threerings / openvpn-auth-ldap

Implements username/password authentication via LDAP for OpenVPN 2.x.

LDAP search failed: No such object #35

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
The plugin's configuration is:

<LDAP>
        URL             ldap://xxxxx
        BindDN           uid=xxxxx,dc=xxx,dc=xxx
        Password         xxxxxxx
        Timeout         15
        TLSEnable       no
        FollowReferrals no
        TLSCACertFile   /usr/local/etc/ssl/ca.pem
        TLSCACertDir    /etc/ssl/certs
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem
</LDAP>
<Authorization>
        BaseDN          "ou=xxx,dc=xxx,dc=xxx"
        SearchFilter    "(&(uid=%u)(accountStatus=active))"
        RequireGroup    false
        <Group>
                BaseDN          "ou=Groups,dc=example,dc=com"
                SearchFilter    "(|(cn=developers)(cn=artists))"
                MemberAttribute uniqueMember
        </Group>
</Authorization>

I am sure that all values are correct, because using an equivalent ldapsearch command, the LDAP server responds with the correct entry.

What is the expected output? What do you see instead?
The expected output should be a login success message, but the following log appears instead ("LDAP search failed: No such object" and then "No remote address supplied to OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_CONNECT)."):

Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=466b3052 a5fc388e
LDAP search failed: No such object
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 TLS: Username/Password authentication succeeded for username 'username'
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 [] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
No remote address supplied to OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_CONNECT).
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=1
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: plugin function PLUGIN_CLIENT_CONNECT failed with status 1: /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 WARNING: client-connect plugin call failed

What version of the product are you using? On what operating system?
Using openvpn-auth-ldap 2.0.3-6 with openvpn.i686 2.3.2-2, installed on CentOS-6 from the epel repository.

Please provide any additional information below.
When providing a wrong user password or a non-existing user (in this example, "asdf"), the plugin outputs correctly ... which shows that there is no bind or wrong-attribute problem and LDAP responds correctly!!!

Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=17665875 67640a48
LDAP bind failed: Invalid credentials
Incorrect password supplied for LDAP DN "uid=username,ou=xxx,dc=xxx,dc=xxx".
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
Thu Jan 23 12:57:29 2014 xx.xx.xx.xx:1194 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jan 23 12:57:29 2014 xx.xx.xx.xx:1194 Delayed exit in 5 seconds
Thu Jan 23 12:57:29 2014 xx.xx.xx.xx:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 SIGTERM[soft,delayed-exit] received, client-instance exiting
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=06097dc3 01f59e32
LDAP user "asdf" was not found.
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 TLS Auth Error: Auth Username/Password verification failed for peer

Please correct any mistakes in the config file or suggest any solution.
Thank you.

Original issue reported on code.google.com by alextasi...@gmail.com on 23 Jan 2014 at 5:50
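As an added example (not code from this issue or from the plugin), a small triage script over the OpenVPN log format quoted above: it groups lines into client sessions, records the exit status of each plugin hook, collects the plugin's own diagnostics, and flags the combination the report describes, an LDAP error logged while the verify hook still returns status 0. The sample lines are constructed from the logs in this issue.

```python
"""Triage OpenVPN server-log output produced with openvpn-auth-ldap.
Added example (not the plugin's code): split the log into client sessions,
record each plugin hook's exit status and the plugin's own diagnostics, and
flag an LDAP error logged while PLUGIN_AUTH_USER_PASS_VERIFY still returned 0."""
import re

# The plugin's own diagnostics carry no OpenVPN timestamp prefix.
PLUGIN_MSG = re.compile(
    r"^(LDAP search failed|LDAP bind failed|LDAP user .* was not found"
    r"|Incorrect password supplied|No remote address supplied)")
# OpenVPN logs every plugin hook invocation together with its exit status.
PLUGIN_CALL = re.compile(r"PLUGIN_CALL: POST \S+/(PLUGIN_\w+) status=(\d)")
SESSION_START = "TLS: Initial packet"

def triage(log_text):
    """Return one dict per session: {'calls': {hook: status}, 'messages': [...]}."""
    sessions, current = [], None
    for line in log_text.splitlines():
        if SESSION_START in line:
            current = {"calls": {}, "messages": []}
            sessions.append(current)
            continue
        if current is None:  # lines before the first session are ignored
            continue
        m = PLUGIN_CALL.search(line)
        if m:
            current["calls"][m.group(1)] = int(m.group(2))
        elif PLUGIN_MSG.match(line):
            current["messages"].append(line.strip())
    return sessions

def needs_review(session):
    """True when an LDAP error was logged but the verify hook still returned 0."""
    ldap_error = any(msg.startswith("LDAP") for msg in session["messages"])
    return ldap_error and session["calls"].get("PLUGIN_AUTH_USER_PASS_VERIFY") == 0

# Constructed sample: lines condensed from the two logs in the issue report.
SAMPLE = """\
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=466b3052 a5fc388e
LDAP search failed: No such object
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
No remote address supplied to OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_CONNECT).
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=1
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=17665875 67640a48
LDAP bind failed: Invalid credentials
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
"""

if __name__ == "__main__":
    for s in triage(SAMPLE):
        print("REVIEW" if needs_review(s) else "ok", s)
```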

GoogleCodeExporter commented 9 years ago
Hi again...
(using openvpn-auth-ldap 2.0.3-6 with openvpn.i686 2.3.2-2, installed on CentOS-6 from the epel repository)

Having doubts about the plugin's compatibility with Sun LDAP (because the README says "This plugin only works with the OpenLDAP libraries"), I made the same tests configuring openvpn-auth-ldap to query an OpenLDAP server set up just for those tests. The strange "LDAP search failed: No such object" disappeared, but the "No remote address supplied to OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_CONNECT)" error persisted, even though an ldapsearch replies with success.

Again, the server's conf, client's conf, and plugin's conf are attached.

1- Is this a compatibility problem? (Although the LDAP protocol is the same, and I've also seen examples of this plugin working well when installed on Ubuntu with the LDAP on a Sun machine.)
2- Should I uninstall the plugin and build it from source? Do I need to do that? In the Download section I see the same version of the plugin as the one on the epel repo (auth-ldap 2.0.3).

Original comment by alextasi...@gmail.com on 24 Jan 2014 at 11:08


GoogleCodeExporter commented 9 years ago
Trying to solve my problem, I uninstalled openvpn-auth-ldap from the repo and compiled it after downloading it from this place. But the problem is the same... In the log file:

No remote address supplied to OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_CONNECT).

From the source of the plugin I figured out that this log comes from the auth-ldap.m file and from "OPENVPN_EXPORT int openvpn_plugin_func_v1" (function?), when there is no remoteAddress (?).

Can anyone explain to me what this log error means and when it appears?

Original comment by alextasi...@gmail.com on 28 Jan 2014 at 9:48

GoogleCodeExporter commented 9 years ago
Problem solved by applying a patch and recompiling the code. So this error disappeared and the authentication process ended successfully!!

* The patch was found in a similar problem reported in another issue here:
issue 4 - https://code.google.com/p/openvpn-auth-ldap/issues/detail?id=4

* The patch:
https://code.google.com/p/openvpn-auth-ldap/issues/attachmentText?id=4&aid=40005000&name=openvpn_ldap_simpler_add_handler_4&token=mmvUD8PFFjdPHzHzTQxNvHhSfcI%3A1391066590474

So should this issue be considered a duplicate and closed??
Thank you.

Original comment by alextasi...@gmail.com on 30 Jan 2014 at 8:13