openvpn + openldap + google-otp trouble

url-eason
OpenVpn Newbie
Posts: 1
Joined: Wed Apr 11, 2018 3:52 am

openvpn + openldap + google-otp trouble

Post by url-eason » Wed Apr 11, 2018 3:57 am

Hello Guys

Below is my openvpn server and client configuration.
When I set up openvpn + openldap or openvpn + google-otp, openvpn could be connected.
But now I want to configure it to connect with openvpn + openldap + google-otp,
and the log shows "LDAP bind failed: Invalid credentials", "OTP-AUTH: authentication failed for username",
"TLS Auth Error: Auth Username/Password verification failed for peer".
Does anyone have the same trouble?
Or is my configuration wrong somewhere?
Please give me some help.
Thanks.

########server.conf

local 172.16.1.2
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
##openvpn with ldap auth
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
client-cert-not-required
username-as-common-name
##openvpn with otp auth
plugin /usr/lib64/openvpn/plugins/openvpn-otp.so "password_is_cr=0 otp_secrets=/root/.user.google_authenticator"
reneg-sec 0

##########################ldap.conf
<LDAP>
URL ldap://172.16.1.3
BindDN cn=Manager,dc=mail,dc=xyz,dc=com,dc=tw
Password myp@ssw0rd
Timeout 15
TLSEnable no
FollowReferrals yes
</LDAP>


<Authorization>
BaseDN "dc=mail,dc=xyz,dc=com,dc=tw"
SearchFilter "(uid=%u)"
RequireGroup false
</Authorization>



############client.conf
client
dev tun
proto udp
remote 172.16.1.2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca xxxx-ca.crt
dh xxxx-dh1024.pem
auth-nocache
ns-cert-type server
comp-lzo
verb 3

###ldap use
auth-user-pass
auth-nocache

# use Google Authenticator OTP
static-challenge "Enter Google Authenticator Token" 0
reneg-sec 0


##############openvpn.log
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 TLS: Initial packet from [AF_INET]172.16.1.11:56709, sid=e87d641b 28440b75
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 peer info: IV_VER=2.4.4
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 peer info: IV_PLAT=win
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 peer info: IV_PROTO=2
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 peer info: IV_NCP=2
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 peer info: IV_LZ4=1
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 peer info: IV_LZ4v2=1
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 peer info: IV_LZO=1
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 peer info: IV_COMP_STUB=1
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 peer info: IV_COMP_STUBv2=1
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 peer info: IV_TCPNL=1
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 peer info: IV_GUI_VER=OpenVPN_GUI_11
LDAP bind failed: Invalid credentials
Incorrect password supplied for LDAP DN "cn=user@mydomain.com.tw,dc=mail,dc=xyz,dc=com,dc=tw".
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
OTP-AUTH: authentication failed for username 'user@mydomain.com.tw', remote 172.16.1.11:56709
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-otp.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-otp.so
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Mon Apr 9 18:05:08 2018 172.16.1.11:56709 Peer Connection Initiated with [AF_INET]172.16.1.11:56709
Mon Apr 9 18:05:09 2018 172.16.1.11:56709 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 9 18:05:09 2018 172.16.1.11:56709 Delayed exit in 5 seconds
Mon Apr 9 18:05:09 2018 172.16.1.11:56709 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Mon Apr 9 18:05:15 2018 172.16.1.11:56709 SIGTERM[soft,delayed-exit] received, client-instance exiting
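Added illustration, not code from the original post or from either plugin: with `static-challenge` in the client config, OpenVPN transmits the password field as `SCRV1:<base64 password>:<base64 response>` instead of the raw password, so any plugin that does not decode that form sees the whole encoded string as the password. The Python below is a hypothetical auth-user-pass-verify helper that splits the field, checks the response as an RFC 6238 TOTP (the scheme Google Authenticator implements) and only then returns the plain password for an LDAP bind; any secret or SCRV1 value used with it is constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

def parse_scrv1(password_field):
    """Split SCRV1:<base64 password>:<base64 response> into (password, response).

    Raises ValueError for anything else (e.g. a plain password), so the caller
    decides explicitly what to do with non-challenge logins."""
    parts = password_field.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        raise ValueError("not an SCRV1 challenge/response field")
    try:
        password = base64.b64decode(parts[1], validate=True).decode("utf-8")
        response = base64.b64decode(parts[2], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed SCRV1 encoding") from exc
    return password, response

def totp_code(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the defaults Google Authenticator uses."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret_b32, response, unix_time=None, window=1, step=30):
    """True if `response` matches the current step or one within +/- window."""
    if unix_time is None:
        unix_time = time.time()
    for delta in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + delta * step, step)
        # constant-time compare; encode so a non-ASCII response cannot raise
        if hmac.compare_digest(expected.encode(), response.encode()):
            return True
    return False

def ldap_password_after_otp(password_field, secret_b32, unix_time=None, window=1):
    """Return the plain password to bind to LDAP with, or None if the OTP half
    is wrong, so a bad token never causes an LDAP bind attempt at all."""
    password, response = parse_scrv1(password_field)
    if not verify_totp(secret_b32, response, unix_time, window):
        return None
    return password
```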

apant
OpenVpn Newbie
Posts: 1
Joined: Sun Jul 26, 2020 4:01 pm

Re: openvpn + openldap + google-otp trouble

Post by apant » Sun Jul 26, 2020 4:04 pm

I have exactly the same problem. Did you find a solution ?

Altheus
OpenVpn Newbie
Posts: 6
Joined: Thu Jul 15, 2021 12:22 pm

Re: openvpn + openldap + google-otp trouble

Post by Altheus » Thu Jul 22, 2021 1:18 pm

I know this is an elderly post but I am also having this problem, did either of you find a solution?
