OpenVPN authentication via Active Directory

hack3rcon
OpenVpn Newbie
Posts: 15
Joined: Sun Feb 28, 2021 2:44 pm

OpenVPN authentication via Active Directory

Post by hack3rcon » Thu Sep 07, 2023 10:36 am

Hello,
I installed the openvpn-auth-ldap package and I want to use the Active Directory for authentication.
I opened the Active Directory Users and Computers application on Windows, clicked the View menu and selected Advanced Features. After that, I right-clicked on my username, selected Properties, then clicked the Object tab and found the following information:

megaman.xyz/Informatic/Network/Central Office/Jason Long
I right-clicked in the Active Directory Users and Computers application, selected Properties, then clicked the Attribute Editor tab and found the distinguishedName attribute:

CN=NTDS Settings,CN=DC2-MainBranch,CN=Servers,CN=MainBranch,CN=Sites,CN=Configuration,DC=megaman,DC=xyz
I edited the auth-ldap.conf file as below:

<LDAP>
    URL         ldap://DC2-MainBranch.megaman.xyz
    BindDN      "CN=DC2-MainBranch,OU=Informatic/Network/Central Office,DC=megaman,DC=xyz"
    Password    MY_AD_Password
    Timeout     15
    TLSEnable    no
    FollowReferrals no
</LDAP>
<Authorization>
    BaseDN        "OU=Informatic/Network/Central Office,dc=megaman,dc=xyz"
    SearchFilter  "(samaccountname=%u)"
    RequireGroup    false
    <Group>
        BaseDN          "CN=DC2-MainBranch,OU=Informatic/Network/Central Office,DC=megaman,DC=xyz"
        SearchFilter  "(samaccountname=%u)"
        MemberAttribute    uniqueMember
    </Group>
</Authorization>
I started OpenVPN, and when I tried to connect to my server, the client showed me a "Wrong credentials. Try again..." error.
I checked the OpenVPN log and it showed me the following error:

Unable to bind as CN=DC2-MainBranch,OU=Informatic/Network/Central Office,DC=megaman,DC=xyz
LDAP connect failed.
2023-09-02 02:25:39 10.0.2.16:56792 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2023-09-02 02:25:39 10.0.2.16:56792 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
2023-09-02 02:25:39 10.0.2.16:56792 TLS Auth Error: Auth Username/Password verification failed for peer
2023-09-02 02:25:39 10.0.2.16:56792 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-09-02 02:25:39 10.0.2.16:56792 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
2023-09-02 02:25:39 10.0.2.16:56792 Delayed exit in 5 seconds
2023-09-02 02:25:39 10.0.2.16:56792 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
2023-09-02 02:25:39 10.0.2.16:56792 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
2023-09-02 02:25:39 10.0.2.16:56792 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
2023-09-02 02:25:39 10.0.2.16:56792 Peer Connection Initiated with [AF_INET]10.0.2.16:56792
2023-09-02 02:25:41 read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
2023-09-02 02:25:44 10.0.2.16:56792 SIGTERM[soft,delayed-exit] received, client-instance exiting
To check LDAP, I used the following command, and it can see my Active Directory:

# ldapsearch -H ldap://172.20.1.7 -D "jason@megaman.xyz" -W
How to solve it?

Thank you.

RemoteOne
OpenVPN User
Posts: 34
Joined: Wed Sep 18, 2019 10:11 am

Re: OpenVPN authentication via Active Directory

Post by RemoteOne » Thu Oct 12, 2023 2:29 pm

I have not used the openvpn-auth-ldap package, so I cannot be 100% sure of my answer, but:

In auth-ldap.conf you mention
URL ldap://DC2-MainBranch.megaman.xyz
BindDN "CN=DC2-MainBranch,OU=Informatic/Network/Central Office,DC=megaman,DC=xyz"

The BindDN looks to be a computer name. I am pretty sure it should be a user with permission to search the BaseDN.

By the way, I would recommend you look at using nss-pam-ldap instead, which will allow you to configure google-authenticator as an extra layer of security for your connections.
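Putting RemoteOne's point into a complete configuration, the following is an added example auth-ldap.conf for openvpn-auth-ldap against Active Directory; it is not from either poster or from the openvpn-auth-ldap project. It assumes a hypothetical dedicated service account svc-openvpn in OU=Service Accounts, a hypothetical group VPN-Users in OU=Groups, and that the containers in the canonical name megaman.xyz/Informatic/Network/Central Office/Jason Long are organizational units. Two things from the original post are worth separating: the Object tab shows the canonical path, which reads top-down with slashes, while the distinguishedName reads bottom-up with commas, so that path corresponds to CN=Jason Long,OU=Central Office,OU=Network,OU=Informatic,DC=megaman,DC=xyz and not to "OU=Informatic/Network/Central Office"; and the distinguishedName that was copied (CN=NTDS Settings,CN=DC2-MainBranch,...) belongs to the domain controller's NTDS Settings object, which cannot be used as a bind identity. The "Unable to bind as ..." line in the log is the plugin's own service bind failing, before any user credential is checked.

```apache
# Added example auth-ldap.conf for openvpn-auth-ldap against Active Directory.
# Hypothetical names: svc-openvpn, "OU=Service Accounts", "OU=Groups", VPN-Users,
# /etc/openvpn/ad-root-ca.pem. Keep this file root-owned, mode 0600: it holds a password.
<LDAP>
    # Use the DC's FQDN so the name on its certificate matches.
    URL             ldap://DC2-MainBranch.megaman.xyz
    # BindDN must be the DN of a user object that can read the user and group
    # subtrees, not a computer object or the DC's NTDS Settings object.
    # AD also accepts the UPN form (svc-openvpn@megaman.xyz) for a simple bind.
    BindDN          "CN=svc-openvpn,OU=Service Accounts,DC=megaman,DC=xyz"
    Password        ServiceAccountPassword
    Timeout         15
    # StartTLS on port 389. Without it the service password and every user's
    # VPN password cross the wire in clear text, and DCs that require LDAP
    # signing reject plain simple binds outright.
    TLSEnable       yes
    TLSCACertFile   /etc/openvpn/ad-root-ca.pem
    # AD hands out referrals for other naming contexts; libldap chases them
    # anonymously by default, so leave this off and scope BaseDN instead.
    FollowReferrals no
</LDAP>
<Authorization>
    # Search the subtree that actually contains the people. %u is the
    # username typed into the VPN client.
    BaseDN          "OU=Informatic,DC=megaman,DC=xyz"
    # Match on sAMAccountName and skip disabled accounts (userAccountControl
    # bit 0x2) so they never reach the bind step.
    SearchFilter    "(&(objectClass=user)(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    # Having an AD account is not the same as being allowed on the VPN.
    RequireGroup    true
    <Group>
        # The group subtree, not the user's own DN as in the original post.
        BaseDN          "OU=Groups,DC=megaman,DC=xyz"
        SearchFilter    "(cn=VPN-Users)"
        # AD stores group members as full DNs in the member attribute.
        MemberAttribute member
        # Present in newer releases of the plugin: makes the membership check
        # compare the member attribute against the user's DN rather than the
        # bare username. Check the README of the installed version.
        RFC2307bis      true
    </Group>
</Authorization>
```

Before touching the plugin, prove the service bind and the search from the OpenVPN host with the same DN the plugin will use, for example `ldapsearch -H ldap://DC2-MainBranch.megaman.xyz -ZZ -D "CN=svc-openvpn,OU=Service Accounts,DC=megaman,DC=xyz" -W -b "OU=Informatic,DC=megaman,DC=xyz" "(sAMAccountName=jason)" dn memberOf` (the sAMAccountName jason is assumed from the poster's UPN). The ldapsearch in the original post succeeded only because AD accepts a UPN such as jason@megaman.xyz for a simple bind; it says nothing about whether the DN written into BindDN is valid, which is why the two results disagreed.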
