Struggling to get OpenLDAP to work with chrooted OpenVPN
Posted: Fri Jan 04, 2019 11:22 am
Hello All,
As part of my efforts to harden my OpenVPN server I have followed the advice outlined here https://community.openvpn.net/openvpn/w ... indowsonly in order to isolate the OpenVPN daemon.
The LDAP server currently authenticates connections via an OLDAP server, which has worked without issue on an un-chrooted server, but now I am getting the following error when attempting to connect:
The LDAP server and the OVPN server both reside in separate VPCs but they have peering set up. I can also telnet into the LDAP server from the OVPN box and when I revert it back to a standard setup (remove chroot directive from server.conf) it works without issue.
My server.conf looks like so:
and finally, my LDAP.conf looks like this:
I imagine if it's anything it could be permissions related. I have tried moving the ldap.conf into /etc/openvpn/jail but still no luck. When reverting it all back to non-chroot it was able to connect to OLDAP without any issue.
Has anyone managed to successfully chroot OpenVPN that authenticates against a remote LDAP server? Perhaps someone could advise me on the best steps to check past what I have mentioned already.
As part of my efforts to harden my OpenVPN server I have followed the advice outlined here https://community.openvpn.net/openvpn/w ... indowsonly in order to isolate the OpenVPN daemon.
The LDAP server currently authenticates connections via an OLDAP server, which has worked without issue on an un-chrooted server, but now I am getting the following error when attempting to connect:
Code: Select all
Jan 03 16:01:26 openvpn[593]: Unable to enable STARTTLS: Can't contact LDAP server
Jan 03 16:01:26 openvpn[593]: Unable to enable STARTTLS: Can't contact LDAP server
Jan 03 16:01:26 openvpn[593]: LDAP connect failed.
Jan 03 16:01:26 openvpn[593]: Thu Jan 3 16:01:26 2019 us=842953 1.1.1.1:8731 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Jan 03 16:01:26 openvpn[593]: Thu Jan 3 16:01:26 2019 us=842975 1.1.1.1:8731 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
Jan 03 16:01:26 openvpn[593]: Thu Jan 3 16:01:26 2019 us=843018 1.1.1.1:8731 TLS Auth Error: Auth Username/Password verification failed for peer
Jan 03 16:01:26 openvpn[593]: Thu Jan 3 16:01:26 2019 us=843092 1.1.1.1:8731 UDPv4 WRITE [307] to [AF_INET]1.1.1.1:8731: P_CONTROL_V1 kid=0 pid=[ #6 ] [ 3 ] pid=5 DATA len=253
Jan 03 16:01:26 openvpn[593]: LDAP connect failed.
My server.conf looks like so:
Code: Select all
# https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-version-min
tls-version-min 1.2
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
cipher AES-256-CBC
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user openvpn
group openvpn
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 7
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
chroot /etc/openvpn/jail
client-cert-not-required
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
Code: Select all
<LDAP>
# LDAP server URL
URL ldap://ldap.foo.com
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
# Bind Password
# Password SecretPassword
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
#TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
#TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
#TLSCertFile /usr/local/etc/ssl/client-cert.pem
#TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=users,dc=acmecorp,dc=com"
# User Search Filter
SearchFilter "(uid=%u)"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "ou=groups,dc=acmecorp,dc=com"
SearchFilter "(|(cn=developers)(cn=testers))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
Has anyone managed to successfully chroot OpenVPN that authenticates against a remote LDAP server? Perhaps someone could advise me on the best steps to check past what I have mentioned already.