When a client tries to authenticate to the VPN via LDAP, I get the following error in the log, after which the OpenVPN server crashes and needs to be restarted.

I can see that the LDAP query was successful, as I haven't set up encryption between the LDAP and OpenVPN servers, so I was able to sniff the traffic using Wireshark.

All checks pass, and these are the steps taken:

1. Plugin will authenticate to LDAP using the user from the config file.
2. Plugin will query LDAP to check whether the username exists.
3. Plugin will try to bind to LDAP using the credentials the client has provided.
4. Plugin will then look up group membership (since it's set up in the config file), and LDAP will return successful search results.
Plugin and server will crash, displaying the message I've posted above. Below is the log file from when the client tried to authenticate:

This is the content of ldap.conf:

```
<LDAP>
URL ldap://10.0.0.44
BindDN "cn=Admin User Name,cn=Users,dc=ot,dc=ov"
Password PasSW0rD
# Network timeout (in seconds)
Timeout 15
</LDAP>
<Authorization>
# Base DN
BaseDN "dc=ot,dc=ov"
# User Search Filter
SearchFilter "(sAMAccountName=%u)"
# Require Group Membership
RequireGroup true
<Group>
BaseDN "ou=Groups,dc=ot,dc=ov"
SearchFilter "(CN=VPN MEMBER)"
</Group>
</Authorization>
```
Below is server.conf:

```
local ip.ad.dr.ess
port 1194
proto udp
dev tun
crl-verify crl.pem
ca ca.crt
cert server_ZzOOvOzIXZZdeuZU.crt
key server_ZzOOvOzIXZZdeuZU.key # This file should be kept secret
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3
dh none
ecdh-curve prime256v1
topology subnet
server 10.0.13.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.0.0"
push "route 10.8.0.0 255.255.0.0"
push "dhcp-option DNS 10.0.0.1"
push "dhcp-option DNS 10.0.0.2"
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
explicit-exit-notify 1
tls-crypt tls-crypt.key 0
plugin /opt/openvpn-ldap-auth/lib/openvpn-auth-ldap.so /etc/openvpn/server/ldap.conf
client-cert-not-required
```
System that this is running on:

- CentOS Linux release 7.6.1810 (Core)
- OpenVPN 2.4.7
- OpenSSL 1.0.2
- OpenLDAP 2.4.44
- openvpn-auth-ldap version 2.0.4 compiled locally (but also tried with 2.0.3 from the CentOS EPEL repo)
I've noticed that this issue happens ONLY if RequireGroup is true and the Group search parameters are set. But even then, all queries sent by the plugin to LDAP are OK and LDAP returns successful search results!

Any help on resolving the issue is greatly appreciated!

I've also noticed that the FIRST query after the server is started always fails, even though the query is successfully received by LDAP and the responses are sent back to the server - and the server receives them (also sniffed using Wireshark).
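The four steps listed in the report (service-account bind, user search, user bind, group-membership check) are easy to exercise on their own, independently of OpenVPN, which helps separate "the directory answers correctly" from "the plugin crashes on the answer". The script below is an added example written for this page, not openvpn-auth-ldap's own code: it walks those steps against a small in-memory stand-in for the directory whose entries and passwords are constructed here. Two details worth noting for anyone mirroring the reporter's config: the `%u` substitution is escaped per RFC 4515 before it goes into the filter, so a username cannot rewrite the search, and the group step needs a member attribute name (the reporter's Group block sets none; the plugin's sample config uses `uniqueMember`, while Active Directory groups list members in `member`). Since the reporter could read the bind traffic in Wireshark, the same credentials are readable to anyone else on that path; once the crash is sorted out, an `ldaps://` URL or StartTLS on the LDAP connection closes that gap.

```python
"""Walk the plugin's four authentication steps against a fake directory.
Added example code; the directory contents and passwords are constructed."""

from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)

    def __post_init__(self):
        # LDAP attribute names are case-insensitive; normalise once.
        self.attrs = {k.lower(): v for k, v in self.attrs.items()}


class FakeDirectory:
    """Minimal stand-in for an LDAP server: bind() checks a password,
    search() evaluates one (attr=value) equality filter under a base DN."""

    def __init__(self, entries, passwords):
        self.entries = entries        # list[Entry]
        self.passwords = passwords    # dn -> password (constructed for the example)

    def bind(self, dn, password):
        return self.passwords.get(dn) == password

    def search(self, base_dn, search_filter):
        # Only a single equality filter is supported here; the real plugin
        # hands the filter to libldap, which understands the full syntax.
        attr, _, value = search_filter.strip("()").partition("=")
        attr, value = attr.lower(), value.lower()
        return [
            e for e in self.entries
            if e.dn.lower().endswith(base_dn.lower())
            and value in (v.lower() for v in e.attrs.get(attr, []))
        ]


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter,
    so a username such as 'alice)(cn=*' cannot widen the search."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def authenticate(directory, cfg, username, password):
    """Return (allowed, reason), following the steps in the report:
    service bind -> user search -> user bind -> group membership.
    Every failure is a plain deny; nothing here raises."""
    # 1. Bind with the service account from the config file.
    if not directory.bind(cfg["bind_dn"], cfg["bind_password"]):
        return False, "service bind failed"
    # 2. Look the user up; %u is the OpenVPN username, as in the plugin config.
    user_filter = cfg["search_filter"].replace("%u", escape_filter_value(username))
    users = directory.search(cfg["base_dn"], user_filter)
    if len(users) != 1:
        return False, f"expected exactly one user entry, found {len(users)}"
    user_dn = users[0].dn
    # 3. Bind as the user with the password the VPN client supplied.
    if not directory.bind(user_dn, password):
        return False, "user bind failed"
    # 4. Optional group check: find the group, then look for the user DN in its member attribute.
    if cfg.get("require_group"):
        groups = directory.search(cfg["group_base_dn"], cfg["group_filter"])
        if not groups:
            return False, "group not found"
        members = groups[0].attrs.get(cfg["member_attribute"].lower(), [])
        if user_dn.lower() not in (m.lower() for m in members):
            return False, "user is not a member of the required group"
    return True, "ok"


CONFIG = {  # mirrors the reporter's ldap.conf; the password is constructed
    "bind_dn": "cn=Admin User Name,cn=Users,dc=ot,dc=ov",
    "bind_password": "service-account-secret",
    "base_dn": "dc=ot,dc=ov",
    "search_filter": "(sAMAccountName=%u)",
    "require_group": True,
    "group_base_dn": "ou=Groups,dc=ot,dc=ov",
    "group_filter": "(CN=VPN MEMBER)",
    # Not set in the reporter's config (assumption for this example): the
    # plugin's sample config uses uniqueMember; AD groups use member.
    "member_attribute": "member",
}

DIRECTORY = FakeDirectory(  # constructed sample directory
    entries=[
        Entry("cn=Admin User Name,cn=Users,dc=ot,dc=ov", {"cn": ["Admin User Name"]}),
        Entry("cn=alice,cn=Users,dc=ot,dc=ov", {"sAMAccountName": ["alice"]}),
        Entry("cn=bob,cn=Users,dc=ot,dc=ov", {"sAMAccountName": ["bob"]}),
        Entry("cn=VPN MEMBER,ou=Groups,dc=ot,dc=ov",
              {"cn": ["VPN MEMBER"], "member": ["cn=alice,cn=Users,dc=ot,dc=ov"]}),
    ],
    passwords={
        "cn=Admin User Name,cn=Users,dc=ot,dc=ov": "service-account-secret",
        "cn=alice,cn=Users,dc=ot,dc=ov": "alice-pw",
        "cn=bob,cn=Users,dc=ot,dc=ov": "bob-pw",
    },
)

if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"),
                     ("alice", "wrong"), ("alice)(cn=*", "x")]:
        print(f"{user!r}: {authenticate(DIRECTORY, CONFIG, user, pw)}")
```

Running it shows alice admitted, bob refused on the group step (valid password, not a member), a wrong password refused at the user bind, and the filter-injection attempt refused because the escaped string matches no account. Flipping `require_group` to `False` in `CONFIG` lets bob through, which is the same switch the reporter observed the crash depending on.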