threerings / openvpn-auth-ldap

Implements username/password authentication via LDAP for OpenVPN 2.x.

Cannot make it work with Google Workspace #87

Open ut0mt8 opened 2 years ago

ut0mt8 commented 2 years ago

Hi there,

I followed the configuration here: https://support.google.com/a/answer/9089736?hl=en#zippy=%2Copenldap-ldapsearch-linux%2Copenvpn-community-version

My conf is

<LDAP>
        URL             ldaps://ldap.google.com:636
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
        TLSCACertDir    /etc/ssl/certs
        TLSCertFile     /etc/openvpn/keys/ldap-client.crt
        TLSKeyFile      /etc/openvpn/keys/ldap-client.key
</LDAP>

<Authorization>
        BaseDN          "dc=mycorp,dc=com"
        SearchFilter    "(uid=%u)"
        RequireGroup    false
</Authorization>

With the plugin configured in OpenVPN I have a common error:

LDAP search failed: Can't contact LDAP server ((unknown error code))

Though using ldapsearch it worked well. I ended up using a shell script like this, but this is not very satisfying:

#!/bin/bash
# Called by OpenVPN's auth-user-pass-verify (via-file mode): $1 is a temporary
# file holding the username on line 1 and the password on line 2.

# Force TLS 1.2 so libldap can reach Google Secure LDAP (GnuTLS priority syntax).
export LDAPTLS_CIPHER_SUITE='NORMAL:!VERS-TLS1.3'
export LDAPTLS_CERT=/etc/openvpn/keys/ldap-client.crt
export LDAPTLS_KEY=/etc/openvpn/keys/ldap-client.key

readarray -t lines < "$1"

name=${lines[0]}
pass=${lines[1]}

base='dc=corp,dc=com'
host='ldaps://ldap.google.com'

# Escape the username before embedding it in the filter (RFC 4515), so a
# crafted login name cannot change what the search matches.
esc_name=$(printf '%s' "$name" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')

# Resolve the user's DN; the client certificate authorises this search.
dn=$(ldapsearch -LLL -H "$host" -b "$base" "(&(objectclass=posixAccount)(uid=$esc_name))" dn 2>/dev/null | grep '^dn:' | sed 's/^dn: //')

# No DN means no such user: refuse rather than attempt a bind with an empty DN.
if [ -z "$dn" ]; then
  echo "ko"
  exit 1
fi

# Verify the password with a simple bind as that DN. The password is handed
# over with -y from a process substitution instead of on the command line,
# where it would be visible to every local user via ps.
if ldapsearch -LLL -x -D "$dn" -y <(printf '%s' "$pass") -H "$host" -b "$base" -s sub "(uid=$esc_name)" mail > /dev/null 2>&1; then
  echo "ok"
  exit 0
else
  echo "ko"
  exit 1
fi

ut0mt8 commented 2 years ago

Replying to myself:

Adding TLS_CIPHER_SUITE NORMAL:!VERS-TLS1.3 to ldap.conf works.

luckyswede commented 2 years ago

Hi, I have the exact same error. Do you mean that setting TLSCipherSuite NORMAL:!VERS-TLS1.3 in the LDAP section of ldap.conf works for you? That doesn't work for me.

ut0mt8 commented 2 years ago

@luckyswede yes, it works on Debian 10.

The exact line is:

TLS_CIPHER_SUITE        NORMAL:!VERS-TLS1.3

ut0mt8 commented 2 years ago

If not, you can use my script, which is doing pretty much the same thing ;)

luckyswede commented 2 years ago

OK, thanks. That's weird: openvpn-auth-ldap complains when starting up because it cannot parse the TLS_CIPHER_SUITE config entry, so I had to change it to TLSCipherSuite. But that ain't working :( I'm on Alpine though, using an updated version of https://github.com/kylemanna/docker-openvpn/blob/master/Dockerfile

luckyswede commented 2 years ago

I was able to get it working using stunnel as a proxy (ref: https://support.google.com/a/answer/9089736?hl=en#stunnel&zippy=%2Copenvpn-community-version), and configure ldap to use stunnel instead of accessing google ldap directly.
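The stunnel setup mentioned above, written out as an added example (not part of the original thread or the project's own files; file paths, the section name and the local port 1636 are assumptions). It moves the client-certificate TLS session out of libldap entirely, which is why it sidesteps the cipher-suite issue: the `NORMAL:!VERS-TLS1.3` priority string is GnuTLS syntax and only applies to libldap builds linked against GnuTLS, as Debian's is. Beyond Google's minimal snippet it pins certificate verification on the stunnel side, since the plugin now sees only a plaintext loopback connection.

```ini
# /etc/stunnel/google-ldap.conf (assumed path)
# stunnel opens the TLS session to Google Secure LDAP with the client
# certificate; the plugin then talks plaintext to 127.0.0.1 only.
[google-ldap]
client      = yes
accept      = 127.0.0.1:1636
connect     = ldap.google.com:636
cert        = /etc/openvpn/keys/ldap-client.crt
key         = /etc/openvpn/keys/ldap-client.key
# Verify Google's server certificate chain and hostname; without this a
# MITM on the path to ldap.google.com would see every user password.
verifyChain = yes
CAfile      = /etc/ssl/certs/ca-certificates.crt
checkHost   = ldap.google.com

# /etc/openvpn/auth-ldap.conf (assumed path): same layout as the config at the
# top of the thread, but pointed at the local stunnel listener. TLSEnable stays
# "no" because TLS is terminated by stunnel, not by libldap.
<LDAP>
        URL             ldap://127.0.0.1:1636
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
</LDAP>

<Authorization>
        BaseDN          "dc=mycorp,dc=com"
        SearchFilter    "(uid=%u)"
        RequireGroup    false
</Authorization>
```

Binding the listener to 127.0.0.1 matters: anything that can reach that port can try passwords against the directory with the server's client certificate, so never expose it beyond the host running OpenVPN.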

ismail-oc commented 2 years ago

> OK, thanks. That's weird: openvpn-auth-ldap complains when starting up because it cannot parse the TLS_CIPHER_SUITE config entry, so I had to change it to TLSCipherSuite. But that ain't working :( I'm on Alpine though, using an updated version of https://github.com/kylemanna/docker-openvpn/blob/master/Dockerfile

Hi, referring to the documentation, the variable is TLSCipherSuite; it works for me.