LDAP server letting anything in

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Altheus
OpenVpn Newbie
Posts: 6
Joined: Thu Jul 15, 2021 12:22 pm

LDAP server letting anything in

Post by Altheus » Mon Jul 19, 2021 1:46 pm

Hi, I am trying to build openvpn with LDAP and google authenticator, both of which will need a correct authentication to let people in.

I'm trying to work through this, step by step and I'm getting problems with the LDAP configuration.

Somehow, this server will let me on irrespective of what I type as the password in the client.

Code:

<LDAP>
        URL             "ldaps://ldaps.########.###"
        BindDN          "openvpnldap@#######.###"
        Password        "##############"
        Timeout         60
        # TLSEnable controls StartTLS; the ldaps:// URL already gives TLS on connect
        TLSEnable       no
        FollowReferrals yes
        TLSCACertDir    /etc/ssl/certs
</LDAP>
<Authorization>
        PasswordIsCR    true
        BaseDN          "OU=AADDC Users,DC=olmgroup,DC=com"
        SearchFilter    "(mail=%u)"
        RequireGroup    false
</Authorization>
My server.conf file looks like this:

Code:

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
cipher AES-256-CBC
auth SHA512
server 10.8.0.0 255.255.255.0
push "route 10.160.0.0 255.255.0.0"
#push "route 10.160.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
status-version 2
verb 4
reneg-sec 36000
tls-server
tmp-dir "/etc/openvpn/tmp/"
# first factor: LDAP bind via openvpn-auth-ldap, configured in ldap.config
plugin /usr/lib/openvpn/openvpn-auth-ldap.so ldap.config
# second factor: openvpn-otp, told the password field carries a challenge-response value
plugin /usr/lib/openvpn/openvpn-otp.so "debug=1 password_is_cr=1 otp_secrets=/etc/openvpn/auth/otp-secrets"
log-append /var/log/openvpn/openvpn.log
#duplicate-cn
# also set above with a relative path
ifconfig-pool-persist "/etc/openvpn/ipp.txt"
management localhost 5555
username-as-common-name
I'm sure I'm missing something silly, but none of the documentation I can find will tell me what I should be doing in this situation.
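The setup this post describes (an LDAP bind plus a Google Authenticator code, with the OTP carried in the same password field via OpenVPN's static challenge format) as an added Python example; it is not code from the post or from either plugin. It splits the SCRV1:<base64 password>:<base64 otp> field that password_is_cr=1 tells the plugins to expect, checks the first factor against a constructed stand-in directory, checks the second as an RFC 6238 TOTP, and fails closed on anything empty or malformed. The directory, the OTP seed, the user name and all function names are assumptions; a real deployment replaces ldap_bind with a simple bind against the ldaps:// server.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed stand-in for the directory: user -> password. The real plugin binds
# to the ldaps:// server with the user's DN and the first factor. (Assumption.)
FAKE_DIRECTORY = {
    "alice@example.com": "correct horse battery staple",
}

# Constructed stand-in for the otp_secrets file: user -> base32 TOTP seed. (Assumption.)
FAKE_OTP_SECRETS = {
    "alice@example.com": "JBSWY3DPEHPK3PXP",
}

TOTP_STEP = 30


def split_scrv1(field):
    """Split OpenVPN's static-challenge password field 'SCRV1:<b64 password>:<b64 otp>'.

    Returns (password, otp), or None when the field is malformed. A malformed field
    is an authentication failure; it must never be read as 'no OTP required'.
    """
    parts = field.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        return None
    try:
        password = base64.b64decode(parts[1], validate=True).decode("utf-8")
        otp = base64.b64decode(parts[2], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return password, otp


def encode_scrv1(password, otp):
    """What the OpenVPN client sends when static-challenge is in use."""
    return "SCRV1:%s:%s" % (
        base64.b64encode(password.encode("utf-8")).decode("ascii"),
        base64.b64encode(otp.encode("utf-8")).decode("ascii"),
    )


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator implements."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def ldap_bind(username, password):
    """Stand-in for the LDAP bind. True only for a successful simple bind.

    An empty password is refused explicitly: many directories treat a bind with an
    empty password as an anonymous bind that 'succeeds', which is one classic way an
    LDAP-backed VPN ends up letting anyone in.
    """
    if not password:
        return False
    return FAKE_DIRECTORY.get(username) == password


def verify(username, field, now=None, window=1):
    """Fail-closed two-factor check: LDAP bind AND a TOTP within +/- window steps.

    Every early return is False; the only path to True requires both factors.
    """
    if now is None:
        now = int(time.time())
    split = split_scrv1(field)
    if split is None:
        return False
    password, otp = split
    if not ldap_bind(username, password):
        return False
    secret = FAKE_OTP_SECRETS.get(username)
    if secret is None:
        return False
    for delta in range(-window, window + 1):
        expected = totp(secret, now + delta * TOTP_STEP)
        # compare as bytes so a non-ASCII OTP from a client cannot raise instead of failing
        if hmac.compare_digest(expected.encode("utf-8"), otp.encode("utf-8")):
            return True
    return False
```

The shape to keep is that verify has exactly one way to return True. A plugin or auth script that treats "could not parse the password" or "bind returned nothing" as anything other than a failure is how a server ends up accepting every password.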

Altheus

Re: LDAP server letting anything in

Post by Altheus » Tue Jul 20, 2021 8:10 am

I've found something important while going through the logs:

Auth-LDAP Configuration Error: PasswordIsCR key is unknown

So, it looks like that line from ldap.conf is where the problem is. With that commented out the server will let anything in, but the server doesn't know what it does.

I'd guess this has been superseded by something else in the current version of the openvpn-ldap-auth package but can anyone tell me how to require a password for ldap authentication?
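A pre-restart check for the plugin's config file, added here as an example rather than anything the plugin or the poster provides. It parses the <Section> key value </Section> layout, reports keys the section does not know (which is what the plugin logged for PasswordIsCR), and warns when a plain ldap:// URL is used without TLSEnable, since the bind password and every user's password would then cross the network in cleartext. The KNOWN_KEYS table is reconstructed from the example config that ships with upstream openvpn-auth-ldap and is an assumption; a fork that adds keys needs it extended. The sample config is constructed, with placeholder hosts and DNs in place of the redacted ones.

```python
import re

# Assumption: keys documented in the upstream auth-ldap.conf example, per section.
KNOWN_KEYS = {
    "LDAP": {"URL", "BindDN", "Password", "Timeout", "TLSEnable", "FollowReferrals",
             "TLSCACertFile", "TLSCACertDir", "TLSCertFile", "TLSKeyFile", "TLSCipherSuite"},
    "Authorization": {"BaseDN", "SearchFilter", "RequireGroup", "PFTable"},
    "Group": {"BaseDN", "SearchFilter", "MemberAttribute", "PFTable"},
}

# Constructed sample in the plugin's layout; example.com values stand in for the redacted ones.
SAMPLE = """
<LDAP>
        URL             "ldaps://ldaps.example.com"
        BindDN          "openvpnldap@example.com"
        Password        "bind-password"
        Timeout         60
        TLSEnable       no
        FollowReferrals yes
        TLSCACertDir    /etc/ssl/certs
</LDAP>
<Authorization>
        PasswordIsCR    true
        BaseDN          "OU=AADDC Users,DC=example,DC=com"
        SearchFilter    "(mail=%u)"
        RequireGroup    false
</Authorization>
"""

_OPEN = re.compile(r"^<(\w+)>$")
_CLOSE = re.compile(r"^</(\w+)>$")


def parse_auth_ldap(text):
    """Return [(section, key, value)] for every directive; ValueError on bad nesting."""
    stack, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # full-line comments only
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(m.group(1))
            continue
        m = _CLOSE.match(line)
        if m:
            if not stack or stack[-1] != m.group(1):
                raise ValueError("unbalanced section tag: %s" % line)
            stack.pop()
            continue
        if not stack:
            raise ValueError("directive outside any section: %s" % line)
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        entries.append((stack[-1], key, value))
    if stack:
        raise ValueError("unclosed section <%s>" % stack[-1])
    return entries


def lint(text):
    """Findings worth fixing before pointing OpenVPN at this file. Empty list = clean."""
    findings = []
    entries = parse_auth_ldap(text)
    for section, key, _ in entries:
        allowed = KNOWN_KEYS.get(section)
        if allowed is None:
            findings.append("unknown section <%s>" % section)
        elif key not in allowed:
            # the plugin reports this as 'Auth-LDAP Configuration Error: <key> key is unknown'
            findings.append("%s: %s key is unknown" % (section, key))
    ldap = {k: v for s, k, v in entries if s == "LDAP"}
    url = ldap.get("URL", "")
    if not url:
        findings.append("LDAP: URL missing")
    if url.startswith("ldap://") and ldap.get("TLSEnable", "no").lower() != "yes":
        findings.append("LDAP: plain ldap:// without TLSEnable yes sends bind and user "
                        "passwords in cleartext")
    if "BindDN" in ldap and not ldap.get("Password"):
        findings.append("LDAP: BindDN set without Password (bind would be unauthenticated)")
    return findings
```

Run lint over the real file before restarting the service; a non-empty list is a reason not to, since a plugin that rejects its own configuration is not the one doing the authentication.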

Altheus

Re: LDAP server letting anything in

Post by Altheus » Tue Jul 20, 2021 11:20 am

The answer to this one was

verify-client-cert none

added to the server.conf file, I was trying to use a deprecated bit of config.

Also, PasswordIsCR true is obsolete and shouldn't be used anymore.
