Open ghost opened 6 years ago
michalsladek
commented
5 years ago I have similar problem, I have just added it to comments of issue 30. https://github.com/threerings/openvpn-auth-ldap/issues/30 It seems that the plugin is unable to verify server's certificate.
avs262
commented
5 years ago I was able to get this plugin working with a self-signed certificate by doing the following:
I noticed with a strace of the openvpn pid that the plugin was reading /etc/ldap/ldap.conf and ldaprc so I initially set 'TLS_REQCERT' to 'allow' within both but the plugin ignored it. Then I found the "Always require a valid certificate" definition within the source files.
softwareinfojam
commented
3 years ago I followed the instructions. I made the adjustment in the makefile and recompiled the plugin and restarted the openvpn. Sadly, when I tried again, I got the same error, "LDAP bind failed immediately: Can't contact LDAP Server Unable to bind as user@mydomain.com. I am running plugin version 2.0.4. It works with the same credentials using the unencrypted LDAP.
saulp
commented
3 years ago I found a simpler workaround that does not require a code change to lower the TLS requirement.
In a nutshell: One needs to add the CA cert to the system's truststore. (In CentOS 8 I did this by copying it in pem format to /etc/pki/ca-trust/source/anchors/, and then ran the "update-ca-trust" command.)
It looks like the plugin ignores the "TLSCACertFile" config setting, but as long as it's in the system's truststore it should work. If this is not sufficient to fix your connection issue, the good news is once this is is out of the way the plugin will be more verbose about the reason (in the openvpn logfile).
Other issues that I needed to also fix were "EE certificate key too weak" (fixed by issuing a new cert for the AD server signed with a 2048-bit key this time*), and "hostname does not match peer certificate" (fixed by entering in the plugin's URL setting the exact same hostname present in the cert).
* The "weak key" issue can also be worked around by lowering the TLS security level, here's a config line that worked for me to connect to an AD server signed with a 1024-bit key, though I wouldn't recommend it if you can user a stronger key instead:
TLSCipherSuite @SECLEVEL=1:ALL:!ADH:@STRENGTH
Fisherworks
commented
2 years ago After a entire afternoon search and test, I finally make this #77 work - to apply the patch by @k0ste, thanks and that's now a great plugin with your work!
It does require some effort to build the new .so file on CentOS 7, now this plugin can work very well with self-signed cert in LDAP server side.
The updated conf file can be something like this:
<LDAP>
# LDAP server URL
URL ldaps://ldap.example.com
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN cn=readonly,ou=system,dc=example,dc=com
# Bind Password
Password xxxxx
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
TLSRequireCert no
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# DO NOT PUT any more cert file or path here
</LDAP>
<Authorization>
... (no change)
</Authorization>
ice1374
commented
2 years ago I used REDHAT 7 and successfully move compiled lib to RHEL8. On RHEL8 I cannot compile it (issues with objC) And openvpn can authenticate on Windows Server 2019 DC with default settings (LDAP server signing reqs: Require signing)
Steps to recompile lib with patch:
git clone https://github.com/guywyers/openvpn-auth-ldap
yum install autoconf libtool make openvpn openldap openvpn-devel openldap-devel openvpn automake openssl-devel libobjc gcc-objc patch yum groupinstall 'Development Tools'
wget https://github.com/skvadrik/re2c/archive/refs/tags/3.0.tar.gz tar xzvf 3.0.tar.gz ./release.sh ./autogen.sh ./configure make install
Apply patch #77
git clone https://github.com/k0ste/openvpn-auth-ldap-rfc2307 patch -ruN -d openvpn-auth-ldap < openvpn-auth-ldap-rfc2307/77.patch
enter names manually to files for patching when asking: i.e src/TRAuthLDAPConfig.h etc
install openvpn-auth-ldap
./regen.sh ./configure --with-openvpn=/usr/include/openvpn CFLAGS="-fPIC" OBJCFLAGS="-std=gnu11"
make
compiled lib in src/
Plugin location /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so
I can succesfully connect with config above ( URL ldaps://ldap.example.com) without specify certs options. OpenVPN will connect with TCP/636 to DC.
DC must have correct cert for FQDN: ldap.example.com (certmgr.msc - computer - personal)
For example it possible to generate cert and import with following commands:
openssl genrsa -out dc1.key 2048
openssl req -new \ -key dc1.key -out dc1.csr -subj "/CN=dc1.test.com" \ -addext "keyUsage=digitalSignature,keyEncipherment" \ -addext "subjectKeyIdentifier=hash" \ -addext "extendedKeyUsage=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2"
openssl x509 -req -in dc1.csr -CA /etc/openvpn/keys/easyrsa/pki/ca.crt -CAkey /etc/openvpn/keys/easyrsa/pki/private/ca.key -CAcreateserial -out dc1.crt -days 720 -sha256
openssl verify -CAfile /etc/openvpn/keys/easyrsa/pki/ca.crt /etc/openvpn/auth/12/dc1.crt openssl pkcs12 -export -out dc1.pfx -inkey dc1.key -in dc1.crt
Import dc1.pfs to DC
I have an LDAP server (ApacheDS) running:
I connect to this server through various other systems (our code repo, jenkins, etc all authenticate over Encrypted ldaps protocol to it over port 10686 so I know the server is responding fine over TLS. It uses self-signed certs but that hasn't been an issue so far with other services connecting to it.
My openvpn logs don't give me much other than generic logging:
Different configs I've tried:
WORKS: (unencrypted)
DOES NOT WORK:
ALSO DOES NOT WORK:
ALSO DOES NOT WORK:
ALSO DOES NOT WORK: