ldap(active directory) authentication problem

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
osmanerdemguven
OpenVpn Newbie
Posts: 1
Joined: Sat May 23, 2020 10:41 am

ldap(active directory) authentication problem

Post by osmanerdemguven » Sat May 23, 2020 12:13 pm

Hi to all.
We are having openvpn client authorization problem.
We have set up LDAP authorization. I am sure that the user and password defined in Active Directory are correct.
openvpn is binding to AD(active directory) successfully. However my user(user1) not able to authenticated.
I added the logs of the problem, server, ldap-plugin, and client definitions respectively. thank you very much for your help in advance.

LOGS:

Code: Select all

-----------------------------------------------------------------------------------------------------------------------------------------------------------------
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 TLS: Initial packet from [AF_INET]81.81.10.12:63438, sid=99840e06 2fc28386
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston_CA/name=EasyRSA/emailAddress=me@myhost.mydomain
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=ovpnClient/name=EasyRSA/emailAddress=me@myhost.mydomain
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_GUI_VER=ovpnmi_1.0.0
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_VER=3.2__qa:d87f5bbc04)
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_PLAT=win
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_NCP=2
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_TCPNL=1
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_PROTO=2
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: UV_ASCLI_VER=2.7.1.104
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: UV_PLAT_REL=Windows_10_Enterprise_6.3.18363
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580)
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: Incorrect password supplied for LDAP DN "CN=user1,CN=Users,DC=izmir,DC=com,DC=tr".
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 TLS Auth Error: Auth Username/Password verification failed for peer
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1557'
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 [ovpnClient] Peer Connection Initiated with [AF_INET]81.81.10.12:63438
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 PUSH: Received control message: 'PUSH_REQUEST'
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 Delayed exit in 5 seconds
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 SENT CONTROL [ovpnClient]: 'AUTH_FAILED' (status=1)
May 23 14:51:19 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 SIGTERM[soft,delayed-exit] received, client-instance exiting
Server config

-----------------------------------------------------------------------------------------------------------------------------------------------------------------
verb 3
status /opt/whynot/etc/openvpn/status/vtun0.status 30
writepid /var/run/openvpn/vtun0.pid
daemon openvpn-vtun0

dev-type tun
dev vtun0
user openvpn
group openvpn
persist-key
iproute /usr/libexec/vyos/system/unpriv-ip

proto udp
persist-tun

mode server
tls-server
keepalive 10 30
management /tmp/openvpn-mgmt-intf unix

push "route 10.100.110.0 255.255.255.0"
server 192.168.168.0 255.255.255.0

ca /config/auth/ovpn/4ldaptest/ca.crt
cert /config/auth/ovpn/4ldaptest/ovpnServer.crt
key /config/auth/ovpn/4ldaptest/ovpnServer.key
dh /config/auth/ovpn/4ldaptest/dh2048.pem

compress lzo
cipher aes-256-cbc

compat-names

--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ovpn/auth-ldap-test.conf
--mssfix


LDAP PLUGIN CONF:

Code: Select all

-----------------------------------------------------------------------------------------------------------------------------------------------------------------
<LDAP>
  # LDAP server URL
  URL ldap://192.168.33.11
  # Bind DN (If your LDAP server doesn’t support anonymous binds)
  BindDN CN=user1,CN=users,DC=izmir,DC=com,DC=tr
  # Bind Password
  Password P1w2DkyW
  # Network timeout (in seconds)
  Timeout  15
  # Enable Start TLS
  TLSEnable no
  # Follow LDAP Referrals (anonymously)
  FollowReferrals yes
</LDAP>

<Authorization>
  BaseDN          "DC=izmir,DC=com,DC=tr"
  SearchFilter    "sAMAccountName=%u"
  RequireGroup    false
</Authorization>
Client config

-----------------------------------------------------------------------------------------------------------------------------------------------------------------
client
proto udp
dev tun
remote 81.99.81.33 1194
auth-user-pass
auth-retry interact
cert ovpnClient.crt
key ovpnClient.key
ca ca.crt
cipher AES-256-CBC
Last edited by Pippin on Sat May 23, 2020 12:24 pm, edited 1 time in total.
Reason: Formatting

Post Reply