OpenVPN LDAP Authentication

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
eisenmad
OpenVpn Newbie
Posts: 5
Joined: Sun Jan 07, 2018 8:38 am

OpenVPN LDAP Authentication

Post by eisenmad » Fri Jan 12, 2018 8:38 am

Hello,

I have some problems, probably very easy ones but I am total new to this kind of implementation.

I have to configure an OpenVPN Server on a Raspberry Pi that authenticates against LDAP. I have a little experience with an OpenVPN Server that don't use LDAP. I installed openvpn-auth-ldap and edited auth-ldap.conf.

Code: Select all

<LDAP>
        # LDAP server URL
        URL             ldap://ldap.jumpcloud.com:636

        # Bind DN (If your LDAP server doesn't support anonymous binds)
        # BindDN                uid=Manager,ou=People,dc=example,dc=com

        # Bind Password
        # Password      SecretPassword

        # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        TLSEnable       yes

        # Follow LDAP Referrals (anonymously)
        FollowReferrals yes

        # TLS CA Certificate File
        TLSCACertFile   /usr/local/etc/ssl/ca.pem

        # TLS CA Certificate Directory
        TLSCACertDir    /etc/ssl/certs

        # Client Certificate and key
        # If TLS client authentication is required
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem

        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite        ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
        # Base DN
        BaseDN          "o=BaseDN_I_got_from_the_LDAP_admin,dc=jumpcloud,dc=com"

        # User Search Filter
        #SearchFilter   "(&(uid=%u)(accountStatus=active))"
        SearchFilter    "(&(uid=%u))"

        # Require Group Membership
        RequireGroup    false

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "ou=Groups,dc=example,dc=com"
                SearchFilter    "(|(cn=developers)(cn=artists))"
                MemberAttribute uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>
My OpenVPN server.conf is:

Code: Select all

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.0.1"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf login
client-cert-not-required
I copied my client.ovpn and the ca.crt from the OpenVPN Server to my Windows 10 machine and installed OpenVPN-Gui. Now a connection to the vpn server is working and I could login in the network. Now I have the following questions:

I could login but I didn't have to pass my LDAP user und password for login. The LDAP admin made a test account for me. How to validate this?

And is it normal that you could login without any user and password? All I did was copying the client.ovpn and ca.crt to the config folder of OpenVPN-Gui.

Do I have to change the ownership of the /etc/openvpn folder und subfolders? At the moment root owns it.

Thanks for help and greetings

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4165
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN LDAP Authentication

Post by TinCanTech » Fri Jan 12, 2018 11:45 am

Check your server log for information about your login.

eisenmad
OpenVpn Newbie
Posts: 5
Joined: Sun Jan 07, 2018 8:38 am

Re: OpenVPN LDAP Authentication

Post by eisenmad » Fri Jan 12, 2018 3:32 pm

Hi
I have no access to the LDAP server.
Greetings

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4165
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN LDAP Authentication

Post by TinCanTech » Fri Jan 12, 2018 4:12 pm

Contact your network administrator.

eisenmad
OpenVpn Newbie
Posts: 5
Joined: Sun Jan 07, 2018 8:38 am

Re: OpenVPN LDAP Authentication

Post by eisenmad » Fri Jan 12, 2018 4:45 pm

Okay, I wil ask him. If it works, I see the OpenVPN Raspberry Pi in the log? But with what Credentials? I got a test user and password and I didn't write them anywhere. Shouldn't be there some kind of login? A login window at the OpenVPN-Gui client?

Thanks and greetings

eisenmad
OpenVpn Newbie
Posts: 5
Joined: Sun Jan 07, 2018 8:38 am

Re: OpenVPN LDAP Authentication

Post by eisenmad » Mon Jan 15, 2018 6:51 am

eisenmad wrote:
Fri Jan 12, 2018 4:45 pm
I got a test user and password and I didn't write them anywhere. Shouldn't be there some kind of login? A login window at the OpenVPN-Gui client?
Has someone an answer to this question please?

Greetings

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4165
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN LDAP Authentication

Post by TinCanTech » Mon Jan 15, 2018 11:36 am

Check your openvpn server log for information.

Also post your client config.

eisenmad
OpenVpn Newbie
Posts: 5
Joined: Sun Jan 07, 2018 8:38 am

Re: OpenVPN LDAP Authentication

Post by eisenmad » Sun Feb 04, 2018 10:35 am

Hi

I wrote to the admin. Still waiting on an answer :(

For using OpenVPN-Gui I have a ca.crt and this client.ovpn

cli

client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote RaspberryPiAddress 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDKzCCAhOgAwIBAgIJANzXvIiNbvXMMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
BAMMCENoYW5nZU1lMB4XDTE4MDEwNzExMzM0MVoXDTI4MDEwNTExMzM0MVowEzER
MA8GA1UEAwwIQ2hhbmdlTWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDW8XWHhjXOzCf8MKOd+4IOkaeIhbTck/1sC/J+aJcC30D1VI0CUsdYeeTKGJv3
p7rS7rI73gNbz8BIIlFk4aQSBA2+CR74M0kuf3eOFv+mJZo+ZC/sl+AoprqwY7h7
EAgqhkNXxkSxDF40u0KFk+8Jig5aHCxoTn+tz+7bNhIlkZHxa0IR6I8Ip9ow5M6z
VbErR+3JvTGXMqFwpHXbBD9hOa+vIEck9n5KOVBdPfhkYcJZu7jWFYf0gpOfeDnO
nYd2yxuLxABn4eRgR8XjfPNDqg+kwZB6woABwTJOerPjGif4+zEQRrpuDf3u0OpR
Q7nXkanNeTid+SS/ZwLA3b93AgMBAAGjgYEwfzAdBgNVHQ4EFgQUqYM+FNINbpMR
7pyKvZwc7u1nWR0wQwYDVR0jBDwwOoAUqYM+FNINbpMR7pyKvZwc7u1nWR2hF6QV
MBMxETAPBgNVBAMMCENoYW5nZU1lggkA3Ne8iI1u9cwwDAYDVR0TBAUwAwEB/zAL
BgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAHoPHPNQjwQjxHC7jWF81nWF
mkvORdrN47eWb0ofZ2D/9aF68Lp2zrn+uNcl8OZsxUXjwJsKUpqy8R6FBBa48jBD
uFyVTBh0PtKmpZf4BhtrK61poFijD/orDdno3l1RnTjicn3LyPVYQvRRFdkiRD5e
rkV6H6/nJb4jCfJzN+k0hkwMGcoMxV09SxxYwALzO1PwmEFv4ugjwWarUn6BVkz/
rXJOkrjAZaF4avDfVjRAIoVrLKBfskN9eZu1+e0xsUJBbx7xBzKQfhm+JjHo8c97
UgKF5R4x6/5e6unL8J174YnwUa5n6jV3CGqxWwgaobfjbqPu5+xHnLXWfMJOrhE=
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=ChangeMe
Validity
Not Before: Jan 7 12:45:39 2018 GMT
Not After : Jan 5 12:45:39 2028 GMT
Subject: CN=client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:af:6e:96:a0:3d:0f:3d:72:c3:bf:a1:08:92:2e:
af:54:72:1f:92:bf:ea:25:3b:84:28:f1:cc:cd:d4:
a0:bd:5b:49:f4:75:87:f2:5a:b9:65:a8:35:e7:a9:
18:3e:b8:91:89:68:5d:61:8d:c9:2a:f1:ba:f3:25:
1d:e9:e5:93:54:d7:9a:4f:65:86:8e:6d:49:1f:dd:
34:2c:6e:09:cc:5a:ac:d8:10:17:d7:ae:b9:43:7a:
65:4e:05:ed:cb:93:f2:c7:41:54:8c:e4:79:28:e3:
8d:6f:7d:80:c3:0d:1a:02:8b:98:c1:21:c4:34:a6:
da:9d:07:f0:a6:49:4f:e2:51:cc:1f:df:2b:5d:5f:
93:94:fa:cc:46:61:c8:92:28:6d:24:df:0e:fc:b5:
79:5f:30:ee:54:3f:a5:5e:9c:24:a4:ff:f4:02:57:
75:2d:77:e1:8c:c9:3f:3d:53:c9:ce:9d:e8:2e:90:
03:b9:1d:a2:00:76:87:d1:c0:bd:49:5a:e3:97:9c:
86:17:95:8b:1f:83:ac:bc:cb:d7:3f:0b:89:f0:0c:
22:f5:4e:7a:cf:d0:42:7a:44:9f:54:4f:5b:f7:35:
51:60:08:47:e7:82:eb:9d:e0:65:62:9c:5c:86:27:
d5:b6:c1:8e:d0:9f:86:86:23:c3:e7:65:76:18:2c:
94:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
52:83:38:A6:1B:14:76:EF:3B:43:3F:37:84:D8:22:12:4C:6D:87:C5
X509v3 Authority Key Identifier:
keyid:A9:83:3E:14:D2:0D:6E:93:11:EE:9C:8A:BD:9C:1C:EE:ED:67:59:1D
DirName:/CN=ChangeMe
serial:DC:D7:BC:88:8D:6E:F5:CC

X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
89:bf:80:88:52:dc:28:b5:18:bc:dd:33:9b:a5:98:9d:8f:bd:
1d:cd:b3:45:81:21:73:46:53:d7:46:0e:d9:42:98:de:70:22:
e8:d8:23:1d:53:74:8b:ac:a0:48:7c:7a:00:f8:5f:56:55:ce:
8f:af:36:9b:51:5a:18:b3:5b:d8:c9:7c:31:df:0f:82:e7:7d:
16:08:d6:7c:6b:a9:84:4c:3c:81:14:6f:58:c0:8e:a9:4d:83:
e3:8e:98:95:d1:ad:e4:41:06:eb:f7:e7:c9:e4:55:eb:d4:89:
11:f3:1b:01:d2:91:00:a9:e7:57:e5:eb:6a:75:52:6d:e5:9e:
fe:52:d5:f5:25:3f:7d:e0:4e:97:f2:ea:13:d5:63:21:f5:cd:
6b:4f:cb:4e:7e:d8:4a:46:6f:57:ae:45:e9:8f:4e:76:2f:46:
d2:1e:f3:2c:c8:44:43:d3:9a:8a:97:ec:00:92:c9:bf:5f:e0:
67:73:a6:9c:09:a0:ad:c9:2e:d4:bb:d6:31:16:7b:79:5c:0c:
50:e9:f1:07:ac:e4:5c:a9:10:78:b1:6f:7a:a7:e5:d2:33:85:
96:83:69:d2:fb:2f:4a:0a:92:c9:e4:12:95:91:c2:1e:e5:85:
52:22:e8:c1:f8:65:ba:76:9e:48:31:92:1c:5a:3a:45:70:11:
61:b6:ca:82
-----BEGIN CERTIFICATE-----
MIIDPDCCAiSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhDaGFu
Z2VNZTAeFw0xODAxMDcxMjQ1MzlaFw0yODAxMDUxMjQ1MzlaMBkxFzAVBgNVBAMM
DmNsaWVudEZ1bmRGbG93MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
r26WoD0PPXLDv6EIki6vVHIfkr/qJTuEKPHMzdSgvVtJ9HWH8lq5Zag156kYPriR
iWhdYY3JKvG68yUd6eWTVNeaT2WGjm1JH900LG4JzFqs2BAX1665Q3plTgXty5Py
x0FUjOR5KOONb32Aww0aAouYwSHENKbanQfwpklP4lHMH98rXV+TlPrMRmHIkiht
JN8O/LV5XzDuVD+lXpwkpP/0Ald1LXfhjMk/PVPJzp3oLpADuR2iAHaH0cC9SVrj
l5yGF5WLH4OsvMvXPwuJ8Awi9U56z9BCekSfVE9b9zVRYAhH54LrneBlYpxchifV
tsGO0J+GhiPD52V2GCyUywIDAQABo4GUMIGRMAkGA1UdEwQCMAAwHQYDVR0OBBYE
FFKDOKYbFHbvO0M/N4TYIhJMbYfFMEMGA1UdIwQ8MDqAFKmDPhTSDW6TEe6cir2c
HO7tZ1kdoRekFTATMREwDwYDVQQDDAhDaGFuZ2VNZYIJANzXvIiNbvXMMBMGA1Ud
JQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEA
ib+AiFLcKLUYvN0zm6WYnY+9Hc2zRYEhc0ZT10YO2UKY3nAi6NgjHVN0i6ygSHx6
APhfVlXOj682m1FaGLNb2Ml8Md8Pgud9FgjWfGuphEw8gRRvWMCOqU2D446YldGt
5EEG6/fnyeRV69SJEfMbAdKRAKnnV+XranVSbeWe/lLV9SU/feBOl/LqE9VjIfXN
a0/LTn7YSkZvV65F6Y9Odi9G0h7zLMhEQ9OaipfsAJLJv1/gZ3OmnAmgrcku1LvW
MRZ7eVwMUOnxB6zkXKkQeLFveqfl0jOFloNp0vsvSgqSyeQSlZHCHuWFUiLowfhl
unaeSDGSHFo6RXARYbbKgg==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCvbpagPQ89csO/
oQiSLq9Uch+Sv+olO4Qo8czN1KC9W0n0dYfyWrllqDXnqRg+uJGJaF1hjckq8brz
JR3p5ZNU15pPZYaObUkf3TQsbgnMWqzYEBfXrrlDemVOBe3Lk/LHQVSM5Hko441v
fYDDDRoCi5jBIcQ0ptqdB/CmSU/iUcwf3ytdX5OU+sxGYciSKG0k3w78tXlfMO5U
P6VenCSk//QCV3Utd+GMyT89U8nOnegukAO5HaIAdofRwL1JWuOXnIYXlYsfg6y8
y9c/C4nwDCL1TnrP0EJ6RJ9UT1v3NVFgCEfnguud4GVinFyGJ9W2wY7Qn4aGI8Pn
ZXYYLJTLAgMBAAECggEAeDIG1YbAOFO3NkY4vx9pVSxT4ZHH9PaQGBWDQssZzmML
iog0OqJaQAI93JkIWYDPhhuRT1N7rwasFgcqNaTriselnBxtUowh+8jtBDvoTrEZ
l3d/PnEh0c+8NPbu8/pL7qUeLuIi+RbfQrH0VK9XUMMgR8LA0Wo4gjp8cRHtv5sz
97y8CsUVCCYBL4d75Pt6uzCrPIbH6b3EZvg25PtYnewB1kaSE7btlQ6ooa0ShUJc
uwtFYjLZmuYNPtVl6RrbkMOtuqqwXXzX5sgc62TDOP/fxucwbXAFWyhFho+yWNnY
WD0LAnBM76VzEP78IvEply1DYLDPlGaqMOBp9X3ZIQKBgQDnudzqBRcytmMsYfoB
BfYpfYMuweAdeQqmwFZfNRRZsScbv6mRl07wkiuebZG4yezwQ5ntyg1P7v0xu7OY
uc9XlAeDc5BWCFRKaFReeP0nTmCgkRlbW7zosvgNeRF1d49ACG/p3GEOEyQsHxhL
Pk+Ohx1KMFDyF3qPeJa+6R0omQKBgQDBzxpIJMVOeFbTzK8j6uMe0cqarbEbiiqf
iIck3Br38471DOnjNWoZj5nSTAaA+om1lLBpzZWYbH3W6GRBJ9WAHKBjJoJp30tE
V91VPvW6tOZgaD/7YiXryD9lVfvir+FyGq+ZSHKzupb9d0Wkpf0g1lH1+4+be8ud
URDnJ7fTAwKBgQCy9Sp0HOxWgN7EZwJBig4a6tDF6nqfqFwefcn2izKlNhgi6PkW
9EjFp81B9BKnKGLxBvQ43WM8iTBHGVPRLia/1xWaYkRk/NfEAyCtOTkhAvnC52wy
zv1spNLG7Oob0vLxm9J6RHU7/nJgFL+ZVIzyYMyw//FzlchURuf8lmGreQKBgAW/
tu/c511khG7T634NQZ9waaoc7Nv8RTdmPVwCi2o/d0Ydk/KBaxxG/jEWwDqjM+KG
/pSk3IMg9LqjOhYUsGiUcM2AHu41CW6FjLMyoude5laFwSAb0TQlRHwlCMu4m99e
m0bYt05Ngp0SJKa1pcSLlvLM+32JNoj8FpxEuVcxAoGBAJWaYgcAR1liIRsFSVgU
ssfh7GnQgdFXy5V0vVWmbdt0gPMet2X+nne5+ccysPR6RZAhtTh1sC7gHs1FPska
ZMuiFdfeJ+doL5Rl9j5JEtdqD9vphyseHjFoFmmOpi93mqMO1K9OYncLj5UHkGKV
KiopDoQQdXAa26ovqzKZ/m8P
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
a60b45f2d254ddefccfd456555535cd9
8ba1df866f23cd736cb3f7d8d50a773f
f26f32307cdfcd11fb358e826f6e4584
c0d95063b8e40052257b4ff5231fab15
06508578c9d02518ab82c08ae3890338
394753fa667d12d2612d77a5c64d2f8c
384049342775c18ec626eee3f2a15d92
4c59d01b71819c51957b0c1d2198336f
ee0624ed83c8bd3909eeaf022806a98a
c74d517e6467ad554d8c28579981b814
102b8a06a6ce7a3471dd7ed951e08706
56e16f54c289f8eb0a2f4fb04b0d8cbc
f1feffd332ea01bdccdce98d00155dc5
d6bb74256384dfaf9dacbfe3c36a8018
a852583d352ac9d4bca554b2269ac8a6
51d7982c5ada60b219366f449f5f69c7
-----END OpenVPN Static key V1-----
</tls-auth>



Is this client.ovpn okay?

Thanks and greetings

Post Reply