AD Authentication Issue

Post by lparetti13 » Sun Sep 24, 2017 5:30 am

Hi everyone,

I am attempting to set up AD authentication with OpenVPN version 2.4.0-6+deb9u1 on Debian 9. I'm honestly new to both Linux and OpenVPN, so you can imagine the haze of Google searches I have stumbled through. While getting more familiar with Linux has been awesome, I am getting frustrated by failure over something that is probably really easy and that I'm overlooking. I must have gone through 5 guides so far trying to get this to work, but they all end up the same way. When I connect my client to the VPN I receive the authentication prompt, but it doesn't matter what I type in; it will let me connect no matter what. I have installed the openvpn-auth-ldap plugin version 2.0.3-6.1.
Here are my configs:

[auth-ldap.conf]
<LDAP>
# LDAP server URL
# the plugin's sample config gives this as a full LDAP URL with a scheme
URL ldap://Name.MYDOMAIN.COM:389

BindDN "CN=username,CN=Users,DC=mydomain,DC=com"

Password "password"

Timeout 15
# no TLS on port 389: the bind password and every user's VPN password cross the network in cleartext
TLSEnable no
FollowReferrals no
</LDAP>

<Authorization>
BaseDN "OU=OUName,DC=mydomain,DC=com"
SearchFilter "(sAMAccountName=%u)"
# no group check: any account under BaseDN that binds successfully is allowed in
RequireGroup false
</Authorization>
--------------------------------------------------------------------------------------------------------
[Server.conf]
local 192.168.80.241
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.80.30"
push "dhcp-option DNS 192.168.80.31"
push "redirect-gateway def1 bypass-dhcp"
crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
tls-auth tls-auth.key 0
dh dh.pem
auth SHA256
cipher AES-128-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
# status writes the connection table, not the daemon log; log-append would write a log file
status openvpn.log
verb 3
#PLUGIN SECTION
#LDAP (Active Directory Authentication) PLUGIN
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/auth-ldap.conf"
---------------------------------------------------------------------------------------------------------------
[client.ovpn]
client
proto udp
remote 192.168.80.241 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-128-CBC
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 4
#AD/PASSWORD AUTHENTICATION
auth-user-pass
auth-nocache
<ca>
-----BEGIN CERTIFICATE-----
-----------------------------------------------------------------------------

I'm still trying to familiarize myself with the various log file locations, but looking at the daemon log I noticed a line relating to the plugin:
PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-ldap.so '[/usr/lib/openvpn/openvpn-auth-ldap.so] [/etc/openvpn/auth/auth-ldap.conf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT

The openvpn.log doesn't show anything related to the AD authentication.
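Added illustration, not code from the post or from the openvpn-auth-ldap plugin: the bind-as-service-account, search, rebind-as-user sequence that the auth-ldap.conf above configures, run against an invented in-memory stand-in for the directory (the Directory class, the DNs, the accounts and the passwords are all made up for the example). It also shows the one pitfall any LDAP password check must handle before it talks to the server: a bind with an empty password is an anonymous bind, which Active Directory accepts by default, so a checker that forwards the empty string "succeeds" for any user.

```python
"""Bind / search / rebind password check in the shape openvpn-auth-ldap's
config describes, run against an in-memory stand-in for the directory.
Added illustration only: the Directory class, the DNs, the accounts and the
passwords below are all invented for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Directory:
    """Tiny stand-in for an AD-style LDAP server (not a real LDAP client).

    It deliberately copies one default AD behaviour: a bind with an empty
    password succeeds as an *anonymous* bind even when the DN names a real
    account. That is the trap a password check has to refuse up front.
    """
    entries: Dict[str, dict]          # dn -> attributes
    anonymous_bind_allowed: bool = True

    def bind(self, dn: str, password: str) -> bool:
        if password == "":
            return self.anonymous_bind_allowed   # anonymous, not authenticated
        entry = self.entries.get(dn)
        return entry is not None and entry["userPassword"] == password

    def search(self, base_dn: str, attr: str, value: str) -> List[str]:
        """DNs under base_dn whose attr equals value (case-insensitive, like AD)."""
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and str(e.get(attr, "")).lower() == value.lower()]


@dataclass
class LdapAuthConfig:
    """The handful of auth-ldap.conf settings the check needs."""
    bind_dn: str
    bind_password: str
    base_dn: str
    search_attr: str = "sAMAccountName"     # SearchFilter "(sAMAccountName=%u)"
    require_group: Optional[str] = None     # RequireGroup false -> None


def authenticate(directory: Directory, cfg: LdapAuthConfig,
                 username: str, password: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one username/password pair."""
    # 1. Never forward an empty password: the server would answer with a
    #    successful anonymous bind and the user would appear authenticated.
    if not password.strip():
        return False, "empty password rejected (would be an anonymous bind)"
    # 2. Bind as the service account named by BindDN / Password.
    if not directory.bind(cfg.bind_dn, cfg.bind_password):
        return False, "service-account bind failed: check BindDN/Password"
    # 3. Resolve the login name to exactly one DN under BaseDN.
    matches = directory.search(cfg.base_dn, cfg.search_attr, username)
    if len(matches) != 1:
        return False, f"expected exactly one entry for {username!r}, got {len(matches)}"
    user_dn = matches[0]
    # 4. The real password check: rebind as the user's own DN.
    if not directory.bind(user_dn, password):
        return False, "user bind failed: wrong password"
    # 5. Optional authorization step (RequireGroup true plus a group DN).
    if cfg.require_group is not None:
        groups = [g.lower() for g in directory.entries[user_dn].get("memberOf", [])]
        if cfg.require_group.lower() not in groups:
            return False, f"{user_dn} is not a member of {cfg.require_group}"
    return True, f"authenticated as {user_dn}"


# Constructed sample directory: service account outside BaseDN, two users in it.
VPN_GROUP = "CN=VPN Users,OU=OUName,DC=mydomain,DC=com"
DIRECTORY = Directory(entries={
    "CN=svc-openvpn,CN=Users,DC=mydomain,DC=com":
        {"sAMAccountName": "svc-openvpn", "userPassword": "svc-secret"},
    "CN=Alice,OU=OUName,DC=mydomain,DC=com":
        {"sAMAccountName": "alice", "userPassword": "correct horse",
         "memberOf": [VPN_GROUP]},
    "CN=Bob,OU=OUName,DC=mydomain,DC=com":
        {"sAMAccountName": "bob", "userPassword": "hunter2"},
})
CONFIG = LdapAuthConfig(bind_dn="CN=svc-openvpn,CN=Users,DC=mydomain,DC=com",
                        bind_password="svc-secret",
                        base_dn="OU=OUName,DC=mydomain,DC=com")
STRICT = LdapAuthConfig(CONFIG.bind_dn, CONFIG.bind_password, CONFIG.base_dn,
                        require_group=VPN_GROUP)

if __name__ == "__main__":
    for cfg_name, cfg in (("RequireGroup false", CONFIG), ("RequireGroup true", STRICT)):
        for user, pw in (("alice", "correct horse"), ("alice", "wrong"),
                         ("alice", ""), ("bob", "hunter2"), ("carol", "x")):
            ok, why = authenticate(DIRECTORY, cfg, user, pw)
            print(f"[{cfg_name}] {user:6} {'ACCEPT' if ok else 'REJECT'}: {why}")
    # What the server itself answers to an empty password for a real DN:
    print("raw empty-password bind for Alice:",
          DIRECTORY.bind("CN=Alice,OU=OUName,DC=mydomain,DC=com", ""))
```

Run it directly to see each case printed. Independently of what the plugin is doing here, two settings in the posted auth-ldap.conf are worth changing anyway: `TLSEnable no` on port 389 sends the service-account password and every user's VPN password across the network in cleartext (use an ldaps:// URL on 636, or `TLSEnable yes`), and `RequireGroup false` lets every enabled account under BaseDN connect, where a dedicated VPN group is the usual least-privilege setting.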
