threerings / openvpn-auth-ldap

Implements username/password authentication via LDAP for OpenVPN 2.x.

[PATCH] RFC2307 group support #7

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

testplugin /etc/openvpn/rusers.auth
Username: shin.andrey
Password: 
Authorization Failed!
No matching LDAP group found for user DN "cn=shin.andrey,ou=users,dc=XXX,dc=local", and group membership is required.
client-connect failed!
No matching LDAP group found for user DN "cn=shin.andrey,ou=users,dc=XXX,dc=local", and group membership is required.
client-disconnect failed!

What is the expected output? What do you see instead?

I see that the authorization was successful, but I am getting that failure.

What version of the product are you using? On what operating system?

OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Feb 20 2008
auth-ldap-2.0.3
DISTRIB_DESCRIPTION="Ubuntu 8.04"
Linux dir 2.6.24-16-server

Please provide any additional information below.

<LDAP>
        URL             ldap://dir
        BindDN          cn=admin,dc=XXX,dc=local
        Password        pass
        Timeout         15
</LDAP>
<Authorization>
        BaseDN          "dc=XXX,dc=local"
        SearchFilter    "(&(objectClass=posixAccount)(cn=%u))"
        RequireGroup    true
        <Group>
                BaseDN              "ou=groups,dc=XXX,dc=local"
                SearchFilter        "(cn=Jabber)"
                MemberAttribute     memberUid
        </Group>
</Authorization>

ldapsearch -x -b "ou=groups,dc=XXX,dc=local" -D "cn=admin,dc=XXX,dc=local" -W "(&(cn=Jabber)(memberUid=shin.andrey))"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=groups,dc=XXX,dc=local> with scope subtree
# filter: (&(cn=Jabber)(memberUid=shin.andrey))
# requesting: ALL
#

# Jabber, groups, XXX.local
dn: cn=Jabber,ou=groups,dc=XXX,dc=local
objectClass: posixGroup
objectClass: top
cn: Jabber
gidNumber: 1006
memberUid: shin.andrey

Original issue reported on code.google.com by louk...@gmail.com on 6 Dec 2008 at 9:34

GoogleCodeExporter commented 9 years ago
Adding the LDAP server's log:

Dec  7 02:44:05 dir slapd[10536]: daemon: read active on 15
Dec  7 02:44:05 dir slapd[10536]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Dec  7 02:44:05 dir slapd[10536]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Dec  7 02:44:05 dir slapd[10536]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Dec  7 02:44:05 dir slapd[10536]: connection_get(15)
Dec  7 02:44:05 dir slapd[10536]: connection_get(15): got connid=11
Dec  7 02:44:05 dir slapd[10536]: connection_read(15): checking for input on id=11
Dec  7 02:44:05 dir slapd[10536]: conn=11 op=3 do_compare
Dec  7 02:44:05 dir slapd[10536]: >>> dnPrettyNormal: <cn=Jabber,ou=groups,dc=XXX,dc=local>
Dec  7 02:44:05 dir slapd[10536]: <<< dnPrettyNormal: <cn=Jabber,ou=groups,dc=XXX,dc=local>, <cn=jabber,ou=groups,dc=XXX,dc=local>
Dec  7 02:44:05 dir slapd[10536]: conn=11 op=3 CMP dn="cn=Jabber,ou=groups,dc=XXX,dc=local" attr="memberUid"
Dec  7 02:44:05 dir slapd[10536]: do_compare: dn (cn=Jabber,ou=groups,dc=XXX,dc=local) attr (memberUid) value (cn=shin.andrey,ou=users,dc=XXX,dc=local)

I think the value should be "shin.andrey" and not "cn=shin.andrey,ou=users,dc=XXX,dc=local".

Original comment by louk...@gmail.com on 6 Dec 2008 at 9:49

GoogleCodeExporter commented 9 years ago
Howdy. The plugin expects groups to be in the LDAP group format used in rfc2307bis, ActiveDirectory, OpenDirectory, etc., where group membership is specified by including the full DN of the user's record.

The plugin could/should be extended to support rfc2307 posix groups.

Original comment by landon.j.fuller@gmail.com on 11 Dec 2008 at 10:40
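To make the difference concrete, here is an added Python model of the two membership checks (written for this thread, not the plugin's own Objective-C code), run over a constructed LDIF that mirrors the Jabber posixGroup from the ldapsearch output above plus an rfc2307bis-style groupOfUniqueNames; the "reporter" case reproduces the failing compare visible in the slapd log (full user DN tested against memberUid), and the `rfc2307bis` flag stands in for the RFC2307bis switch that the patch later in this thread adds.

```python
import re

# Constructed LDIF (not the issue's directory): the posixGroup from the ldapsearch
# output above, the user it names, and an rfc2307bis-style group holding full DNs.
SAMPLE_LDIF = """\
dn: cn=shin.andrey,ou=users,dc=XXX,dc=local
uid: shin.andrey

dn: cn=Jabber,ou=groups,dc=XXX,dc=local
objectClass: posixGroup
memberUid: shin.andrey

dn: cn=vpn,ou=groups,dc=XXX,dc=local
objectClass: groupOfUniqueNames
uniqueMember: cn=shin.andrey,ou=users,dc=XXX,dc=local
"""

def parse_ldif(text):
    """Minimal LDIF parser (no base64, no line folding): {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, value = line.split(":", 1)
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def normalize_dn(dn):
    """Case- and whitespace-insensitive DN form, like slapd's dnPrettyNormal."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_user_dn(entries, username):
    """The plugin's user search: resolve the login name to its entry DN."""
    return next((dn for dn, a in entries.items() if username in a.get("uid", [])), None)

def is_member(entries, group_dn, member_attr, username, rfc2307bis):
    """RFC2307bis: group attribute must hold the user's DN; else the bare username."""
    values = entries.get(group_dn, {}).get(member_attr.lower(), [])
    if rfc2307bis:
        user_dn = find_user_dn(entries, username)
        return user_dn is not None and normalize_dn(user_dn) in {normalize_dn(v) for v in values}
    return username in values

def demo():
    e = parse_ldif(SAMPLE_LDIF)
    jabber, vpn = "cn=Jabber,ou=groups,dc=XXX,dc=local", "cn=vpn,ou=groups,dc=XXX,dc=local"
    return {"reporter": is_member(e, jabber, "memberUid", "shin.andrey", rfc2307bis=True),
            "rfc2307": is_member(e, jabber, "memberUid", "shin.andrey", rfc2307bis=False),
            "bis": is_member(e, vpn, "uniqueMember", "shin.andrey", rfc2307bis=True)}
```

`demo()["reporter"]` is False exactly as in the reporter's setup, while the same group passes once the check compares the bare username.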

GoogleCodeExporter commented 9 years ago
How can we extend the plugin?

Original comment by louk...@gmail.com on 12 Dec 2008 at 7:25

GoogleCodeExporter commented 9 years ago
Here's a patch that adds rfc2307 support. Applies to 2.0.3.

-Paul

Original comment by plr...@gmail.com on 12 Dec 2009 at 9:16

Attachments:

GoogleCodeExporter commented 9 years ago
You can enable the above patch by adding "RFC2307bis true/false" to the groups
section of your config.

Original comment by plr...@gmail.com on 12 Dec 2009 at 9:18

GoogleCodeExporter commented 9 years ago
Thanks for the patch! I will review it shortly.

Original comment by landon.j.fuller@gmail.com on 13 Dec 2009 at 8:00

GoogleCodeExporter commented 9 years ago
Issue 9 has been merged into this issue.

Original comment by landon.j.fuller@gmail.com on 13 Dec 2009 at 8:01

GoogleCodeExporter commented 9 years ago
This is my solution w/o plugin

add in openvpn.conf:
auth-user-pass-verify /etc/openvpn/auth-ldap.pl via-env

cat /etc/openvpn/auth-ldap.pl
#!/usr/bin/perl -w
# OpenVPN auth-user-pass-verify script (via-env): bind to the directory as the
# user, then require posixGroup membership (memberUid) in the VPN group.
# Exit status 0 allows the connection, anything else denies it.
use strict;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value escape_filter_value);

my $opt_uri    = "dir.XXX.local";
my $opt_user   = $ENV{'username'};
my $opt_passwd = $ENV{'password'};
my $opt_common = $ENV{'common_name'};
my $opt_group  = "cn=VPN,ou=groups,dc=XXX,dc=local";

# Deny if OpenVPN handed us no username or an empty password: an empty
# password would otherwise turn the bind into an unauthenticated one.
exit 1 unless defined $opt_user && length $opt_user
           && defined $opt_passwd && length $opt_passwd;

# Escape the username before embedding it in a DN and in a search filter so
# that characters such as ',' '(' ')' or '*' cannot change their meaning.
my $opt_binddn = "cn=" . escape_dn_value($opt_user) . ",ou=users,dc=XXX,dc=local";
my $filter     = "(memberUid=" . escape_filter_value($opt_user) . ")";

my $ldap = Net::LDAP->new($opt_uri) or die("connect $opt_uri failed!");

my $result = $ldap->bind($opt_binddn, password => $opt_passwd);
$result->code and die($result->error);

# Look only at the group entry itself (scope base), not its subtree.
$result = $ldap->search(base => $opt_group, scope => 'base', filter => $filter);
$result->code and die($result->error);
$ldap->unbind;

exit 0 if $result->count == 1;
exit 1;    # no match, or anything unexpected, denies access

Original comment by louk...@gmail.com on 14 Dec 2009 at 5:18

GoogleCodeExporter commented 9 years ago
Issue 15 has been merged into this issue.

Original comment by landon.j.fuller@gmail.com on 29 Dec 2009 at 4:11

GoogleCodeExporter commented 9 years ago
I tested the patch in a dev scenario, and it appears to be working well so far.
Thanks plrca2.
:)

I was having to use openldap-pam and nss_ldap to get group comparisons working. This is much better, as I don't really want to 'pollute' the system login with ldap data (it is just a vpn endpoint, and shouldn't have shell users logging in).

Original comment by elij...@gmail.com on 31 Dec 2009 at 11:13

GoogleCodeExporter commented 9 years ago
How do I apply the patch?

Original comment by amaral8...@googlemail.com on 28 Mar 2010 at 1:57

GoogleCodeExporter commented 9 years ago
I have installed openvpn-auth-ldap-2.0.3-3.el5.i386 from the EL repo on CentOS.

The plugin works fine if I set RequireGroup to false.

If I set RequireGroup to true then it stops working,

so the problem is in the authorization part of groups.

please see a copy of my config

<Authorization>
        # Base DN
        BaseDN          "dc=example,dc=com"

        # User Search Filter
        SearchFilter    "uid=%u"

        # Require Group Membership
        RequireGroup    true

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "ou=Groups,dc=example,dc=com"
                SearchFilter    "cn=test"
                MemberAttribute uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>

I'm using OpenLDAP for this.

Could you please confirm that this is doable?

If so, could anyone help? Please.

Original comment by amaral8...@googlemail.com on 28 Mar 2010 at 2:11

GoogleCodeExporter commented 9 years ago
Hi!

Has the patch been accepted?
Will there be a new release with this patch applied?

Regards.

Original comment by 8424...@gmail.com on 25 Oct 2010 at 6:35

GoogleCodeExporter commented 9 years ago
I have built an RPM for RHEL/CentOS 5 x86_64 with the rfc2307 patch (see comment #4) applied.

Also, a source RPM is provided; you can build it for other platforms.

Many thanks to Paul for this patch.

Original comment by prin...@gmail.com on 8 Jul 2011 at 3:33

Attachments:

GoogleCodeExporter commented 9 years ago
Why is this patch still pending? Many other projects have a similar switch.

Take a look at AuthLdapGroupAttributeIsDN in mod_authnz_ldap for Apache:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapgroupattributeisdn

Original comment by nicola....@gmail.com on 10 Jul 2011 at 6:36

GoogleCodeExporter commented 9 years ago
We are affected by this too and have to go back to using pam_ldap instead. We will be watching this space ;-)

Original comment by thilo.ba...@gmail.com on 15 Nov 2011 at 8:31

GoogleCodeExporter commented 9 years ago
This is old but it needs some resurrection as it has driven me to the brink of insanity. After installing the patched version via the RPM that Paul built (thanks) there are still issues with the MemberAttribute type. Here is my bob.local OpenVPN Group config:

<Authorization>
        # Base DN
        BaseDN          "ou=People,dc=bob,dc=local"

        # User Search Filter
        SearchFilter    "(&(uid=%u))"
        #(accountStatus=active))"

        # Require Group Membership
        RequireGroup    true

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                # Match full user DN if true, uid only if false
                RFC2307bis      true

                BaseDN          "ou=Groups,dc=bob,dc=local"
                SearchFilter    "(|(cn=vpn))"
                MemberAttribute  uniqueMember #What ACTUAL attribute goes here??!?!?
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>

With that the connection binds fine, finds the user in the vpn group and returns only 1 entry, but bails out on the MemberAttribute. In the LDAP logs it shows err=16: "slapd[2783]: conn=3504 op=3 RESULT tag=111". The OpenLDAP admin manual says that this is a "noSuchAttribute (16) -- Indicates that the named entry does not contain the specified attribute or attribute value." I tried looking up attributes for the group but when I tried something like gid=1013, it still errored out. This is CentOS 5.8, OpenVPN 2.2.2-1. Can anyone help/clarify this?

Original comment by Bro...@gmail.com on 24 Jun 2012 at 1:20

GoogleCodeExporter commented 9 years ago
Hi, I just installed my VPN server and found this issue. I have:

openvpn-auth-ldap-2.0.3-6.el6.x86_64
openvpn-2.3.2-2.el6.x86_64
On Centos 6.5 

I downloaded the patch and recompiled the RPM. I set the flag RFC2307bis TRUE, but I still get authentication issues whenever I have RequireGroup set to true.

Any input on this? This issue seems quite old, originally reported in 2008, 5 years ago.

Thank you.

Original comment by rafi...@gmail.com on 10 Dec 2013 at 8:14

GoogleCodeExporter commented 9 years ago
I had the same issue; the patch still works with Debian's openvpn-auth-ldap-2.0.3.
I use Gosa and I had to apply the patch to have group authorization.
I created a Debian patch and rebuilt the package.

# apt-get build-dep openvpn-auth-ldap
# apt-get source openvpn-auth-ldap
$ cd openvpn-auth-ldap-...
$ quilt import -P RFC2307.patch ../auth-ldap-rfc2307.patch
$ quilt push
$ dpkg-buildpackage -us -uc
$ cd ..
# dpkg -i ...

Then modify the config as described in comments above.

Original comment by netantho on 26 Feb 2014 at 11:03

GoogleCodeExporter commented 9 years ago
Hey netantho,

Is your ldap group authentication working?
When you say "Then modify the config as described in comments above", which comments do you mean?
Could you show us your successful configuration for the <Group> section?
Thanks!

Original comment by john.ski...@gmail.com on 9 May 2014 at 8:11

GoogleCodeExporter commented 9 years ago
thanks for the patch... it works great!

Original comment by moritz.z...@gmail.com on 12 May 2014 at 9:12

GoogleCodeExporter commented 9 years ago
Anyone get this working with open ldap?
I can authenticate perfectly if I set the "RequireGroup" to false.
I'm thinking it is the syntax difference in using Open Directory (Mac OS X 10.6.8 Server).

Original comment by john.ski...@gmail.com on 22 May 2014 at 9:55

GoogleCodeExporter commented 9 years ago
Are binary packages for this patch planned?

Thank you and regards, Giulio

Original comment by gmar...@gmail.com on 26 Jun 2014 at 4:25

GoogleCodeExporter commented 9 years ago
I attach binary packages for Ubuntu 10.04 LTS lucid and Ubuntu 12.04 LTS precise; they could be useful for someone else!

They were prepared following the steps from comment #21.

Original comment by gmar...@gmail.com on 27 Jun 2014 at 8:30

Attachments:

GoogleCodeExporter commented 9 years ago
I have a question: if the domain account is bound to a hostname on the domain controller, it can't log in to OpenVPN.
Please help me.

Original comment by y409653...@gmail.com on 14 Nov 2014 at 8:03

q5616417 commented 5 years ago

Hello, either I am too silly or it still does not work on Debian stretch. I used the ubuntu-build-script, which passes without error. But the ubuntu-package-script gives "Invalid package configuration: Cannot package the path '/tmp/openvpn-auth-ldap-build/1', does it exist? {:level=>:error}". ./configure finishes with an error because it can't find the OpenVPN sources. I got them from http://deb.debian.org/debian/pool/main/o/openvpn/openvpn_2.4.0.orig.tar.gz and started ./configure --with-openvpn=../openvpn-2.4.0/src/, but it still says "Could not locate a working openvpn source tree." Nevertheless, the ubuntu-build-script obviously creates a src/openvpn-auth-ldap.so, which I copied to /usr/local/lib. I made the appropriate changes in the auth-ldap.conf:

RequireGroup true

RFC2307bis true
BaseDN "ou=Groups,dc=mydomain,dc=tld"
SearchFilter "(|(cn=VPN-Users))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng

And in the server.conf: plugin "/usr/local/lib/openvpn-auth-ldap.so" "/etc/openvpn/auth/auth-ldap.conf"

But I still get authentication failures, that I don't get if "RequireGroup false" is set. I verified that the user I take for login is in VPN-Users group.

So, for my comfort it would be great to have a working .deb-package for Debian stable. If this is not possible, any advice that helps me to authenticate against my "VPN-Users" group would be appreciated.

Thank you in advance

Thomas

k0ste commented 5 years ago

So, for my comfort it would be great to have a working .deb-package for Debian stable. If this is not possible, any advice that helps me to authenticate against my "VPN-Users" group would be appreciated.

https://packages.debian.org/buster/openvpn-auth-ldap

q5616417 commented 5 years ago

Hello k0ste, thank you very much for your advice. I installed the debian-testing package (after satisfying the dependencies) but still it did not want to work. I don't know why. But I found a workaround for me: I am filtering the group in the user SearchFilter:

# User Search Filter
SearchFilter "(&(uid=%u)(objectClass=person)(memberof=cn=vpnusergroup,ou=groups,dc=mydomain,dc=tld))"

Now I'm curious if this would work with the version of openvpn-ldap-auth in the debian-stable-package, too. Trying it out.

Best regards

Thomas