[SOLVED] OpenVPN LDAP Auth to Azure AD DS

ajftek
OpenVpn Newbie
Posts: 2
Joined: Fri Apr 08, 2022 1:19 pm

[SOLVED] OpenVPN LDAP Auth to Azure AD DS

Post by ajftek » Fri Apr 08, 2022 2:24 pm

I have configured LDAP on my OpenVPN AS to authenticate to Azure Active Directory Domain Services, but keep getting "invalid credentials" error for any user. I have reset the password for the user on Azure AAD and verified the username and password are correct.

Using the Microsoft LDP.exe LDAP tool I can successfully bind and authenticate to Azure AAD DS.

./authcli --user --pass, however, returns an "invalid credentials" error with the same username and password.

Here are the LDAP settings for my OpenVPN AS Server:

Bind DN:
CN=ldapquery, OU=AADDC Users, DC=sec****, DC=com
Password: •••••••••

Base DN for User Entries:
OU=AADDC Users,DC=sec*****,DC=com

Username Attribute:
sAMAccountName


Bind Output
---------Windows utility LDP.exe ---------
CN=LDAP Lookup,OU=AADDC Users,DC=sec***,DC=com
Expanding base 'CN=LDAP Lookup,OU=AADDC Users,DC=sec***,DC=com'...
Getting 1 entries:
Dn: CN=LDAP Lookup,OU=AADDC Users,DC=sec***,DC=com
accountExpires: 9223372036854775807 (never);
cn: LDAP Lookup;
codePage: 0;
countryCode: 0;
displayName: LDAP Lookup;
distinguishedName: CN=LDAP Lookup,OU=AADDC Users,DC=sec***,DC=com;

sAMAccountName: ldapquery;
sAMAccountType: 805306368 = ( NORMAL_USER_ACCOUNT

userPrincipalName: ldapquery@sec***;

-----------bind using LDP.exe------
53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='andrew'; Pwd=<unavailable>; domain = 'sec****.com'}
Authenticated as: 'SEC****\andrew'.
-------------------------------------

-----------simple bind using LDP.exe---------
res = ldap_simple_bind_s(ld, 'andrew@sec***.com', <unavailable>); // v.3
Authenticated as: 'SEC**\andrew'.
-----------

---------------------------------------------authcli----------------
root@openvpn-access-server-6-vm:/usr/local/openvpn_as/scripts# ./authcli --user andrew
API METHOD: authenticate
Password:
AUTH_RETURN
status : COM_FAULT
reason : not well-formed (invalid token): line 12, column 229: web/xmlrpc:470,python2.7/xmlrpclib:1144,python2.7/xmlrpclib:558 (xml.parsers.expat.ExpatError)
user : andrew
root@openvpn-access-server-6-vm:/usr/local/openvpn_as/scripts#
root@openvpn-access-server-6-vm:/usr/local/openvpn_as/scripts#
----------------------------------------end authcli-------
---------debug messages-------

root@openvpn-access-server-6-vm:/usr/local/openvpn_as/scripts# tail -50 /var/log/openvpnas.log


2022-04-08T13:44:32+0000 [stdout#info] 2022-04-08 13:44:32 DEBUG AUTHLDAP: EXTENDED:ldap message sent via <ldaps://ldaps.sec***.com:636 - ssl - user: CN=ldapquery, OU=AADDC Users, DC=sec***, DC=com - not lazy - unbound - open - <local: 10.150.0.7:58214 - remote: 21.**.140.191:636> - tls not started - listening - SyncStrategy - internal decoder>:
2022-04-08T13:44:32+0000 [stdout#info] >>LDAPMessage:
2022-04-08T13:44:32+0000 [stdout#info] >> messageID=34
2022-04-08T13:44:32+0000 [stdout#info] >> protocolOp=ProtocolOp:
2022-04-08T13:44:32+0000 [stdout#info] >> bindRequest=BindRequest:
2022-04-08T13:44:32+0000 [stdout#info] >> version=3
2022-04-08T13:44:32+0000 [stdout#info] >> name=CN=ldapquery, OU=AADDC Users, DC=sec***, DC=com
2022-04-08T13:44:32+0000 [stdout#info] >> authentication=AuthenticationChoice:
2022-04-08T13:44:32+0000 [stdout#info] >> simple=<stripped 20 characters of sensitive data>
2022-04-08T13:44:32+0000 [stdout#info] 2022-04-08 13:44:32 DEBUG AUTHLDAP: NETWORK:sent 90 bytes via <ldaps://ldaps.sec***.com:636 - ssl - user: CN=ldapquery, OU=AADDC Users, DC=sec***, DC=com - not lazy - unbound - open - <local: 10.150.0.7:58214 - remote: 21.**.140.191:636> - tls not started - listening - SyncStrategy - internal decoder>
2022-04-08T13:44:32+0000 [stdout#info] 2022-04-08 13:44:32 DEBUG AUTHLDAP: NETWORK:received 110 bytes via <ldaps://ldaps.sec***.com:636 - ssl - user: CN=ldapquery, OU=AADDC Users, DC=sec***, DC=com - not lazy - unbound - open - <local: 10.150.0.7:58214 - remote: 21.**.140.191:636> - tls not started - listening - SyncStrategy - internal decoder>


2022-04-08T13:44:32+0000 [stdout#info] 2022-04-08 13:44:32 DEBUG AUTHLDAP: NETWORK:received 1 ldap messages via <ldaps://ldaps.sec***.com:636 - ssl - user: CN=ldapquery, OU=AADDC Users, DC=sec***, DC=com - not lazy - unbound - open - <local: 10.150.0.7:58214 - remote: 21.**.140.191:636> - tls not started - listening - SyncStrategy - internal decoder>


2022-04-08T13:44:32+0000 [stdout#info] 2022-04-08 13:44:32 DEBUG AUTHLDAP: EXTENDED:ldap message received via <ldaps://ldaps.sec***.com:636 - ssl - user: CN=ldapquery, OU=AADDC Users, DC=sec***, DC=com - not lazy - unbound - open - <local: 10.150.0.7:58214 - remote: 21.**.140.191:636> - tls not started - listening - SyncStrategy - internal decoder>:
2022-04-08T13:44:32+0000 [stdout#info] <<{'controls': None,
2022-04-08T13:44:32+0000 [stdout#info] << 'messageID': 34,
2022-04-08T13:44:32+0000 [stdout#info] << 'payload': [(0, False, 10, 49),
2022-04-08T13:44:32+0000 [stdout#info] << (0, False, 4, ''),
2022-04-08T13:44:32+0000 [stdout#info] << (0,
2022-04-08T13:44:32+0000 [stdout#info] << False,
2022-04-08T13:44:32+0000 [stdout#info] << 4,
2022-04-08T13:44:32+0000 [stdout#info] << '80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580\x00')],
2022-04-08T13:44:32+0000 [stdout#info] << 'protocolOp': 1}
2022-04-08T13:44:32+0000 [stdout#info] 2022-04-08 13:44:32 DEBUG AUTHLDAP: PROTOCOL:operation result <{'dn': u'', 'saslCreds': None, 'referrals': None, 'description': 'invalidCredentials', 'result': 49, 'message': u'80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580\x00', 'type': 'bindResponse'}> for <ldaps://ldaps.sec***.com:636 - ssl - user: CN=ldapquery, OU=AADDC Users, DC=sec***, DC=com - not lazy - unbound - open - <local: 10.150.0.7:58214 - remote: 21.**.140.191:636> - tls not started - listening - SyncStrategy - internal decoder>
2022-04-08T13:44:32+0000 [stdout#info] 2022-04-08 13:44:32 INFO AUTHLDAP: LDAP invalid credentials on ldaps://ldaps.sec***.com: LDAPInvalidCredentialsResult - 49 - invalidCredentials - None - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580 - bindResponse - None (facility='initialize [ldaps.sec***.com]') (user='andrew')

===========================================end of debug messages=========================
Any help would be appreciated.

Thanks
ajftek
Last edited by ajftek on Fri Apr 08, 2022 3:24 pm, edited 2 times in total.
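As an added example (not part of this post and not OpenVPN's own tooling), a small Python diagnostic that parses the Active Directory bind error out of openvpnas.log lines like the ones quoted above, maps the `data 52e` sub-code to its documented meaning, and reports whose bind failed: the BindRequest `name=` in the debug dump is the configured Bind DN (the service account), not the end user. The service-account heuristic in `diagnose_log` is an assumption about the order in which Access Server binds, and the sample log lines are constructed from the post.

```python
import re

# AD "data" sub-codes carried in AcceptSecurityContext bind errors (hex strings).
AD_BIND_DATA_CODES = {"525": "user not found", "52e": "wrong password for an existing account",
                      "532": "password expired", "533": "account disabled", "701": "account expired",
                      "773": "user must reset password", "775": "account locked out"}
AD_ERR_RE = re.compile(r"(?P<ntstatus>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
                       r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v[0-9A-Fa-f]+")
BIND_NAME_RE = re.compile(r">> name=(?P<dn>.+?)\s*$")   # DN inside the BindRequest dump
END_USER_RE = re.compile(r"\(user='(?P<user>[^']+)'\)")  # end user named on the INFO line

def parse_ad_bind_error(message):
    """Parse one AD diagnostic string into its fields plus a human-readable meaning."""
    m = AD_ERR_RE.search(message)
    if not m:
        return None
    fields = m.groupdict()
    fields["data"] = fields["data"].lower()
    fields["meaning"] = AD_BIND_DATA_CODES.get(fields["data"], "unknown sub-code")
    return fields

def diagnose_log(lines):
    """Walk openvpnas.log lines and report which identity failed to bind, and why."""
    report = {"bind_dn": None, "end_user": None, "error": None, "failing_identity": None}
    for line in lines:
        m = BIND_NAME_RE.search(line)
        if m:
            report["bind_dn"] = m.group("dn")
        if "LDAP invalid credentials" in line:
            u = END_USER_RE.search(line)
            report["end_user"] = u.group("user") if u else None
            report["error"] = parse_ad_bind_error(line)
    if report["bind_dn"] and report["end_user"]:
        # Assumption: AS binds as the configured Bind DN before looking the user up, so a
        # 52e on a DN that is not the end user's points at the Bind DN password, not the login.
        mine = report["end_user"].lower() in report["bind_dn"].lower()
        report["failing_identity"] = "end user" if mine else "service account (Bind DN)"
    return report

# Constructed sample, abridged from the log lines quoted in the post above.
SAMPLE_LOG = [
    "2022-04-08T13:44:32+0000 [stdout#info] >> name=CN=ldapquery, OU=AADDC Users, DC=sec***, DC=com",
    "2022-04-08T13:44:32+0000 [stdout#info] 2022-04-08 13:44:32 INFO AUTHLDAP: LDAP invalid credentials"
    " on ldaps://ldaps.sec***.com: LDAPInvalidCredentialsResult - 49 - invalidCredentials - None -"
    " 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580"
    " - bindResponse - None (facility='initialize [ldaps.sec***.com]') (user='andrew')",
]
```

Running `diagnose_log(SAMPLE_LOG)` on the lines above attributes the 52e to the Bind DN account, which matches the fix in the follow-up post.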


Re: OpenVPN LDAP Auth to Azure AD DS

Post by ajftek » Fri Apr 08, 2022 3:00 pm

I got it working.

I set:

Bind DN: CN=Andrew Francis,OU=AADDC Users,DC=sec****,DC=com
Password: ****** (with the RIGHT password)

Now it works!

--------------------------
root@openvpn-access-server-6-vm:/usr/local/openvpn_as/scripts# ./authcli --user andrew
API METHOD: authenticate
Password:
AUTH_RETURN
status : SUCCEED
session_id : AS_KkgC5JPrqLniDEOz4o79ZA==
reason : LDAP auth succeeded on ldaps://ldaps.sec***.com
expire : 1649433402
user : andrew
proplist : {'prop_deny': 'false', 'prop_autogenerate': 'true'}
root@openvpn-access-server-6-vm:/usr/local/openvpn_as/scripts#

-------------------------------

Cheers,

Ajftek
