir slapd[10536]: conn=11 op=3 CMP
dn="cn=Jabber,ou=groups,dc=XXX,dc=local" attr="memberUid"
Dec  7 02:44:05 dir slapd[10536]: do_compare: dn
(cn=Jabber,ou=groups,dc=XXX,dc=local) attr (memberUid) value
(cn=shin.andrey,ou=users,dc=XXX,dc=local)

I think the value should be "shin.andrey" and no
"cn=shin.andrey,ou=users,dc=XXX,dc=local"

Original comment by louk...@gmail.com on 6 Dec 2008 at 9:49

[GoogleCodeExporter]

Howdy. The plugin expects groups to be the LDAP group format used in rfc2307bis,
ActiveDirectory, OpenDirectory, etc, where the group membership is specified by
including the full DN to the user's record.

The plugin could/should be extended to support rfc2307 posix groups.

Original comment by landon.j.fuller@gmail.com on 11 Dec 2008 at 10:40

[GoogleCodeExporter]

How can we expand the plug?

Original comment by louk...@gmail.com on 12 Dec 2008 at 7:25

[GoogleCodeExporter]

Here's a patch that adds rfc2307 support. Applies to 2.0.3.

-Paul

Original comment by plr...@gmail.com on 12 Dec 2009 at 9:16

Attachments:

• auth-ldap-rfc2307.patch

[GoogleCodeExporter]

You can enable the above patch by adding "RFC2307bis true/false" to the groups
section of your config.

Original comment by plr...@gmail.com on 12 Dec 2009 at 9:18

[GoogleCodeExporter]

Thanks for the patch! I will review it shortly.

Original comment by landon.j.fuller@gmail.com on 13 Dec 2009 at 8:00

• Changed title: [PATCH] RFC2307 group support
• Changed state: Accepted
• Added labels: Type-Enhancement
• Removed labels: Type-Defect

[GoogleCodeExporter]

Issue 9 has been merged into this issue.

Original comment by landon.j.fuller@gmail.com on 13 Dec 2009 at 8:01

[GoogleCodeExporter]

This is my solution w/o plugin

add in openvpn.conf:
auth-user-pass-verify /etc/openvpn/auth-ldap.pl via-env

cat /etc/openvpn/auth-ldap.pl
#!/usr/bin/perl -w
use Net::LDAP;
use strict;

my $ldap;
my $result;

my $opt_uri = "dir.XXX.local";
my $opt_user = $ENV{'username'};
my $opt_passwd = $ENV{'password'};
my $opt_common = $ENV{'common_name'};
my $opt_group = "cn=VPN,ou=groups,dc=XXX,dc=local";
my $opt_binddn = "cn=".$opt_user.",ou=users,dc=XXX,dc=local";

$ldap = Net::LDAP->new($opt_uri) or die("connect $opt_uri failed!");

$result = $ldap->bind($opt_binddn, password=>$opt_passwd);
$result->code and die($result->error);
$result = $ldap->search(base=>$opt_group, filter=>"(&(memberUid=$opt_user))");
$result->code();
if ($result->count == 1) { exit 0; }
unless($result->count){ exit 1; }

Original comment by louk...@gmail.com on 14 Dec 2009 at 5:18

[GoogleCodeExporter]

Issue 15 has been merged into this issue.

Original comment by landon.j.fuller@gmail.com on 29 Dec 2009 at 4:11

[GoogleCodeExporter]

I tested the patch in a dev scenario, and it appears to be working well so far.
Thanks plrca2.
:)

I was having to use openldap-pam and nss_ldap to get group comparisons working. 
This
is much better, as I don't really want to 'pollute' the system login with ldap 
data
(it is just a vpn endpoint, and shouldn't have shell users logging in).

Original comment by elij...@gmail.com on 31 Dec 2009 at 11:13

[GoogleCodeExporter]

how do i aply the patch

Original comment by amaral8...@googlemail.com on 28 Mar 2010 at 1:57

[GoogleCodeExporter]

i have installed openvpn-auth-ldap-2.0.3-3.el5.i386 from el repo on centos

the plugin works fine if I set RequireGroup to false.

If if set RequireGroup to true then it stops working

so the problem is in the authorization part of groups

please see a copy of my config

<Authorization>
        # Base DN
        BaseDN          "dc=example,dc=com"

        # User Search Filter
        SearchFilter    "uid=%u"

        # Require Group Membership
        RequireGroup    true

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "ou=Groups,dc=example,dc=com"
                SearchFilter    "cn=test"
                MemberAttribute uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>

i'm using openldap for this.

could you please confirm that this is duable?

if so could anyone help? please 

Original comment by amaral8...@googlemail.com on 28 Mar 2010 at 2:11

[GoogleCodeExporter]

Hi!

Has the patch been accepted?
Will there be a new release with this patch applied?

Regards.

Original comment by t...@ist.utl.pt on 25 Oct 2010 at 6:35

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

I have built a RPM for RHEL/CentOS 5 x86_64 with the rfc2307 patch(see comment 
#4) applied. 

Also, a source rpm is provided. you are build it for other platform.

Many thanks to Paul for this patch.

Original comment by prin...@gmail.com on 8 Jul 2011 at 3:33

Attachments:

• openvpn-auth-ldap-2.0.3-4.curu.src.rpm
• openvpn-auth-ldap-2.0.3-4.curu.x86_64.rpm

[GoogleCodeExporter]

Why this patch is still pending? Many other project has similiar switch.

Take a look at AuthLdapGroupAttributeIsDN in mod_authnz_ldap for apache:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapgroupattribute
isdn

Original comment by nicola....@gmail.com on 10 Jul 2011 at 6:36

[GoogleCodeExporter]

we are affected by this too and have to go back to using pam_ldap instead. we 
will be watching this space ;-)

Original comment by thilo.ba...@gmail.com on 15 Nov 2011 at 8:31

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

This is old but it needs some resurrection as it has driven me to the brink of 
insanity.  After installing the patched version via the RPM that Paul built 
(thanks) there are still issues with the MemberAttribute type.  Here is my 
bob.local OpenVPN Group config:

<Authorization>
        # Base DN
        BaseDN          "ou=People,dc=bob,dc=local"

        # User Search Filter
        SearchFilter    "(&(uid=%u))"
        #(accountStatus=active))"

        # Require Group Membership
        RequireGroup    true

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                # Match full user DN if true, uid only if false
                RFC2307bis      true

                BaseDN          "ou=Groups,dc=bob,dc=local"
                SearchFilter    "(|(cn=vpn))"
                MemberAttribute  uniqueMember #What ACTUAL attribute goes here??!?!?
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>

With that the connection binds find, finds the user in the vpn group and 
returns only 1 entry, but bails out on the MemberAttribute.  In the LDAP logs 
it shows err=16: "slapd[2783]: conn=3504 op=3 RESULT tag=111"  The OpenLdap 
admin manual says that this is a "noSuchAttribute (16) -- Indicates that the 
named entry does not contain the specified attribute or attribute value."  I 
tried looking up attributes for the group but when I tried something like 
gid=1013, it still errored out.  This is Centos 5.8 OpenVPN 2.2.2-1.  Can 
anyone help/clarify this?

Original comment by Bro...@gmail.com on 24 Jun 2012 at 1:20

[GoogleCodeExporter]

Hi, I just instal my vpn server abd ofund this issue I have:

openvpn-auth-ldap-2.0.3-6.el6.x86_64
openvpn-2.3.2-2.el6.x86_64
On Centos 6.5 

I did downloaded the patch and recompiled the rpm, I set the flag  RFC2307bis  
TRUE, but I still get authentication issues whenevr I have the requiregroup set 
to true.

Any inputs on this as it seems this issue is quite old, originally reported on 
2008. 5 yrs ago.

Thank you.

Original comment by rafi...@gmail.com on 10 Dec 2013 at 8:14

[GoogleCodeExporter]

I had the same issue, the patch still works with Debian's 
openvpn-auth-ldap-2.0.3.
I use Gosa and I had to apply the patch to have group authorization.
I created a Debian patch and rebuilt the package.

# apt-get build-dep openvpn-auth-ldap
# apt-get source openvpn-auth-ldap
$ cd openvpn-auth-ldap-...
$ quilt import -P RFC2307.patch ../auth-ldap-rfc2307.patch
$ quit push
$ dpkg-buildpackage -us -uc
$ cd ..
# dpkg -i ...

Then modify the config as described in comments above.

Original comment by netantho on 26 Feb 2014 at 11:03

[GoogleCodeExporter]

Hey netantho,

Is your ldap group authentication working?
When you say "Then modify the config as described in comments above", which 
comments do you mean?
Could you show us your successful configuration for the <Group> section?
Thanks!

Original comment by john.ski...@gmail.com on 9 May 2014 at 8:11

[GoogleCodeExporter]

thanks for the patch... it works great!

Original comment by moritz.z...@gmail.com on 12 May 2014 at 9:12

[GoogleCodeExporter]

Anyone get this working with open ldap?
I can authenticate perfectly if I set the "RequireGroup" to false.
I'm thinking it is the syntax difference in using Open Directory (Mac OS X 
10.6.8 Server).

Original comment by john.ski...@gmail.com on 22 May 2014 at 9:55

[GoogleCodeExporter]

Are binary packages for this patch planned?

Thank you and regards, Giulio

Original comment by gmar...@gmail.com on 26 Jun 2014 at 4:25

[GoogleCodeExporter]

I attach binary packages for Ubuntu 10.04 LTS lucid and Ubuntu 12.04 LTS 
precise, they could be useful for someone else!

They were prepared following the steps from comment #21.

Original comment by gmar...@gmail.com on 27 Jun 2014 at 8:30

Attachments:

• [openvpn-auth-ldap_2.0.3-1.1_amd64 (precise).deb](https://storage.googleapis.com/google-code-attachments/openvpn-auth-ldap/issue-7/comment-26/openvpn-auth-ldap_2.0.3-1.1_amd64 %28precise%29.deb)
• [openvpn-auth-ldap_2.0.3-1_amd64 (lucid).deb](https://storage.googleapis.com/google-code-attachments/openvpn-auth-ldap/issue-7/comment-26/openvpn-auth-ldap_2.0.3-1_amd64 %28lucid%29.deb)

[GoogleCodeExporter]

I have a question,if domain account binding the hostname on the domain 
controller,so cann't login OpenVPN  
please help me

Original comment by y409653...@gmail.com on 14 Nov 2014 at 8:03