LDAP-Auth

How to customize and extend your OpenVPN installation.
Post Reply
petrocelli1966
OpenVpn Newbie
Posts: 16
Joined: Wed Dec 23, 2020 10:12 pm

LDAP-Auth

Post by petrocelli1966 » Tue Jan 12, 2021 3:43 pm

Hi All,
I have been reading and trying in vain for the past few days so I would really appreciate dome assistance.
I am trying to get openVPN to authenticate to Active Directory whixh is on Windows 2012.
I run OpenVPN 2.5 on FreeBSD. My config files are below. From the client I am getting wrong credentials.
On the server I get this error:

Code: Select all

LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C090436, comment: AcceptSecurityContext error, data 52e, v23f0)
Unable to bind as CN=openvpnquery,CN=Users,DC=mayberryinv,DC=net
LDAP connect failed.
2021-01-12 08:12:51 us=33643 72.252.144.69:58128 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2021-01-12 08:12:51 us=33686 72.252.144.69:58128 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn-auth-ldap.so
2021-01-12 08:12:51 us=34192 72.252.144.69:58128 TLS Auth Error: Auth Username/Password verification failed for peer
I am sure the password is correct however.

auth-ldap.conf

Code: Select all

<LDAP>
        # LDAP server URL
        URL             ldap://192.168.1.18:389
        BindDN         openvpnquery@domain.com
        Password        Password
        Timeout         15
        TLSEnable       no
        FollowReferrals no
</LDAP>

<Authorization>
        BaseDN          "DC=domain,DC=net"
        SearchFilter    "sAMAccountName=%u"
        RequireGroup    false
</Authorization>
Server config

local 192.168.1.5
proto udp4
dev tun
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/issued/server.crt
key /usr/local/etc/openvpn/server/private/server.key # This file should be kept secret
dh /usr/local/etc/openvpn/server/dh.pem
server 10.9.0.0 255.255.255.0
push route x.x.x.x
push "dhcp-option DNS y.y.y.y"
push "dhcp-option DOMAIN domain.net"
tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
tls-version-min 1.2
cipher AES-256-GCM
data-ciphers AES-256-GCM
persist-key
persist-tun
crl-verify /usr/local/etc/openvpn/crl/crl.pem
plugin /usr/local/lib/openvpn-auth-ldap.so "/usr/local/etc/openvpn/server/auth-ldap.conf"
reneg-sec 28800
auth SHA256


Client config

client
dev tun
;proto tcp
proto udp
remote z.z.z.z
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
verb 3
;mute 20
auth-nocache
auth SHA256
auth-user-pass
allow-pull-fqdn
;redirect-gateway def1
reneg-sec 0
Last edited by Pippin on Tue Jan 12, 2021 4:42 pm, edited 1 time in total.
Reason: Formatting

petrocelli1966
OpenVpn Newbie
Posts: 16
Joined: Wed Dec 23, 2020 10:12 pm

Re: LDAP-Auth [Solved]

Post by petrocelli1966 » Wed Jan 13, 2021 1:21 pm

Well things have started working now. I had to change the line BaseDN "DC=domain,DC=net" to BaseDN "OU=Units,DC=domain,DC=net" which is the OU the user is in. Not sure why this happened. We have a huge user base in AD. Not sure if it was failing really or just timing out but it was saying auth-fail. Anyway, it is working now so this can be closed. Thanks.

Post Reply