Open farvour opened 6 years ago
I opened a PR for this issue #67 which I'm hoping helps solve this issue.
Had this weird packet losses. I found a workaround (actually solution) using auth-user-pass-verify script which support deferred auth since OpenVPN 2.5+.
Some source links: https://community.openvpn.net/openvpn/ticket/222 https://github.com/waldner/openvpn-ldap
OpenVPN server config file:
...
script-security 3
auth-user-pass-verify /etc/openvpn/ldap_auth.sh via-env
...
Example of ldap_auth.sh script (use your <BINDDN>
and <BASEDN>
). ldapsearch should be installed where script will run.
#!/bin/bash
ourname=ldap_auth.sh
facility=auth
output=$(mktemp)
error=$(mktemp)
# child process - try simple shell backgrounding
(
ldapsearch -h auth.local -D "cn=${username},<BASEDN>" -b "<BINDDN>" -s base "objectClass=*" 1.1 -w "${password}" 1>"${output}" 2>"${error}"
# save exist status here, otherwise the following assignment resets $?
status=$?
if [ $status -ne 0 ]; then
logger -p "${facility}.err" -t "${ourname}" "There was an error authenticating user ${username} against AD."
logger -p "${facility}.err" -t "${ourname}" "The error was: $(tr '\n' ' ' < "${error}" )" # turn multiline into single line
echo "0" > "${auth_control_file}"
exit 1
fi
# look for the "numEntries" line in the output of ldapsearch
numentries=$(awk '/numEntries:/{ne = $3} END{print ne + 0}' "$output")
if [ $numentries -eq 1 ]; then
logger -p "${facility}.info" -t "{$ourname}" "User ${username} authenticated successfully"
echo "1" > "${auth_control_file}"
exit 0
else
logger -p "${facility}.err" -t "${ourname}" "User ${username} NOT authenticated (user not in group?)"
echo "0" > "${auth_control_file}"
exit 1
fi
) &
# tell openvpn that auth will be deferred
exit 2
After using this you should see deferred auth messages in OpenVPN server log: Username/Password authentication deferred for username 'username'
Hope this will help
Thank you very much @kirik . We were facing the exact same issue. And we replaced as well the module by a bash script.
Here is our version of the script that perform the check against 2 different DN (we have real user and service account)
#!/bin/bash
ourname=ldap_auth.sh
facility=auth
output=$(mktemp)
error=$(mktemp)
log_this () {
echo "$1"
}
log_this "Connection from username: $username at $(date)"
exit_if_ok() {
if [ $status -eq 0 ]; then
numentries=$(awk '/numEntries:/{ne = $3} END{print ne + 0}' "$output")
if [ $numentries -eq 1 ]; then
log_this "User ${username} authenticated successfully"
echo "1" > "${auth_control_file}"
exit 0
fi
fi
}
# child process - try simple shell backgrounding
(
# check email
ldapsearch -x -H ldaps://ldap.domain:636 \
-D "uid=${username},ou=People,o=domain.com" \
-w "${password}" \
-b "ou=People,o=domain.com" \
"uid=${username}" 1>"${output}" 2>"${error}"
status=$?
exit_if_ok
# # check service account
ldapsearch -x -H ldaps://ldap.domaint:636 \
-D "cn=${username},ou=Applications,o=domain.com" \
-w "${password}" \
-b "ou=Applications,o=domain.com" \
"cn=${username}" 1>"${output}" 2>"${error}"
status=$?
exit_if_ok
log_this "User ${username} NOT authenticated"
echo "0" > "${auth_control_file}"
exit 1
) &
# tell openvpn that auth will be deferred
exit 2
Hello, there is an OpenVPN ticket regarding packet loss when auth plugins are used with OpenVPN.
https://community.openvpn.net/openvpn/ticket/585#no1
This plugin does not seem to contain the asychronous method calls?