Rodrigo Tadeu Alves, May 13, 22:00:
Hello,
I recently updated Endian Firewall from version 3.0devel to 3.0.5beta1. In my old version I activated OpenVPN authentication against Active Directory by following the guide below:
"http://help.endian.com/entries/20655202 ... -directory". In the new version this feature does not work correctly; only local user connections work. See the log:
Wed May 13 16:46:25 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 19 2015
Wed May 13 16:46:25 2015 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
Wed May 13 16:46:25 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed May 13 16:46:25 2015 Need hold release from management interface, waiting...
Wed May 13 16:46:26 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed May 13 16:46:26 2015 MANAGEMENT: CMD 'state on'
Wed May 13 16:46:26 2015 MANAGEMENT: CMD 'log all on'
Wed May 13 16:46:26 2015 MANAGEMENT: CMD 'hold off'
Wed May 13 16:46:26 2015 MANAGEMENT: CMD 'hold release'
Wed May 13 16:46:33 2015 MANAGEMENT: CMD 'username "Auth" "rodrigo.alves"'
Wed May 13 16:46:33 2015 MANAGEMENT: CMD 'password [...]'
Wed May 13 16:46:33 2015 Socket Buffers: R=[65536->65536] S=[64512->64512]
Wed May 13 16:46:33 2015 UDPv4 link local: [undef]
Wed May 13 16:46:33 2015 UDPv4 link remote: [AF_INET]myip:1194
Wed May 13 16:46:33 2015 MANAGEMENT: >STATE:1431546393,WAIT,,,
Wed May 13 16:46:33 2015 MANAGEMENT: >STATE:1431546393,AUTH,,,
Wed May 13 16:46:33 2015 TLS: Initial packet from [AF_INET]myip:1194, sid=ee9ed129 15a74f6b
Wed May 13 16:46:33 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed May 13 16:46:33 2015 VERIFY OK: depth=1, C=IT, O=efw, CN=efw CA
Wed May 13 16:46:33 2015 VERIFY OK: nsCertType=SERVER
Wed May 13 16:46:33 2015 VERIFY OK: depth=0, C=AF, CN=myip
Wed May 13 16:46:33 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed May 13 16:46:33 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 13 16:46:33 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed May 13 16:46:33 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 13 16:46:33 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed May 13 16:46:33 2015 [myip] Peer Connection Initiated with [AF_INET]myip:1194
Wed May 13 16:46:34 2015 MANAGEMENT: >STATE:1431546394,GET_CONFIG,,,
Wed May 13 16:46:35 2015 SENT CONTROL [myip]: 'PUSH_REQUEST' (status=1)
Wed May 13 16:46:35 2015 AUTH: Received control message: AUTH_FAILED
Wed May 13 16:46:35 2015 SIGUSR1[soft,auth-failure] received, process restarting
Wed May 13 16:46:35 2015 MANAGEMENT: >STATE:1431546395,RECONNECTING,auth-failure,,
Wed May 13 16:46:35 2015 Restart pause, 2 second(s)
#configuration /var/efw/openvpn/settings
AUTHENTICATION_STACK=ldap,local
CA_FILENAME=cacert.pem
CLIENT_TO_CLIENT=on
LDAP_BIND_DN=cn=endian,cn=Users,dc=domain,dc=com,dc=br
LDAP_BIND_PASSWORD=pass
LDAP_URI=ldap://mylocalipAD
LDAP_USER_BASEDN=cn=Users,dc=domain,dc=com,dc=br
LDAP_USER_SEARCHFILTER=(&(objectCategory=person)(objectClass=user)(sAMAccountName=%(u)s))
OPENVPN_ENABLED=on
Users connect OK in the option Proxy HTTP Authentication, with NTLM connection and LDAP.
OpenVPN client configuration:
client
dev tap
proto udp
remote myip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
ns-cert-type server
ca cacert.pem
verb 3
comp-lzo
Upgrade Endian 3.0 to 3.05 error login LDAP x Win 2012 Serve
Re: Upgrade Endian 3.0 to 3.05 error login LDAP x Win 2012 S
OK, I found the error...
In the file /etc/openvpn/openvpn.1.conf there was the following entry:
auth-user-pass-verify "/usr/bin/openvpn-auth-env" via-env
So I changed the code in the following file, /etc/openvpn/openvpn.conf.tmpl, like this:
; auth-user-pass-verify "/usr/bin/openvpn-auth-env" via-env
auth-user-pass-verify "/usr/bin/openvpn-auth" via-file
After this, restart the OpenVPN service and the LDAP auth functions very fine at my firewall.
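The thread turns on how OpenVPN hands the client's username and password to the verify script (via-env versus via-file) and on the ldap,local AUTHENTICATION_STACK from the settings file above. The script below is an added example and is not Endian's /usr/bin/openvpn-auth or openvpn-auth-env; it only follows the auth-user-pass-verify contract from the OpenVPN manual (via-file: a temp file with the username on line 1 and the password on line 2; via-env: the variables `username` and `password`) and the search filter from the settings. Everything else is assumed: the DN and passwords in SAMPLE_DIRECTORY, the local user in default_backends, the PBKDF2 scheme for local records, and the function names verify_file and demo are constructed for illustration, and the LDAP search and bind are injected callables so the example runs offline.

```python
"""Added example, not Endian's /usr/bin/openvpn-auth: an OpenVPN auth-user-pass-verify
script that takes credentials by via-file or via-env and checks them against an
"ldap,local" stack. LDAP access is injected as search/bind callables so it runs
offline; the directory and the local user below are constructed sample data."""
import hashlib
import hmac
import os
import sys
import tempfile

# Search filter from the Endian settings file; %(u)s is the username placeholder.
SEARCH_FILTER = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%(u)s))"

def read_credentials_via_file(path):
    """via-file: OpenVPN passes a temp file, username on line 1, password on line 2."""
    with open(path, "r", encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        raise ValueError("credential file needs a username line and a password line")
    return lines[0], lines[1]

def read_credentials_via_env(environ=None):
    """via-env: OpenVPN exports 'username' and 'password' (needs script-security 3; the
    environment is readable by other processes of the same user on many systems)."""
    env = os.environ if environ is None else environ
    return env["username"], env["password"]  # KeyError if OpenVPN did not export them

def ldap_filter_escape(value):
    """RFC 4515 escaping so a username cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_user_filter(template, username):
    """Fill the %(u)s placeholder with the escaped username."""
    return template % {"u": ldap_filter_escape(username)}

def ldap_authenticate(username, password, search, bind):
    """search(filter) -> list of DNs, bind(dn, password) -> bool. Require exactly one
    match, then bind as that DN so the directory itself verifies the password."""
    if not password:
        return False  # an empty password would turn the bind into an anonymous bind
    dns = search(build_user_filter(SEARCH_FILTER, username))
    return len(dns) == 1 and bind(dns[0], password)

def make_local_record(password, salt=None):
    """Local backend record: (salt, PBKDF2-HMAC-SHA256 digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def local_authenticate(username, password, users):
    """users: {name: (salt, digest)}; digests compared in constant time."""
    rec = users.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(make_local_record(password, rec[0])[1], rec[1])

def authenticate(username, password, stack, backends):
    """Walk the comma-separated stack (e.g. "ldap,local") in order and return the
    name of the backend that accepted the credentials, or None."""
    for name in stack.split(","):
        if backends[name](username, password):
            return name
    return None

# Constructed sample directory standing in for the AD domain in the post.
SAMPLE_DIRECTORY = {"CN=Rodrigo Alves,CN=Users,DC=domain,DC=com,DC=br": ("rodrigo.alves", "s3cret")}

def sample_search(ldap_filter):
    """Toy matcher for the filter shape above: exact match on the sAMAccountName value,
    so an escaped wildcard ("\\2a") matches nobody, as it would in a real directory."""
    key = "(sAMAccountName="
    start = ldap_filter.index(key) + len(key)
    wanted = ldap_filter[start:ldap_filter.index(")", start)]
    return [dn for dn, (sam, _) in SAMPLE_DIRECTORY.items() if sam == wanted]

def sample_bind(dn, password):
    entry = SAMPLE_DIRECTORY.get(dn)  # toy simple bind against the sample directory
    return entry is not None and hmac.compare_digest(entry[1].encode(), password.encode())

def default_backends():
    users = {"rodrigo.alves": make_local_record("localpass")}  # constructed local user
    return {"ldap": lambda u, p: ldap_authenticate(u, p, sample_search, sample_bind),
            "local": lambda u, p: local_authenticate(u, p, users)}

def verify_file(path):
    """Entry point for `auth-user-pass-verify <script> via-file`: exit 0 accepts the client."""
    username, password = read_credentials_via_file(path)
    return 0 if authenticate(username, password, "ldap,local", default_backends()) else 1

def demo():
    """Stand-alone run: emulate OpenVPN handing over a via-file credential file."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write("rodrigo.alves\ns3cret\n")
    try:
        return verify_file(path)
    finally:
        os.unlink(path)  # OpenVPN deletes its temp file after the script exits; mirror that

if __name__ == "__main__":
    sys.exit(verify_file(sys.argv[1]) if len(sys.argv) == 2 else demo())
```

Run it as `python3 verify.py /path/to/credfile` to act as the via-file script, or with no argument to run the offline demo. Two points worth keeping from the exchange above: the OpenVPN manual requires `script-security 3` for via-env precisely because the password lands in the process environment, which is why via-file (script-security 2) is the documented recommendation and why switching the template to via-file is the right direction independent of this bug; and because the Endian filter substitutes the raw username into `(sAMAccountName=%(u)s)`, any verify script that builds that filter itself must escape it as above before the name reaches the directory.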