ldap and PAM authentication openvpn/active directory

[sofien]

Dear all,

am trying to configure openvpn with ldap or pam authentication with my active directory server (openvpn server and Activedirectory server are in the same network).
i tryied with ldap and i can't succes login so i decide to test PAM but i have same issue

Below all of my conf and log file:

log file when tryin to connect with openvpn GUI using vpn profile

Code: Select all

Thu Feb 04 13:49:49 2021 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Thu Feb 04 13:49:49 2021 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Feb 04 13:49:49 2021 library versions: OpenSSL 1.1.0j  20 Nov 2018, LZO 2.10
Enter Management Password:
Thu Feb 04 13:49:49 2021 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25361
Thu Feb 04 13:49:49 2021 Need hold release from management interface, waiting...
Thu Feb 04 13:49:50 2021 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25361
Thu Feb 04 13:49:50 2021 MANAGEMENT: CMD 'state on'
Thu Feb 04 13:49:50 2021 MANAGEMENT: CMD 'log all on'
Thu Feb 04 13:49:50 2021 MANAGEMENT: CMD 'echo all on'
Thu Feb 04 13:49:50 2021 MANAGEMENT: CMD 'bytecount 5'
Thu Feb 04 13:49:50 2021 MANAGEMENT: CMD 'hold off'
Thu Feb 04 13:49:50 2021 MANAGEMENT: CMD 'hold release'
Thu Feb 04 13:49:51 2021 MANAGEMENT: CMD 'username "Auth" "soo"'
Thu Feb 04 13:49:51 2021 MANAGEMENT: CMD 'password [...]'
Thu Feb 04 13:49:51 2021 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Feb 04 13:49:51 2021 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Feb 04 13:49:51 2021 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Thu Feb 04 13:49:51 2021 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Feb 04 13:49:51 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:443
Thu Feb 04 13:49:51 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Feb 04 13:49:51 2021 Attempting to establish TCP connection with [AF_INET]x.x.x.x:443 [nonblock]
Thu Feb 04 13:49:51 2021 MANAGEMENT: >STATE:1612442991,TCP_CONNECT,,,,,,
Thu Feb 04 13:49:52 2021 TCP connection established with [AF_INET]x.x.x.x:443
Thu Feb 04 13:49:52 2021 TCP_CLIENT link local: (not bound)
Thu Feb 04 13:49:52 2021 TCP_CLIENT link remote: [AF_INET]x.x.x.x:443
Thu Feb 04 13:49:52 2021 MANAGEMENT: >STATE:1612442992,WAIT,,,,,,
Thu Feb 04 13:49:52 2021 MANAGEMENT: >STATE:1612442992,AUTH,,,,,,
Thu Feb 04 13:49:52 2021 TLS: Initial packet from [AF_INET]x.x.x.x:443, sid=7e9e0c1d 2ff063b6
Thu Feb 04 13:49:53 2021 VERIFY OK: depth=1, CN=cn_ft8Ph0hTjechqqQz
Thu Feb 04 13:49:53 2021 VERIFY KU OK
Thu Feb 04 13:49:53 2021 Validating certificate extended key usage
Thu Feb 04 13:49:53 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Feb 04 13:49:53 2021 VERIFY EKU OK
Thu Feb 04 13:49:53 2021 VERIFY X509NAME OK: CN=server_3cq71l9glJNwLXjJ
Thu Feb 04 13:49:53 2021 VERIFY OK: depth=0, CN=server_3cq71l9glJNwLXjJ
Thu Feb 04 13:49:53 2021 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit EC, curve: prime256v1
Thu Feb 04 13:49:53 2021 [server_3cq71l9glJNwLXjJ] Peer Connection Initiated with [AF_INET]x.x.x.x:443
Thu Feb 04 13:49:54 2021 MANAGEMENT: >STATE:1612442994,GET_CONFIG,,,,,,
Thu Feb 04 13:49:54 2021 SENT CONTROL [server_3cq71l9glJNwLXjJ]: 'PUSH_REQUEST' (status=1)
Thu Feb 04 13:49:54 2021 AUTH: Received control message: AUTH_FAILED
Thu Feb 04 13:49:54 2021 SIGUSR1[soft,auth-failure] received, process restarting
Thu Feb 04 13:49:54 2021 MANAGEMENT: >STATE:1612442994,RECONNECTING,auth-failure,,,,,
Thu Feb 04 13:49:54 2021 Restart pause, 5 second(s)
Thu Feb 04 13:50:02 2021 MANAGEMENT: Client disconnected
Thu Feb 04 13:50:02 2021 ERROR: could not read Auth username/password/ok/string from management interface
Thu Feb 04 13:50:02 2021 Exiting due to fatal error

View OriginalServer config

proto tcp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_3cq71l9glJNwLXjJ.crt
key server_3cq71l9glJNwLXjJ.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
pull-filter ignore "auth token"
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
client-cert-not-required
script-security 2
#auth-user-pass-verify ldap-check-user.sh via-env

username-as-common-name
#plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
#plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so auth-ldap.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn

/etc/nslcd.conf

Code: Select all

uid nslcd
gid ldap
uri ldap://ActiveDirectory-IP/
base dc=mydomain,dc=local
binddn cn=testopenvpn,dc=OPENVPNAD,dc=local
bindpw password
scope sub
base   group  ou=Users,dc=mydomain,dc=local
base   passwd ou=Users,dc=mydomain,dc=local
base   shadow ou=Users,dc=mydomain,dc=local
bind_timelimit 30
timelimit 30
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(memberOf=cn=vpnusers,ou=Users,dc=mydomain,dc=local)
map    passwd uid              sAMAccountName
filter shadow (&(objectClass=user)(memberOf=cn=vpnusers,ou=Users,dc=mydomain,dc=local)
map    shadow uid              sAMAccountName
tls_reqcert never

/etc/pam.d/openvpn

Code: Select all

#auth      sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
#auth      required    pam_deny.so
#password  sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
#password  required    pam_deny.so

auth required pam_ldap.so
account sufficient pam_permit.so
session required pam_permit.so

Code: Select all

<LDAP>
        #URL             ldap://mydomain.local
        URL              ldap://ActiveDirectory-ip:389
        BindDN          "CN=testopenvpn,CN=Users,DC=mydomain,DC=local"
        Password        password
        Timeout         15
        TLSEnable       no
        # Follow LDAP Referrals (anonymously)
        FollowReferrals no
        # TLS CA Certificate File
        TLSCACertFile   /etc/openvpn/openvpn-ca.crt
</LDAP>
<Authorization>
        BaseDN          "dc=mydomain,dc=local"
        SearchFilter   "(&(sAMAccountName=%u)(memberOf=CN=vpnusers,CN=Users,DC=mydomain,DC=local))"
        RequireGroup    false
</Authorization>

profile.ovpn

View OriginalClient config

client
proto tcp-client
remote x.x.x.x 443
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
remote-cert-tls server
verify-x509-name server_3cq71l9glJNwLXjJ name
auth SHA256
auth-nocache
pull-filter ignore "auth token"
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
#setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

Any idea to solve this issue?
Thank you so much in advance.

[TinCanTech]

Thu Feb 04 13:50:02 2021 ERROR: could not read Auth username/password/ok/string from management interface
Thu Feb 04 13:50:02 2021 Exiting due to fatal error

Are you using the OpenVPN GUI for Windows ?

[sofien]

Yes am using OpenVPN GUI for windows.

[TinCanTech]

OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019

You need to upgrade to OpenVPN 2.5

[sofien]

You mean openvpn server?
How to do that in centos7?

[TinCanTech]

Thu Feb 04 13:49:49 2021 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Thu Feb 04 13:49:49 2021 Windows version 6.2 (Windows 8 or greater) 64bit

You need to upgrade to OpenVPN 2.5

You mean openvpn server?

Does that look like your server log ?

[sofien]

It is from my openVPN GUI log file.

[sofien]

OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019

You need to upgrade to OpenVPN 2.5

Hello TinCanTech,

I upgrade my openVPN GUI to 2.5 but same issue still exist.

Bellow more details
After typing user and password (from user and pass created in AD server)

https://ibb.co/wpDx2Qd


Let me know if you need more details.
Thank you in advance.

[TinCanTech]

AUTH: Recieved control message: AUTH_FAILED

Means your server rejected the user/pass.

[sofien]

So you mean that there's an issue with user or password?
Am sure that credential are correct.
How to know if i success read users from my active directory.

[TinCanTech]

See your server log ...

[sofien]

please find server log:

Code: Select all

Feb  8 09:28:27 localhost openvpn: TCP connection established with [AF_INET]x.x.x.x:1193
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 TLS: Initial packet from [AF_INET]x.x.x.x:1193, sid=84e2ca0a ccc61b32
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 peer info: IV_VER=2.5.0
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 peer info: IV_PLAT=win
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 peer info: IV_PROTO=6
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 peer info: IV_NCP=2
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 peer info: IV_LZ4=1
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 peer info: IV_LZ4v2=1
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 peer info: IV_LZO=1
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 peer info: IV_COMP_STUB=1
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 peer info: IV_COMP_STUBv2=1
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 peer info: IV_TCPNL=1
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 peer info: IV_GUI_VER=OpenVPN_GUI_11
Feb  8 09:28:27 localhost openvpn: LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839)
Feb  8 09:28:27 localhost openvpn: LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839)
Feb  8 09:28:27 localhost openvpn: Unable to bind as CN=soo,OU=Users,DC=openvpnad,DC=local
Feb  8 09:28:27 localhost openvpn: LDAP connect failed.
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 TLS Auth Error: Auth Username/Password verification failed for peer
Feb  8 09:28:27 localhost openvpn: Unable to bind as CN=vpnuser,OU=Users,DC=mydomain,DC=local
Feb  8 09:28:27 localhost openvpn: LDAP connect failed.
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES128-GCM-SHA256
Feb  8 09:28:27 localhost openvpn: 41.231.7.30:1193 Peer Connection Initiated with [AF_INET]x.x.x.x:1193
Feb  8 09:28:28 localhost openvpn: 41.231.7.30:1193 PUSH: Received control message: 'PUSH_REQUEST'
Feb  8 09:28:28 localhost openvpn: 41.231.7.30:1193 Delayed exit in 5 seconds
Feb  8 09:28:28 localhost openvpn: 41.231.7.30:1193 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Feb  8 09:28:28 localhost openvpn: 41.231.7.30:1193 Connection reset, restarting [0]
Feb  8 09:28:28 localhost openvpn: 41.231.7.30:1193 SIGUSR1[soft,connection-reset] received, client-instance restarting

[TinCanTech]

There is some help here:
https://github.com/OpenVPN/openvpn/tree ... s/auth-pam