I can't seem to get OpenVPN with LDAP authentication to work with Google Authenticator. Is there a how-to article for this somewhere?
I keep getting an error:
Mon Dec 4 16:58:33 2017 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Dec 4 16:58:33 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Dec 4 16:58:33 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Dec 4 16:58:33 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Mon Dec 4 16:58:33 2017 TUN/TAP device tun0 opened
Mon Dec 4 16:58:33 2017 TUN/TAP TX queue length set to 100
Mon Dec 4 16:58:33 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Dec 4 16:58:33 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Dec 4 16:58:33 2017 /sbin/ip addr add dev tun0 10.250.250.1/24 broadcast 10.250.250.255
Mon Dec 4 16:58:33 2017 GID set to nogroup
Mon Dec 4 16:58:33 2017 UID set to nobody
Mon Dec 4 16:58:33 2017 Listening for incoming TCP connection on [undef]
Mon Dec 4 16:58:33 2017 TCPv4_SERVER link local (bound): [undef]
Mon Dec 4 16:58:33 2017 TCPv4_SERVER link remote: [undef]
Mon Dec 4 16:58:33 2017 MULTI: multi_init called, r=256 v=256
Mon Dec 4 16:58:33 2017 IFCONFIG POOL: base=10.250.250.2 size=252, ipv6=0
Mon Dec 4 16:58:33 2017 IFCONFIG POOL LIST
Mon Dec 4 16:58:33 2017 MULTI: TCP INIT maxclients=1024 maxevents=1028
Mon Dec 4 16:58:33 2017 Initialization Sequence Completed
Mon Dec 4 17:02:37 2017 TCP connection established with [AF_INET]151.237.232.133:44855
Mon Dec 4 17:02:38 2017 151.237.232.133:44855 TLS: Initial packet from [AF_INET]151.237.232.133:44855, sid=33663ceb 075aa5bc
AUTH-PAM: BACKGROUND: user 'test' failed to authenticate: Module is unknown
Mon Dec 4 17:02:40 2017 151.237.232.133:44855 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Dec 4 17:02:40 2017 151.237.232.133:44855 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
Mon Dec 4 17:02:40 2017 151.237.232.133:44855 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Dec 4 17:02:41 2017 151.237.232.133:44855 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384
Mon Dec 4 17:02:41 2017 151.237.232.133:44855 Peer Connection Initiated with [AF_INET]151.237.232.133:44855
Mon Dec 4 17:02:43 2017 151.237.232.133:44855 PUSH: Received control message: 'PUSH_REQUEST'
Mon Dec 4 17:02:43 2017 151.237.232.133:44855 Delayed exit in 5 seconds
Mon Dec 4 17:02:43 2017 151.237.232.133:44855 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Mon Dec 4 17:02:44 2017 151.237.232.133:44855 Connection reset, restarting [0]
Mon Dec 4 17:02:44 2017 151.237.232.133:44855 SIGUSR1[soft,connection-reset] received, client-instance restarting
I have one entry in the server.conf file pointing to:
# Google Authenticator PAM configuration
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn
and the openvpn file:
# BEGIN ANSIBLE MANAGED BLOCK
#openVPN config
auth requisite /lib/security/pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root forward_pass
auth required /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf use_first_pass
No matter what I try to tweak, this doesn't seem to want to authenticate properly...
Can someone please tell me what I am doing wrong here?
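
A diagnostic for the failure in the log above, added here as an example and not part of the original post: Linux-PAM reports "Module is unknown" when a module named in the service file cannot be loaded as a PAM module, so this script pulls the AUTH-PAM failure lines out of an OpenVPN log and classifies every module path in a PAM service file without loading it. The function names, the `MODULE_DIRS` search list and the byte-scan heuristic (looking for `pam_sm_` or `openvpn_plugin_` symbol names in the file) are assumptions of this example.

```python
import os
import re
import sys

# Failure line written by openvpn-plugin-auth-pam.so, as seen in the log above.
PAM_FAIL = re.compile(r"AUTH-PAM: BACKGROUND: user '([^']*)' failed to authenticate: (.+)")
# PAM service line: type, control (plain word or [bracketed]), module path.
PAM_LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
# Assumed search path for relative module names; it differs between distributions.
MODULE_DIRS = ("/lib/security", "/usr/lib/security", "/lib/x86_64-linux-gnu/security")

def pam_failures(log_text):
    """Return (user, pam_reason) for every AUTH-PAM failure in an OpenVPN log."""
    return [m.groups() for m in map(PAM_FAIL.search, log_text.splitlines()) if m]

def classify_module(path, module_dirs=MODULE_DIRS):
    """Classify one module path from a PAM stack by reading it, not loading it."""
    candidates = [path] if os.path.isabs(path) else [os.path.join(d, path) for d in module_dirs]
    found = next((c for c in candidates if os.path.isfile(c)), None)
    if found is None:
        return "missing"
    with open(found, "rb") as fh:
        blob = fh.read()
    if not blob.startswith(b"\x7fELF"):
        return "not-elf"
    if b"pam_sm_" in blob:           # PAM entry points, e.g. pam_sm_authenticate
        return "pam-module"
    if b"openvpn_plugin_" in blob:   # OpenVPN plugin API, which PAM cannot call
        return "openvpn-plugin"
    return "no-pam-entry-points"

def audit_stack(pam_text, module_dirs=MODULE_DIRS):
    """Return (type, module_path, verdict) for each rule in a PAM service file."""
    results = []
    for raw in pam_text.splitlines():
        m = PAM_LINE.match(raw.strip())  # comments and @include lines do not match
        if m:
            results.append((m.group(1), m.group(3), classify_module(m.group(3), module_dirs)))
    return results

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py <openvpn.log> <pam service file>
    for user, reason in pam_failures(open(sys.argv[1]).read()):
        print(f"user={user} reason={reason}")
    for kind, module, verdict in audit_stack(open(sys.argv[2]).read()):
        print(f"{kind:8} {module} -> {verdict}")
```

Any verdict other than `pam-module` marks a line that PAM cannot use as written.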