Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).
-
adamincanada
- OpenVpn Newbie
- Posts: 2
- Joined: Sun Jan 03, 2010 4:28 am
Post by adamincanada » Sun Jan 03, 2010 4:33 am
This Perl script can be used for authentication with Active Directory and for connection tracking.
Add the following lines to your server configuration file:
auth-user-pass-verify /path-to/openvpn-super.pl via-env
client-connect /path-to/openvpn-super.pl
client-disconnect /path-to/openvpn-super.pl
/etc/openvpn-super.conf
Code:
# The Windows domain to use for Kerberos authentication
domain = example.ca
# The domain controllers to use, in order of preference
dc = dc1.example.ca
dc = dc2.example.ca
# The Active Directory group that the user must be in
group = cn=VPN Users,ou=SomeOU,dc=example,dc=ca
# The mail server to use for sending notifications
mailserver = mail.example.ca
# The recipients for notification messages
mailto = john.smith\@example.ca
mailto = mike\@example.ca
# The log file to use
logfile = /var/log/openvpn.log
openvpn-super.pl see below
Last edited by adamincanada on Sun Jan 03, 2010 5:45 pm, edited 1 time in total.
-
ecrist
- Forum Team
- Posts: 237
- Joined: Wed Nov 26, 2008 10:33 pm
- Location: Northern Minnesota, USA
Post by ecrist » Mon Jan 04, 2010 2:26 pm
Here is the perl script.
-
rooneymu
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Jan 11, 2011 3:54 am
Post by rooneymu » Mon Feb 07, 2011 6:14 pm
What should I configure in client.ovpn?
-
adamincanada
- OpenVpn Newbie
- Posts: 2
- Joined: Sun Jan 03, 2010 4:28 am
Post by adamincanada » Tue Feb 08, 2011 1:36 am
I use the following lines:
# Authentication setup
client-cert-not-required
username-as-common-name
auth-user-pass-verify /bin/scripts/openvpn-super.pl via-env
# Notification and logging setup
client-connect /bin/scripts/openvpn-super.pl
client-disconnect /bin/scripts/openvpn-super.pl
Hope it works!
-
tombodet
- OpenVPN User
- Posts: 22
- Joined: Wed Jun 29, 2011 5:32 pm
Post by tombodet » Tue Aug 02, 2011 7:08 pm
Anyone try this on 64bit?
I'm getting the following when I run directly from the command line as a test:
Can't locate Authen/Krb5/Simple.pm in @INC (@INC contains: /usr/lib/perl5/5.8.8/Filter/ /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at auth_ad_super.pl line 581.
BEGIN failed--compilation aborted at auth_ad_super.pl line 581.
Funny thing is, Simple.pm is in fact in the first @INC directory:
find / -name Simple.pm
/usr/lib/perl5/5.8.8/Filter/Simple.pm
/usr/lib/perl5/5.8.8/Test/Simple.pm
This is Centos 5.6 with perl installed from yum:
perl.x86_64 4:5.8.8-32.el5_5.2 installed
perl-Authen-Krb5.x86_64 1.9-1.el5 installed
perl-String-CRC32.x86_64 1.4-2.fc6 installed
Am I missing another package or do I need to set something else since it's 64 bit?
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Post by janjust » Wed Aug 03, 2011 10:58 am
try
Code:
yum install perl-Authen-Krb5-Simple
-
tombodet
- OpenVPN User
- Posts: 22
- Joined: Wed Jun 29, 2011 5:32 pm
Post by tombodet » Wed Aug 03, 2011 12:45 pm
janjust wrote:
try
Code:
yum install perl-Authen-Krb5-Simple
Doesn't exist. Besides the base repo I have EPEL installed as well.
edit:
Hold the phone, found an rpm for it. That got me past that line, then it wanted perl-LDAP. That got me what I believe is a running script:
./auth_ad_super.pl
2011-08-03 08:55:12 Invalid script_type: "" (expected client-connect, client-disconnect, or auth-user-pass-verify)
If it's giving me that output, I believe it's compiling; I now need to fix the config?
Last edited by tombodet on Wed Aug 03, 2011 12:58 pm, edited 1 time in total.
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Post by janjust » Wed Aug 03, 2011 12:53 pm
hmmm I use CentOS 5 as well; on my box it's in the rpmforge repo:
Code:
[rpmforge]
name = RHEL $releasever - RPMforge.net - dag
baseurl = http://apt.sw.be/redhat/el5/en/$basearch/rpmforge
mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
-
tombodet
- OpenVPN User
- Posts: 22
- Joined: Wed Jun 29, 2011 5:32 pm
Post by tombodet » Wed Aug 03, 2011 1:00 pm
Sorry Jan, I didn't refresh and updated my previous post.
I didn't realize rpmforge had a repo, that's actually where I got the rpm directly from.
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Post by janjust » Wed Aug 03, 2011 1:13 pm
yes, now fix the config and add the lines to the server config as posted earlier:
Code:
# Authentication setup
client-cert-not-required
username-as-common-name
auth-user-pass-verify /bin/scripts/openvpn-super.pl via-env
# Notification and logging setup
client-connect /bin/scripts/openvpn-super.pl
client-disconnect /bin/scripts/openvpn-super.pl
if your script is named 'auth_ad_super.pl' then adjust accordingly.
-
izghitu
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Aug 29, 2011 6:51 pm
Post by izghitu » Mon Aug 29, 2011 7:34 pm
Hi,
I tried to set this up but whenever I try to auth using a user/pass from the AD I get this in the openvpn logs:
Code:
WARNING: Failed running command (--auth-user-pass-verify): external program fork failed
TLS Auth Error: Auth Username/Password verification failed for peer
I get this when running it from command line:
Code:
[root@vpn openvpn]# ./openvpn-super.pl -c /etc/openvpn-super.conf -d
Configuration file parameters:
dc HASH(0x87a6d60)
-> 0 HOST
domain domain.com
group cn=Remote Desktop Users,ou=Domain Controllers,dc=domain,dc=com
logfile /var/log/openvpn.log
mailserver localhost
recipients HASH(0x8bc0db0)
-> email@gmail.com
2011-08-29 17:46:43 Invalid script_type: "" (expected client-connect, client-disconnect, or auth-user-pass-verify)
Am I doing something wrong?
Please help
-
izghitu
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Aug 29, 2011 6:51 pm
Post by izghitu » Mon Aug 29, 2011 7:48 pm
I've set the log file to /var/log/openvpn.log in both the config and in the script, and set the debug to 1, but I get no output in /var/log/openvpn.log when authenticating via openvpn.
Please help
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Post by janjust » Tue Aug 30, 2011 10:14 am
Code:
WARNING: Failed running command (--auth-user-pass-verify): external program fork failed
TLS Auth Error: Auth Username/Password verification failed for peer
this suggests that the script cannot be executed. Try adding
restart the server and try again.
-
izghitu
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Aug 29, 2011 6:51 pm
Post by izghitu » Tue Aug 30, 2011 7:39 pm
This is what I get:
Code:
WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
TLS Auth Error: Auth Username/Password verification failed for peer
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
[] Peer Connection Initiated with IP:49270
PUSH: Received control message: 'PUSH_REQUEST'
Delayed exit in 5 seconds
SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
IP:49270 SIGTERM[soft,delayed-exit] received, client-instance exiting
And I finally got an email. The email says:
Code:
Details: Cannot find KDC for requested realm (0x9a)
What's KDC? Please advise
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Post by janjust » Tue Aug 30, 2011 8:56 pm
KDC = Kerberos Domain Controller
In AD speak this is pretty much the same as the Active Directory server; it seems the AD authentication fails due to a realm mismatch; sorry, but I can't help you there, as I'm clueless as to how AD works.
-
izghitu
- OpenVpn Newbie
- Posts: 5
- Joined: Mon Aug 29, 2011 6:51 pm
Post by izghitu » Wed Aug 31, 2011 4:53 am
Thanks for your help so far. One last question if you don't mind.
So the KDC is the IP or hostname of the AD server right? Then what's realm?
-
janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Post by janjust » Wed Aug 31, 2011 7:46 am
this is getting off-topic for the openvpn forum... troubleshoot your connection to the AD server first, e.g. by reading up on
http://www.linuxmail.info/troubleshooti ... -centos-5/
it looks like you either use the wrong IP address of the AD server or you misspelled the Active Directory Realm, which is case-sensitive.
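Pulling the thread's pieces together as an added Python example (not the forum's openvpn-super.pl, whose attachment is not reproduced here): a parser for the /etc/openvpn-super.conf format from the first post, the script_type dispatch behind the "Invalid script_type" message that appears when the script is run by hand with no OpenVPN environment, and the upper-case Kerberos realm derived from the domain setting. The check_credentials callback, the function names and the sample config in the test are this example's own assumptions.

```python
"""Added example (not the forum's openvpn-super.pl): an OpenVPN 'via-env'
script that dispatches on script_type, plus a parser for the
/etc/openvpn-super.conf format in the thread. The Kerberos/LDAP check is
supplied by the caller so the example runs offline."""
import os
import sys

MULTI_KEYS = ("dc", "mailto")  # keys the sample config repeats

def parse_conf(text):
    """Parse 'key = value' lines; '#' comments and blank lines are skipped.
    Keys in MULTI_KEYS collect into lists, in order of preference."""
    conf = {k: [] for k in MULTI_KEYS}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = (s.strip() for s in line.split("=", 1))
        if key in MULTI_KEYS:
            conf[key].append(value)
        else:
            conf[key] = value
    return conf

def kerberos_principal(conf, username):
    """AD's Kerberos realm is the DNS domain in upper case, and realm names
    are case-sensitive: a common cause of 'Cannot find KDC for requested realm'."""
    return f"{username}@{conf['domain'].upper()}"

def handle(env, check_credentials):
    """Return the exit status OpenVPN expects: 0 accepts, 1 rejects."""
    script_type = env.get("script_type", "")
    if script_type == "auth-user-pass-verify":
        user, password = env.get("username", ""), env.get("password", "")
        if not user or not password:
            return 1
        return 0 if check_credentials(user, password) else 1
    if script_type in ("client-connect", "client-disconnect"):
        return 0  # connection-tracking hooks: log common_name, then proceed
    # Run by hand there is no OpenVPN environment, so script_type is empty:
    print(f'Invalid script_type: "{script_type}" (expected client-connect, '
          "client-disconnect, or auth-user-pass-verify)", file=sys.stderr)
    return 1

if __name__ == "__main__":
    sys.exit(handle(os.environ, lambda user, password: False))
```

On OpenVPN 2.1 and later, passing the password through the environment (via-env) additionally requires script-security 3 in the server config, and any process that can read the script's environment can read that password, so keep the script's runtime user and permissions tight.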