LDAP & auth-user-pass-verify script

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
Ralf80
OpenVpn Newbie
Posts: 2
Joined: Tue Apr 14, 2020 7:03 pm

LDAP & auth-user-pass-verify script

Post by Ralf80 » Tue Apr 14, 2020 7:58 pm

Hi Everyone

I am using OPENVPN server version 2.4.6 with with LDAP as a backend authentication mechanism.
To this end, I use the LDAP plugin in the form of:

Code: Select all

plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
For security reasons, I would like to check using an additional perl script whether the same user
who has the generated certificate authenticates based about LDAP.
The Common Name (CN) value in the generated user certificate is identical to the username LDAP.
It comes down to checking in the script whether the CN = username value in LDAP.
My question:
Whether using the add-in plug-in supporting LDAP libraries (presented above) can simultaneously
use the auth-user-pass-verify directive in the form of:

Code: Select all

auth-user-pass-verify "/root/openvpn/script/ucheck.pl" via-env
?
Below is the fragment server config:

server.conf

script-security 3
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap-stud.conf
verify-client-cert require
auth-user-pass-verify "/root/openvpn/script/ucheck.pl" via-env

client.conf

proto udp
port 1194
remote x.x.x.x 1194 udp
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
auth-retry interact
auth-user-pass
auth-nocache
key-direction 1
tls-auth [inline] 1
comp-lzo
verb 3
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
<ca>
...
</ca>

<cert>
...
</cert>

<key>
...
</key>
key-direction 1
<tls-auth>
...
</tls-auth>

Perl script <ucheck.pl>

Code: Select all

#!/usr/bin/perl -t

# OpenVPN --auth-user-pass-verify script.
# Only authenticate if username equals common_name.

$username = $ENV{'username'};
$common_name = $ENV{'common_name'};

exit !(length($username) > 0 && length($common_name) > 0 && $username eq $common_name);
After taking into account the above changes, when client1 trying to connect authentication ends
unsuccessful. Fragment of logs on the server:

Code: Select all

Tue Apr 14 16:07:32 2020 us=565998 x.x.x.x:52123 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Tue Apr 14 16:07:32 2020 us=575757 x.x.x.x:52123 WARNING: Failed running command (--auth-user-pass-verify): could not execute external program
Tue Apr 14 16:07:32 2020 us=575879 x.x.x.x:52123 TLS Auth Error: Auth Username/Password verification failed for peer
WRTue Apr 14 16:07:32 2020 us=576805 x.x.x.x:52123 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Apr 14 16:07:32 2020 us=576892 x.x.x.x:52123 [client1] Peer Connection Initiated with [AF_INET]x.x.x.x:52123
RTue Apr 14 16:07:33 2020 us=830908 x.x.x.x:52123 PUSH: Received control message: 'PUSH_REQUEST'
Tue Apr 14 16:07:33 2020 us=831033 x.x.x.x:52123 Delayed exit in 5 seconds
Tue Apr 14 16:07:33 2020 us=831075 x.x.x.x:52123 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
WWWTue Apr 14 16:07:38 2020 us=953881 x.x.x.x:52123 SIGTERM[soft,delayed-exit] received, client-instance exiting
ucheck.pl file access rights are as follows:

Code: Select all

-rwxr-x---. 1 root nobody  344 Apr 14 15:33 ucheck.pl
I will be grateful for any tip or answer. :)
Last edited by Pippin on Tue Apr 14, 2020 9:05 pm, edited 1 time in total.
Reason: Formatting

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: LDAP & auth-user-pass-verify script

Post by TinCanTech » Tue Apr 14, 2020 8:06 pm

Ralf80 wrote:
Tue Apr 14, 2020 7:58 pm
Tue Apr 14 16:07:32 2020 us=575757 x.x.x.x:52123 WARNING: Failed running command (--auth-user-pass-verify): could not execute external program
This is the ERROR (not warning!) which you need to fix.

Ralf80
OpenVpn Newbie
Posts: 2
Joined: Tue Apr 14, 2020 7:03 pm

Re: LDAP & auth-user-pass-verify script

Post by Ralf80 » Tue Apr 14, 2020 8:28 pm

Unfortunately, this is my first OPENVPN server and I'm a beginner.
At first I thought that this is a problem in access rights to the ucheck.pl script file,
but after the modification the same error still appears.
I don't really understand what this error message can be caused: auth-user-pass-verify: could not execute external program.

I have read many posts here in this forum, and I have searched many similar OPENVPN forums.
Unfortunately, I did not find a clue that could give me a specific answer to this error.

Post Reply