LDAP + post-auth + Google Authenticator

jj
OpenVpn Newbie
Posts: 11
Joined: Tue Sep 26, 2017 11:04 pm

LDAP + post-auth + Google Authenticator

Post by jj » Tue Sep 26, 2017 11:17 pm

Hi,
So we are using LDAP as our authentication method and have a post-auth script to map users to an access group. Now we want to add Google Authenticator to our setup. But after enabling Google Authenticator, it looks like the post-auth script overrides Google Authenticator and the user is able to log in using username + password. Is there a way to have both? Maybe we can add a Google Authenticator call to the post-auth script?

Thank you.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: LDAP + post-auth + Google Authenticator

Post by novaflash » Wed Sep 27, 2017 8:22 am

? LDAP + post_auth + Google Authenticator is being used by plenty of people. Are you sure it's not just a matter of testing with the wrong account or having made a mistake in the post_auth script?
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.


Re: LDAP + post-auth + Google Authenticator

Post by jj » Wed Sep 27, 2017 5:15 pm

Hi,
Here's what I did:
LDAP + post-auth have been working great for some time now. We recently decided to add MFA. I enabled Google Authenticator from the Admin UI. Used a non-admin user to test the following. Went to the client web server, logged in, scanned the QR code and clicked the 'I scanned the code' button, was redirected to https://openvpnserver:943/?src=connect& ... _auth=true to re-login using Google Authenticator. I add username and password and click on Go; now, instead of asking for the Google Authenticator code, it just takes me to the download page for OpenVPN Connect: 'Please click here to continue to download OpenVPN Connect. You will be automatically connected after the installation has finished.'

Next I tried downloading the user profile from the client web server. The profile has 'auth-user-pass' and 'static-challenge "Enter Google Authenticator code"' as expected. Now, if I enter username, password and code, the server replies 'Google authenticator must be activated for the user'. If I don't enter the code, I can connect.

The server's confdba has "vpn.server.google_auth.enable": "true" though.

I am really confused here about why the server is not acknowledging GA.

Thank you.


Re: LDAP + post-auth + Google Authenticator

Post by novaflash » Thu Sep 28, 2017 7:20 am

So am I. I've tried to replicate this, but I can't. Perhaps something was done to the post-auth script that breaks authentication steps coming after it, like Google Authenticator. If you remove the post-auth script, does Google Authenticator work then? If it does, can you try the script here for LDAP group mapping without adjusting it to your settings? Does it work then for any of your already registered users?

Have you done anything to the __DEFAULT__ user account perhaps, or changed properties of users via the command line?

See these pages;
https://docs.openvpn.net/configuration/ ... th_scripts
https://docs.openvpn.net/command-line/m ... Properties


Re: LDAP + post-auth + Google Authenticator

Post by jj » Thu Sep 28, 2017 4:41 pm

Hi novaflash,
Thanks. I'll try the above things and get back to you. Also, do I need to add the 'prop_google_auth' = 'true' property to my groups in the userdb in addition to setting vpn.server.google_auth.enable to true?


Re: LDAP + post-auth + Google Authenticator

Post by novaflash » Thu Sep 28, 2017 4:58 pm

No. If it's enabled globally, e.g. via the Admin UI by going to Client Settings and enabling it there, then by default it applies to all users, except autologin profiles and the 'openvpn' user.

If there are other properties in the groups and users that say otherwise, then those properties take precedence.


Re: LDAP + post-auth + Google Authenticator

Post by jj » Thu Sep 28, 2017 5:37 pm

Hi novaflash,
I noticed that the example LDAP group mapping post-auth script returns authret and proplist. We just update authret['proplist']['conn_group'] and return authret. Does this have any significance?


Re: LDAP + post-auth + Google Authenticator

Post by novaflash » Thu Sep 28, 2017 5:42 pm

That's a very good question. Unfortunately I don't know. But we do know the example group mapping post-auth script does work properly, so maybe adjust the code so you return information in the same way?

I mean, I can see how losing user property information in post_auth can cause Google Authenticator not to trigger. Using Google Authenticator is a user property, inherited in your case from a global setting.


Re: LDAP + post-auth + Google Authenticator

Post by jj » Thu Sep 28, 2017 9:16 pm

I think I know what the issue with my post-auth script was. 1. I had GROUP_SELECT = True in my script. I don't know how this is relevant to GA, but on removing this, "pvt_google_auth_secret_locked" becomes true after I click the 'I scanned the code' button in the UI, which was not happening before. 2. I had to return proplist['conn_group'] as a second return parameter from the post_auth function.

Any idea why having GROUP_SELECT = True was not allowing the secret to lock? The documentation for post-auth says the following:

When setting conn_group in the script, you should generally include GROUP_SELECT = True in the top-level, global part of your script. This tells the AS to do a late user properties lookup, so that the user properties will be taken from the group chosen by the post-auth script. Additionally, any user properties returned by the script in authret['proplist'] will override those read from the user properties DB.

Thank you.
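
The two points in the post above (the script must return the properties it sets as the second element of a (authret, proplist) tuple, and it must not discard the properties the server already resolved) can be shown with a small post-auth hook. The following is an added example written for this thread; it is not OpenVPN Inc.'s LDAP group-mapping script and not code from the original posts. It assumes the documented post_auth(authcred, attributes, authret, info) signature, that a successful LDAP result carries status 1 in authret (constant assumed here), that info['auth_method'] names the auth method, and that the inherited MFA property appears in authret['proplist'] as prop_google_auth. The LDAP group DNs, the group mapping, and the authret dict are constructed sample data so the hook can be exercised offline; the "lossy" variant reproduces the replace-proplist-and-return-only-authret pattern described in the thread so the difference is visible.

```python
import copy

# "Late" user-properties lookup: the AS resolves the user's properties from the
# group this script picks (per the post_auth documentation quoted in the thread).
GROUP_SELECT = True

# Assumed mapping of LDAP group DNs (lower-cased) to Access Server group names.
LDAP_GROUP_TO_AS_GROUP = {
    "cn=vpn-admins,ou=groups,dc=example,dc=com": "admins",
    "cn=vpn-staff,ou=groups,dc=example,dc=com": "staff",
}
DEFAULT_GROUP = "staff"   # assumed fallback when no mapped DN matches
SUCCEED = 1               # assumed value of authret['status'] after a successful auth


def choose_group(member_of):
    """Return the AS group for the first mapped DN in memberOf, else the default."""
    for dn in member_of:
        group = LDAP_GROUP_TO_AS_GROUP.get(dn.lower())
        if group is not None:
            return group
    return DEFAULT_GROUP


def post_auth_lossy(authcred, attributes, authret, info):
    """The pattern described in the thread: proplist replaced wholesale and only
    authret returned.  Every inherited property, including prop_google_auth,
    is dropped, so nothing is left to make the server ask for the TOTP code."""
    authret["proplist"] = {"conn_group": choose_group(attributes.get("memberOf", []))}
    return authret


def post_auth(authcred, attributes, authret, info):
    """Map LDAP membership to conn_group while keeping inherited properties.

    Returns (authret, proplist), the shape the documented group-mapping script uses."""
    # Never touch a failed authentication: a group-mapping hook must not upgrade it.
    if authret.get("status") != SUCCEED:
        return authret, {}
    # Only act for the LDAP auth method (info['auth_method'] is an assumption here).
    if info.get("auth_method") != "ldap":
        return authret, {}
    proplist = {"conn_group": choose_group(attributes.get("memberOf", []))}
    # Merge into the existing proplist instead of replacing it, so prop_google_auth
    # and the other properties the server already resolved survive.
    authret.setdefault("proplist", {}).update(proplist)
    return authret, proplist


# --- constructed sample data, not captured from a real server ---
def sample_authret():
    """Fresh copy of what a successful LDAP result with inherited MFA might look like."""
    return copy.deepcopy({
        "status": SUCCEED,
        "user": "jdoe",
        "reason": None,
        "proplist": {"prop_google_auth": "true", "prop_autologin": "false"},
    })

SAMPLE_ATTRIBUTES = {
    "memberOf": [
        "CN=vpn-admins,OU=groups,DC=example,DC=com",
        "CN=vpn-staff,OU=groups,DC=example,DC=com",
    ]
}
SAMPLE_INFO = {"auth_method": "ldap"}


def mfa_survives(hook):
    """Run a hook on fresh sample data; report (prop_google_auth kept?, conn_group)."""
    result = hook({"username": "jdoe"}, SAMPLE_ATTRIBUTES, sample_authret(), SAMPLE_INFO)
    authret = result[0] if isinstance(result, tuple) else result
    props = authret.get("proplist", {})
    return props.get("prop_google_auth") == "true", props.get("conn_group")


if __name__ == "__main__":
    print("lossy script  :", mfa_survives(post_auth_lossy))  # (False, 'admins')
    print("merging script:", mfa_survives(post_auth))        # (True, 'admins')
```

The useful habit when debugging this on a real server is the one suggested later in the thread: print authret['proplist'] at the top and bottom of post_auth and compare, so a property that disappears between the two is visible before the connection attempt.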


Re: LDAP + post-auth + Google Authenticator

Post by novaflash » Fri Sep 29, 2017 6:45 am

I'm afraid I'm not that deep into post_auth script programming, sorry. But my guess would be that somehow the property that gets set to enable the Google Authenticator requirement, which gets inherited from a global setting in your case, was removed by one of the actions taken by your post_auth script.

I can see that in the post_auth script that OpenVPN Inc. provides, this is done this way and the issue therefore doesn't show.

If you want to dig deeper, try printing out the properties list for the user here and there in the script to see what happens, and which properties survive or disappear. You can also use the authcli command-line script to see what properties are reported when you attempt authentication.
