I have been reading and trying in vain for the past few days, so I would really appreciate some assistance.
I am trying to get OpenVPN to authenticate against Active Directory, which is on Windows 2012.
I run OpenVPN 2.5 on FreeBSD. My config files are below. From the client I get a "wrong credentials" error.
On the server I get this error:
LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C090436, comment: AcceptSecurityContext error, data 52e, v23f0)
Unable to bind as CN=openvpnquery,CN=Users,DC=mayberryinv,DC=net
LDAP connect failed.
2021-01-12 08:12:51 us=33643 72.252.144.69:58128 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2021-01-12 08:12:51 us=33686 72.252.144.69:58128 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn-auth-ldap.so
2021-01-12 08:12:51 us=34192 72.252.144.69:58128 TLS Auth Error: Auth Username/Password verification failed for peer
auth-ldap.conf
# openvpn-auth-ldap configuration: how the plugin reaches the directory
# and which accounts it accepts.
<LDAP>
# LDAP server URL
# NOTE(review): plain ldap:// on 389 with TLSEnable no below means the bind
# password and every VPN user's password cross the network in cleartext;
# once the bind problem is solved, use ldaps:// or TLSEnable yes.
URL ldap://192.168.1.18:389
# Service account used for the initial bind and the user search.
# NOTE(review): the server log reports the bind as
# CN=openvpnquery,CN=Users,DC=...,DC=net, while this line uses the UPN form
# with a .com suffix and BaseDN below uses DC=...,DC=net -- confirm the
# running config and the account's UPN suffix match. AD "data 52e" in the
# log is its code for a wrong password or unknown account.
BindDN openvpnquery@domain.com
# Plaintext bind credential -- keep this file readable only by the
# OpenVPN service user.
Password Password
Timeout 15
# See the URL note above: no transport protection is configured.
TLSEnable no
FollowReferrals no
</LDAP>
<Authorization>
# Subtree searched for the VPN user's entry.
BaseDN "DC=domain,DC=net"
# %u is replaced by the username supplied to auth-user-pass.
SearchFilter "sAMAccountName=%u"
# NOTE(review): with RequireGroup false any directory account that can
# bind is allowed onto the VPN; consider RequireGroup true with a <Group>
# block to limit access to a dedicated VPN group.
RequireGroup false
</Authorization>
Server config
# OpenVPN server configuration (FreeBSD, OpenVPN 2.5).
# Clients must present a certificate signed by ca.crt AND pass the
# LDAP username/password check performed by the plugin below.
local 192.168.1.5
proto udp4
dev tun
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/issued/server.crt
key /usr/local/etc/openvpn/server/private/server.key # This file should be kept secret
dh /usr/local/etc/openvpn/server/dh.pem
# VPN address pool handed to clients.
server 10.9.0.0 255.255.255.0
# NOTE(review): the other push lines quote their argument; a push value
# containing spaces must be quoted (push "route x.x.x.x <netmask>"), and
# route normally takes a netmask -- confirm this line is what is really
# deployed and not just mangled while pasting.
push route x.x.x.x
push "dhcp-option DNS y.y.y.y"
push "dhcp-option DOMAIN domain.net"
# HMAC on the control channel; drops unauthenticated packets before the
# TLS handshake.
tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
tls-version-min 1.2
cipher AES-256-GCM
data-ciphers AES-256-GCM
persist-key
persist-tun
# Revoked client certificates are rejected at connect time.
crl-verify /usr/local/etc/openvpn/crl/crl.pem
# Second factor: username/password verified against AD via LDAP. The
# plugin path is the one named in the PLUGIN_CALL lines of the log.
plugin /usr/local/lib/openvpn-auth-ldap.so "/usr/local/etc/openvpn/server/auth-ldap.conf"
reneg-sec 28800
auth SHA256
# NOTE(review): no user/group privilege-drop directives appear in the
# posted config -- confirm whether the daemon keeps running as root after
# startup, and add user/group if it does.
Client config
# OpenVPN client configuration matching the server above.
client
dev tun
;proto tcp
proto udp
remote z.z.z.z
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# Only accept a server certificate with the server EKU -- prevents a
# stolen client cert from impersonating the server.
remote-cert-tls server
# Must use the same ta.key as the server, with the opposite direction (1).
tls-auth ta.key 1
cipher AES-256-GCM
verb 3
;mute 20
# Do not keep the prompted username/password in memory across renegotiations.
auth-nocache
auth SHA256
# Prompts for the credentials that the server's LDAP plugin verifies.
auth-user-pass
allow-pull-fqdn
;redirect-gateway def1
# Client never initiates renegotiation; the server's reneg-sec 28800 still applies.
reneg-sec 0