Struggling to get OpenLDAP to work with chrooted OpenVPN

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
maxwellian
OpenVpn Newbie
Posts: 3
Joined: Fri Jan 04, 2019 9:40 am

Struggling to get OpenLDAP to work with chrooted OpenVPN

Post by maxwellian » Fri Jan 04, 2019 11:22 am

Hello All,

As part of my efforts to harden my OpenVPN server I have followed the advice outlined here https://community.openvpn.net/openvpn/w ... indowsonly in order to isolate the OpenVPN daemon.

The LDAP server currently authenticates connections via an OLDAP server, which has worked without issue on an un-chrooted server, but now I am getting the following error when attempting to connect:

Code: Select all

Jan 03 16:01:26  openvpn[593]: Unable to enable STARTTLS: Can't contact LDAP server
Jan 03 16:01:26  openvpn[593]: Unable to enable STARTTLS: Can't contact LDAP server
Jan 03 16:01:26  openvpn[593]: LDAP connect failed.
Jan 03 16:01:26  openvpn[593]: Thu Jan  3 16:01:26 2019 us=842953 1.1.1.1:8731 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Jan 03 16:01:26  openvpn[593]: Thu Jan  3 16:01:26 2019 us=842975 1.1.1.1:8731 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
Jan 03 16:01:26  openvpn[593]: Thu Jan  3 16:01:26 2019 us=843018 1.1.1.1:8731 TLS Auth Error: Auth Username/Password verification failed for peer
Jan 03 16:01:26  openvpn[593]: Thu Jan  3 16:01:26 2019 us=843092 1.1.1.1:8731 UDPv4 WRITE [307] to [AF_INET]1.1.1.1:8731: P_CONTROL_V1 kid=0 pid=[ #6 ] [ 3 ] pid=5 DATA len=253
Jan 03 16:01:26  openvpn[593]: LDAP connect failed.
The LDAP server and the OVPN server both reside in separate VPCs but they have peering set up. I can also telnet into the LDAP server from the OVPN box and when I revert it back to a standard setup (remove chroot directive from server.conf) it works without issue.

My server.conf looks like so:

Code: Select all

# https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-version-min
tls-version-min 1.2

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
cipher AES-256-CBC

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user openvpn
group openvpn

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 7

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

chroot /etc/openvpn/jail

client-cert-not-required
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
and finally, my LDAP.conf looks like this:

Code: Select all

<LDAP>
	# LDAP server URL
	URL		ldap://ldap.foo.com

	# Bind DN (If your LDAP server doesn't support anonymous binds)
	# BindDN		uid=Manager,ou=People,dc=example,dc=com

	# Bind Password
	# Password	SecretPassword

	# Network timeout (in seconds)
	Timeout		15

	# Enable Start TLS
	TLSEnable	yes

	# Follow LDAP Referrals (anonymously)
	FollowReferrals yes

	# TLS CA Certificate File
	#TLSCACertFile	/usr/local/etc/ssl/ca.pem

	# TLS CA Certificate Directory
	#TLSCACertDir	/etc/ssl/certs

	# Client Certificate and key
	# If TLS client authentication is required
	#TLSCertFile	/usr/local/etc/ssl/client-cert.pem
	#TLSKeyFile	/usr/local/etc/ssl/client-key.pem

	# Cipher Suite
	# The defaults are usually fine here
	# TLSCipherSuite	ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
	# Base DN
	BaseDN		"ou=users,dc=acmecorp,dc=com"

	# User Search Filter
	SearchFilter	"(uid=%u)"

	# Require Group Membership
	RequireGroup	false

	# Add non-group members to a PF table (disabled)
	#PFTable	ips_vpn_users

	<Group>
		BaseDN		"ou=groups,dc=acmecorp,dc=com"
		SearchFilter	"(|(cn=developers)(cn=testers))"
		MemberAttribute	uniqueMember
		# Add group members to a PF table (disabled)
		#PFTable	ips_vpn_eng
	</Group>
</Authorization>
I imagine if it's anything it could be permissions related. I have tried moving the ldap.conf into /etc/openvpn/jail but still no luck. When reverting it all back to non-chroot it was able to connect to OLDAP without any issue.

Has anyone managed to successfully chroot OpenVPN that authenticates against a remote LDAP server? Perhaps someone could advise me on the best steps to check past what I have mentioned already.

maxwellian
OpenVpn Newbie
Posts: 3
Joined: Fri Jan 04, 2019 9:40 am

Re: Struggling to get OpenLDAP to work with chrooted OpenVPN

Post by maxwellian » Fri Jan 04, 2019 2:29 pm

I forgot to mention, I am running OpenVPN on a Centos7 server

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5441
Joined: Fri Jun 03, 2016 1:17 pm

Re: Struggling to get OpenLDAP to work with chrooted OpenVPN

Post by TinCanTech » Fri Jan 04, 2019 5:58 pm

You need to learn how to use chroot because all OpenVPN does is change root, the rest is up to you.

maxwellian
OpenVpn Newbie
Posts: 3
Joined: Fri Jan 04, 2019 9:40 am

Re: Struggling to get OpenLDAP to work with chrooted OpenVPN

Post by maxwellian » Mon Jan 07, 2019 10:21 am

Fair enough, but have you managed to get a chrooted openVPN working with OLDAP authentication?

Post Reply