Open GoogleCodeExporter opened 9 years ago
Add:
LDAP's log:
Dec 7 02:44:05 dir slapd[10536]: daemon: read active on 15
Dec 7 02:44:05 dir slapd[10536]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Dec 7 02:44:05 dir slapd[10536]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Dec 7 02:44:05 dir slapd[10536]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Dec 7 02:44:05 dir slapd[10536]: connection_get(15)
Dec 7 02:44:05 dir slapd[10536]: connection_get(15): got connid=11
Dec 7 02:44:05 dir slapd[10536]: connection_read(15): checking for input on id=11
Dec 7 02:44:05 dir slapd[10536]: conn=11 op=3 do_compare
Dec 7 02:44:05 dir slapd[10536]: >>> dnPrettyNormal: <cn=Jabber,ou=groups,dc=XXX,dc=local>
Dec 7 02:44:05 dir slapd[10536]: <<< dnPrettyNormal: <cn=Jabber,ou=groups,dc=XXX,dc=local>, <cn=jabber,ou=groups,dc=XXX,dc=local>
Dec 7 02:44:05 dir slapd[10536]: conn=11 op=3 CMP dn="cn=Jabber,ou=groups,dc=XXX,dc=local" attr="memberUid"
Dec 7 02:44:05 dir slapd[10536]: do_compare: dn (cn=Jabber,ou=groups,dc=XXX,dc=local) attr (memberUid) value (cn=shin.andrey,ou=users,dc=XXX,dc=local)
I think the value should be "shin.andrey" and not
"cn=shin.andrey,ou=users,dc=XXX,dc=local".
Original comment by louk...@gmail.com
on 6 Dec 2008 at 9:49
Howdy. The plugin expects groups to be the LDAP group format used in rfc2307bis,
ActiveDirectory, OpenDirectory, etc, where the group membership is specified by
including the full DN to the user's record.
The plugin could/should be extended to support rfc2307 posix groups.
Original comment by landon.j.fuller@gmail.com
on 11 Dec 2008 at 10:40
How can we extend the plugin?
Original comment by louk...@gmail.com
on 12 Dec 2008 at 7:25
Here's a patch that adds rfc2307 support. Applies to 2.0.3.
-Paul
Original comment by plr...@gmail.com
on 12 Dec 2009 at 9:16
You can enable the above patch by adding "RFC2307bis true/false" to the groups
section of your config.
Original comment by plr...@gmail.com
on 12 Dec 2009 at 9:18
Thanks for the patch! I will review it shortly.
Original comment by landon.j.fuller@gmail.com
on 13 Dec 2009 at 8:00
Issue 9 has been merged into this issue.
Original comment by landon.j.fuller@gmail.com
on 13 Dec 2009 at 8:01
This is my solution w/o plugin
add in openvpn.conf:
auth-user-pass-verify /etc/openvpn/auth-ldap.pl via-env
cat /etc/openvpn/auth-ldap.pl
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value escape_filter_value);

my $opt_uri    = "dir.XXX.local";
my $opt_user   = $ENV{'username'};
my $opt_passwd = $ENV{'password'};
my $opt_common = $ENV{'common_name'};
my $opt_group  = "cn=VPN,ou=groups,dc=XXX,dc=local";
# Escape the username before it is placed into a DN or a search filter
my $opt_binddn = "cn=" . escape_dn_value($opt_user) . ",ou=users,dc=XXX,dc=local";

# An empty password would turn the bind into an anonymous bind, which succeeds
exit 1 unless defined $opt_user && defined $opt_passwd && length $opt_passwd;

my $ldap = Net::LDAP->new($opt_uri) or die("connect $opt_uri failed!");
# Bind as the user: a failed bind means the password is wrong
my $result = $ldap->bind($opt_binddn, password => $opt_passwd);
$result->code and die($result->error);
# rfc2307 posixGroup: memberUid holds the bare uid, not the user's DN
$result = $ldap->search(base   => $opt_group, scope => 'base',
                        filter => "(memberUid=" . escape_filter_value($opt_user) . ")");
$result->code and die($result->error);
$ldap->unbind;
# Exactly one matching group entry grants access; anything else denies
exit($result->count == 1 ? 0 : 1);
Original comment by louk...@gmail.com
on 14 Dec 2009 at 5:18
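Added example, not code from the issue or from the plugin: a Python model of the two group schemas contrasted above (rfc2307 posixGroup with bare uids in memberUid, versus rfc2307bis groups with full DNs in uniqueMember), showing which attribute and value shape the RFC2307bis switch selects and why the original compare of a DN against memberUid fails. It also escapes the username per RFC 4515 before it is interpolated into a filter, which the script above did not. The directory contents, DNs and names are constructed.

```python
import re

# Constructed sample directory standing in for an OpenLDAP server (assumed data,
# not from the issue): one rfc2307 posixGroup whose memberUid values are bare
# uids, and one rfc2307bis groupOfUniqueNames whose uniqueMember values are DNs.
DIRECTORY = {
    "cn=vpn,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "memberUid": ["shin.andrey", "alice"],
    },
    "cn=jabber,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["CN=shin.andrey, ou=users, dc=example, dc=com"],
    },
}


def normalize_dn(dn):
    """Rough equivalent of slapd's dnPrettyNormal: case-fold and drop the
    whitespace around RDN separators so spelling differences do not matter."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def escape_filter_value(value):
    """RFC 4515 escaping of a value interpolated into a search filter, so a
    username such as 'x)(uid=*' cannot change the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def member_filter(group_cn, username, user_dn, rfc2307bis):
    """Filter a search-based check (like the Perl script above) should send.
    Config mapping: RFC2307bis false -> MemberAttribute memberUid (bare uid),
    RFC2307bis true -> MemberAttribute uniqueMember (full user DN)."""
    attr, value = ("uniqueMember", user_dn) if rfc2307bis else ("memberUid", username)
    return "(&(cn=%s)(%s=%s))" % (escape_filter_value(group_cn), attr,
                                  escape_filter_value(value))


def is_member(group_dn, username, user_dn, rfc2307bis):
    """Compare-style check mirroring the plugin: the RFC2307bis switch decides
    both the member attribute and whether a uid or a DN is compared."""
    group = DIRECTORY.get(normalize_dn(group_dn))
    if group is None:
        return False
    if rfc2307bis:
        wanted = normalize_dn(user_dn)
        return any(normalize_dn(v) == wanted for v in group.get("uniqueMember", []))
    return username in group.get("memberUid", [])
```

Sending the full DN to a memberUid group (the original report) is the `rfc2307bis=True` call against the vpn group: it finds no uniqueMember values and denies, even though the uid is listed.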
Issue 15 has been merged into this issue.
Original comment by landon.j.fuller@gmail.com
on 29 Dec 2009 at 4:11
I tested the patch in a dev scenario, and it appears to be working well so far.
Thanks plrca2.
:)
I was having to use openldap-pam and nss_ldap to get group comparisons working.
This is much better, as I don't really want to 'pollute' the system login with ldap
data (it is just a vpn endpoint, and shouldn't have shell users logging in).
Original comment by elij...@gmail.com
on 31 Dec 2009 at 11:13
How do I apply the patch?
Original comment by amaral8...@googlemail.com
on 28 Mar 2010 at 1:57
I have installed openvpn-auth-ldap-2.0.3-3.el5.i386 from the EL repo on CentOS.
The plugin works fine if I set RequireGroup to false.
If I set RequireGroup to true then it stops working,
so the problem is in the authorization part of groups.
Please see a copy of my config:
<Authorization>
# Base DN
BaseDN "dc=example,dc=com"
# User Search Filter
SearchFilter "uid=%u"
# Require Group Membership
RequireGroup true
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "ou=Groups,dc=example,dc=com"
SearchFilter "cn=test"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
I'm using OpenLDAP for this.
Could you please confirm that this is doable?
If so, could anyone help? Please.
Original comment by amaral8...@googlemail.com
on 28 Mar 2010 at 2:11
Hi!
Has the patch been accepted?
Will there be a new release with this patch applied?
Regards.
Original comment by 8424...@gmail.com
on 25 Oct 2010 at 6:35
I have built an RPM for RHEL/CentOS 5 x86_64 with the rfc2307 patch (see comment
#4) applied.
Also, a source RPM is provided, so you can build it for other platforms.
Many thanks to Paul for this patch.
Original comment by prin...@gmail.com
on 8 Jul 2011 at 3:33
Why is this patch still pending? Many other projects have a similar switch.
Take a look at AuthLdapGroupAttributeIsDN in mod_authnz_ldap for Apache:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapgroupattributeisdn
Original comment by nicola....@gmail.com
on 10 Jul 2011 at 6:36
we are affected by this too and have to go back to using pam_ldap instead. we
will be watching this space ;-)
Original comment by thilo.ba...@gmail.com
on 15 Nov 2011 at 8:31
This is old but it needs some resurrection as it has driven me to the brink of
insanity. After installing the patched version via the RPM that Paul built
(thanks) there are still issues with the MemberAttribute type. Here is my
bob.local OpenVPN Group config:
<Authorization>
# Base DN
BaseDN "ou=People,dc=bob,dc=local"
# User Search Filter
SearchFilter "(&(uid=%u))"
#(accountStatus=active))"
# Require Group Membership
RequireGroup true
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
# Match full user DN if true, uid only if false
RFC2307bis true
BaseDN "ou=Groups,dc=bob,dc=local"
SearchFilter "(|(cn=vpn))"
MemberAttribute uniqueMember #What ACTUAL attribute goes here??!?!?
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
With that the connection binds fine, finds the user in the vpn group and
returns only 1 entry, but bails out on the MemberAttribute. In the LDAP logs
it shows err=16: "slapd[2783]: conn=3504 op=3 RESULT tag=111". The OpenLDAP
admin manual says that this is a "noSuchAttribute (16) -- Indicates that the
named entry does not contain the specified attribute or attribute value." I
tried looking up attributes for the group but when I tried something like
gid=1013, it still errored out. This is CentOS 5.8, OpenVPN 2.2.2-1. Can
anyone help/clarify this?
Original comment by Bro...@gmail.com
on 24 Jun 2012 at 1:20
Hi, I just installed my VPN server and found this issue. I have:
openvpn-auth-ldap-2.0.3-6.el6.x86_64
openvpn-2.3.2-2.el6.x86_64
On CentOS 6.5.
I downloaded the patch and recompiled the RPM, and I set the flag RFC2307bis
TRUE, but I still get authentication issues whenever I have RequireGroup set
to true.
Any input on this? It seems this issue is quite old, originally reported in
2008, 5 yrs ago.
Thank you.
Original comment by rafi...@gmail.com
on 10 Dec 2013 at 8:14
I had the same issue, the patch still works with Debian's
openvpn-auth-ldap-2.0.3.
I use Gosa and I had to apply the patch to have group authorization.
I created a Debian patch and rebuilt the package.
# apt-get build-dep openvpn-auth-ldap
# apt-get source openvpn-auth-ldap
$ cd openvpn-auth-ldap-...
$ quilt import -P RFC2307.patch ../auth-ldap-rfc2307.patch
$ quilt push
$ dpkg-buildpackage -us -uc
$ cd ..
# dpkg -i ...
Then modify the config as described in comments above.
Original comment by netantho
on 26 Feb 2014 at 11:03
Hey netantho,
Is your ldap group authentication working?
When you say "Then modify the config as described in comments above", which
comments do you mean?
Could you show us your successful configuration for the <Group> section?
Thanks!
Original comment by john.ski...@gmail.com
on 9 May 2014 at 8:11
thanks for the patch... it works great!
Original comment by moritz.z...@gmail.com
on 12 May 2014 at 9:12
Anyone get this working with open ldap?
I can authenticate perfectly if I set the "RequireGroup" to false.
I'm thinking it is the syntax difference in using Open Directory (Mac OS X
10.6.8 Server).
Original comment by john.ski...@gmail.com
on 22 May 2014 at 9:55
Are binary packages for this patch planned?
Thank you and regards, Giulio
Original comment by gmar...@gmail.com
on 26 Jun 2014 at 4:25
I attach binary packages for Ubuntu 10.04 LTS lucid and Ubuntu 12.04 LTS
precise, they could be useful for someone else!
They were prepared following the steps from comment #21.
Original comment by gmar...@gmail.com
on 27 Jun 2014 at 8:30
I have a question: if the domain account is bound to a hostname on the domain
controller, then it can't log in to OpenVPN.
Please help me.
Original comment by y409653...@gmail.com
on 14 Nov 2014 at 8:03
Original issue reported on code.google.com by louk...@gmail.com on 6 Dec 2008 at 9:34