threerings / openvpn-auth-ldap

Implements username/password authentication via LDAP for OpenVPN 2.x.

On first auth get error (LDAP search failed: Operations error LdapErr: DSID-0C090748, comment) #59

Open dronmaxman opened 7 years ago

dronmaxman commented 7 years ago

Using deb packages on Debian 8.5

openvpn                        2.3.4-5+deb8u1  
openvpn-auth-ldap              2.0.3-6.1

OpenVPN server.conf

local XX.XX.XX.XX
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth-ldap.conf"
username-as-common-name
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
cipher AES-128-CBC
#tls-auth keys/ta.key 0
server 10.90.1.0 255.255.255.0
ifconfig 10.90.1.1 255.255.255.0
push "route 172.30.0.0 255.255.0.0"
push "route 172.40.0.0 255.255.0.0"
#keepalive 10 120
client-cert-not-required
max-clients 20
client-to-client
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
ping 10
ping-restart 15
push "ping 10"
push "ping-restart 20"
verb 4
mute 20
daemon
mode server
#tls-server
comp-lzo no

auth-ldap.conf

<LDAP>
        # LDAP server URL
        URL             ldap://domain.test.com

         BindDN                 CN=VPN-group,OU=S,OU=Ac,OU=Sys,DC=domain,DC=test,DC=com
         Password       passwd
        Timeout         15
        TLSEnable       no
        FollowReferrals false

        #TLSCACertFile  /usr/local/etc/ssl/ca.pem
        # TLS CA Certificate Directory
        TLSCACertDir    /etc/ssl/certs
        # Client Certificate and key
        # If TLS client authentication is required
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem

        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite        ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
        BaseDN          "dc=domain,dc=test,dc=com"

        # User Search Filter
        SearchFilter    "(&(objectCategory=person)(sAMAccountName=%u)(memberof=CN=VPN-group,OU=NET,OU=SD,OU=Sys,DC=domain,DC=test,DC=com))"
        # Require Group Membership
        RequireGroup    false
        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

</Authorization>

Problem:

After restarting the OpenVPN server (sudo service openvpn restart) and trying to connect to the server, I get an error. Client side:

AUTH: Received control message: AUTH_FAILED

Server side:

Tue Oct 18 23:02:01 2016 us=904260 212.90.62.145:65418 Local Options hash (VER=V4): '691e95c7'
Tue Oct 18 23:02:01 2016 us=904615 212.90.62.145:65418 Expected Remote Options hash (VER=V4): '66096c33'
Tue Oct 18 23:02:01 2016 us=904695 212.90.62.145:65418 TLS: Initial packet from [AF_INET]212.90.62.145:65418, sid=b678887a 0b3ec133
LDAP search failed: Operations error (000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580)
LDAP user "dronmax" was not found.
Tue Oct 18 23:02:02 2016 us=2971 212.90.62.145:65418 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Oct 18 23:02:02 2016 us=3328 212.90.62.145:65418 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Tue Oct 18 23:02:02 2016 us=3800 212.90.62.145:65418 TLS Auth Error: Auth Username/Password verification failed for peer

All subsequent authentication attempts succeed. Only the first authentication has the problem.
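The server log above mixes two sources: OpenVPN's own lines (timestamp, `us=`, peer address) and the auth-ldap plugin's diagnostics, which carry no prefix. For triage it matters that the failure reason is the AD error "a successful bind must be completed on the connection" (a search issued before the plugin bound), not a rejected password. The following is an added example, not code from the openvpn-auth-ldap project or from the issue author: it parses the log format shown in this report, attaches the plugin's unprefixed lines to the `PLUGIN_CALL` result that follows them, and flags peers whose first attempt failed with the unbound-search error while a later attempt succeeded. The sample log reuses the report's lines plus one constructed follow-up line with `status=0` representing the later successful attempt; the `status=0` form is assumed from the `status=1` line in the report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# OpenVPN 2.3 log line at verb 4: timestamp, microseconds, peer address, message.
OPENVPN_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"us=(?P<us>\d+) (?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$"
)
# Lines written by the auth-ldap plugin carry no timestamp or peer prefix.
LDAP_SEARCH_FAILED = re.compile(r"^LDAP search failed: (?P<reason>.*)$")
LDAP_USER_NOT_FOUND = re.compile(r'^LDAP user "(?P<user>[^"]+)" was not found\.$')
# OpenVPN's report of the plugin result; status=0 is assumed to mean "accepted".
PLUGIN_RESULT = re.compile(
    r"PLUGIN_CALL: POST \S+/PLUGIN_AUTH_USER_PASS_VERIFY status=(?P<status>\d+)"
)
# Substring of the AD error text that identifies a search sent before any bind.
BIND_REQUIRED = "successful bind must be completed"


@dataclass
class AuthEvent:
    peer: str
    ts: str
    success: bool
    user: Optional[str] = None
    ldap_errors: List[str] = field(default_factory=list)


def parse_auth_events(lines) -> List[AuthEvent]:
    """Group the plugin's unprefixed diagnostics with the next PLUGIN_CALL result."""
    events: List[AuthEvent] = []
    pending_errors: List[str] = []
    pending_user: Optional[str] = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = OPENVPN_LINE.match(line)
        if not m:
            sf = LDAP_SEARCH_FAILED.match(line)
            if sf:
                pending_errors.append(sf.group("reason"))
                continue
            nf = LDAP_USER_NOT_FOUND.match(line)
            if nf:
                pending_user = nf.group("user")
            continue
        r = PLUGIN_RESULT.search(m.group("msg"))
        if not r:
            continue  # other OpenVPN lines (TLS handshake etc.) are not auth results
        events.append(AuthEvent(
            peer=m.group("peer"), ts=m.group("ts"),
            success=r.group("status") == "0",
            user=pending_user, ldap_errors=pending_errors,
        ))
        pending_errors, pending_user = [], None
    return events


def is_unbound_search_failure(e: AuthEvent) -> bool:
    """True when the plugin searched before binding; this is not a credential failure."""
    return (not e.success) and any(BIND_REQUIRED in err for err in e.ldap_errors)


def unbound_search_failures(events: List[AuthEvent]) -> List[AuthEvent]:
    return [e for e in events if is_unbound_search_failure(e)]


def first_attempt_only(events: List[AuthEvent]) -> List[Tuple[str, Optional[str]]]:
    """Peers whose first attempt hit the unbound-search error and a later one succeeded."""
    by_peer: Dict[str, List[AuthEvent]] = {}
    for e in events:
        by_peer.setdefault(e.peer, []).append(e)
    hits: List[Tuple[str, Optional[str]]] = []
    for peer, evs in by_peer.items():
        if is_unbound_search_failure(evs[0]) and any(e.success for e in evs[1:]):
            hits.append((peer, evs[0].user))
    return hits


# Sample log: the report's lines, followed by one constructed status=0 line
# standing in for the later successful attempt from the same peer.
SAMPLE_LOG = """\
Tue Oct 18 23:02:01 2016 us=904695 212.90.62.145:65418 TLS: Initial packet from [AF_INET]212.90.62.145:65418, sid=b678887a 0b3ec133
LDAP search failed: Operations error (000004DC: LdapErr: DSID-0C090748, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580)
LDAP user "dronmax" was not found.
Tue Oct 18 23:02:02 2016 us=2971 212.90.62.145:65418 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Oct 18 23:02:02 2016 us=3328 212.90.62.145:65418 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Tue Oct 18 23:02:40 2016 us=118204 212.90.62.145:65418 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
"""

if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG.splitlines())
    for peer, user in first_attempt_only(evs):
        print(f"{peer}: first attempt by {user!r} failed on unbound search, later attempt succeeded")
```

Run against a real `openvpn.log`, the `first_attempt_only` hits separate this plugin-state failure from genuine `AUTH_FAILED` events caused by wrong credentials, so an operator reviewing failed-login alerts does not mistake the former for password guessing.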

a7lan commented 1 year ago

Any news? I have this problem too. The bug has been open for 6 years...

Darkentik commented 2 weeks ago

Any news? We have the same issue here with OpenVPN and LDAP against Microsoft Active Directory. The issue is from 2016 and has received no response. :(