We are having an OpenVPN client authorization problem.
We have set up LDAP authorization. I am sure that the user and password defined in Active Directory are correct.
OpenVPN is binding to AD (Active Directory) successfully. However, my user (user1) is not able to authenticate.
I added the logs of the problem, and the server, LDAP plugin, and client definitions respectively. Thank you very much for your help in advance.
LOGS:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 TLS: Initial packet from [AF_INET]81.81.10.12:63438, sid=99840e06 2fc28386
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston_CA/name=EasyRSA/emailAddress=me@myhost.mydomain
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=ovpnClient/name=EasyRSA/emailAddress=me@myhost.mydomain
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_GUI_VER=ovpnmi_1.0.0
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_VER=3.2__qa:d87f5bbc04)
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_PLAT=win
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_NCP=2
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_TCPNL=1
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_PROTO=2
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: UV_ASCLI_VER=2.7.1.104
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: UV_PLAT_REL=Windows_10_Enterprise_6.3.18363
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580)
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: Incorrect password supplied for LDAP DN "CN=user1,CN=Users,DC=izmir,DC=com,DC=tr".
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 TLS Auth Error: Auth Username/Password verification failed for peer
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1557'
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 [ovpnClient] Peer Connection Initiated with [AF_INET]81.81.10.12:63438
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 PUSH: Received control message: 'PUSH_REQUEST'
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 Delayed exit in 5 seconds
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 SENT CONTROL [ovpnClient]: 'AUTH_FAILED' (status=1)
May 23 14:51:19 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 SIGTERM[soft,delayed-exit] received, client-instance exiting
Server config
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
verb 3
status /opt/whynot/etc/openvpn/status/vtun0.status 30
writepid /var/run/openvpn/vtun0.pid
daemon openvpn-vtun0
dev-type tun
dev vtun0
user openvpn
group openvpn
persist-key
iproute /usr/libexec/vyos/system/unpriv-ip
proto udp
persist-tun
mode server
tls-server
keepalive 10 30
management /tmp/openvpn-mgmt-intf unix
push "route 10.100.110.0 255.255.255.0"
server 192.168.168.0 255.255.255.0
ca /config/auth/ovpn/4ldaptest/ca.crt
cert /config/auth/ovpn/4ldaptest/ovpnServer.crt
key /config/auth/ovpn/4ldaptest/ovpnServer.key
dh /config/auth/ovpn/4ldaptest/dh2048.pem
compress lzo
cipher aes-256-cbc
compat-names
--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ovpn/auth-ldap-test.conf
--mssfix
LDAP PLUGIN CONF:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
<LDAP>
# LDAP server URL
URL ldap://192.168.33.11
# Bind DN (If your LDAP server doesn’t support anonymous binds)
BindDN CN=user1,CN=users,DC=izmir,DC=com,DC=tr
# Bind Password
Password P1w2DkyW
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
</LDAP>
<Authorization>
BaseDN "DC=izmir,DC=com,DC=tr"
SearchFilter "sAMAccountName=%u"
RequireGroup false
</Authorization>
Client config
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
client
proto udp
dev tun
remote 81.99.81.33 1194
auth-user-pass
auth-retry interact
cert ovpnClient.crt
key ovpnClient.key
ca ca.crt
cipher AES-256-CBC
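The two plugin lines in the log above carry the actual diagnosis: Active Directory answered the bind for the user's DN with sub-code "data 52e", which is AD's "invalid credentials" result (as opposed to 525, which would mean the account was not found by the search filter). The following added script, not part of the post or of openvpn-auth-ldap, pulls those sub-codes out of openvpn-auth-ldap log lines and pairs each one with the DN the plugin reports, so a defender can tell a bad password from a disabled, locked or expired account; the sample lines are copied from the post and the sub-code table is the standard AD AcceptSecurityContext list.

```python
import re

# Constructed sample input: the two openvpn-auth-ldap lines from the post above.
SAMPLE_LOG = """\
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580)
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: Incorrect password supplied for LDAP DN "CN=user1,CN=Users,DC=izmir,DC=com,DC=tr".
"""

# AD "data" sub-codes returned with AcceptSecurityContext errors (hex, as AD prints them).
AD_SUBCODES = {
    "525": "user not found (DN/search filter did not resolve the account)",
    "52e": "invalid credentials (account resolved, password rejected)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# First plugin line: generic LDAP message plus the AD sub-code.
BIND_FAIL_RE = re.compile(
    r"LDAP bind failed: (?P<msg>[^(]+)\(.*?AcceptSecurityContext error, data (?P<code>[0-9a-f]+)"
)
# Second plugin line: the DN the plugin tried to bind as.
DN_RE = re.compile(r'Incorrect password supplied for LDAP DN "(?P<dn>[^"]+)"')


def diagnose(log_text):
    """Return one finding per AD bind failure, each paired with the DN reported next."""
    findings = []
    pending = None
    for line in log_text.splitlines():
        m = BIND_FAIL_RE.search(line)
        if m:
            code = m.group("code")
            pending = {"code": code, "ldap_msg": m.group("msg").strip(),
                       "reason": AD_SUBCODES.get(code, "unknown sub-code"), "dn": None}
            findings.append(pending)
            continue
        m = DN_RE.search(line)
        if m and pending is not None:
            pending["dn"] = m.group("dn")
            pending = None
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['dn']}: data {f['code']} -> {f['reason']}")
```

Run it over the live server log to check whether every failure is 52e (a password problem between the client and AD) or whether some sessions fail with 533/775, which would point at the account state rather than the credentials.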