OPENVPN & Active Directory authentication

Posted: Thu Jul 11, 2013 10:12 am
by bengan
Good day people!
This is my first time posting a problem online, so if I have missed any formalities please inform me.

We are currently trying to set up an OpenVPN server on a Debian 6.0 distribution (32-bit) and connect it to a Windows 2008 (R2) server
so that users can log in to the VPN via an Active Directory account.

We installed OpenVPN through apt-get install openvpn and openvpn-auth-ldap,
configured iptables so that the VPN server forwards traffic, etc.
We have created the key files needed and tested logging in with them as well; it works, and we can reach the internal servers when connected with the key files.

So far the VPN connection also works for users created on the local Debian machine when we use the PAM module. However, when we change the module to LDAP and try to connect to the Windows server, we get the following errors in /var/log/daemon.log:

LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1)
Unable to bind as cn=Administrator,ou=Users,dc=server,dc=li**.local

Our admin account is located under the OU Users, and we are 100% certain that the credentials are correct.

This is our main openvpn.conf:

port 2450
proto udp
dev tun
ca ca.crt
cert VPN.crt
key VPN.key
dh dh1024.pem
server 192.168.100.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
#push "redirect-gateway"
client-to-client
push "dhcp-option DNS 192.168.5.6"
push "route 192.168.5.0 255.255.255.0"
#push "dhcp-option WINS 192.168.1.5"
keepalive 5 30
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
client-cert-not-required

This is our /etc/openvpn/auth/ldap.conf file:

<LDAP>
# LDAP server URL
URL ldap://Ma**.li**.local:389

# Bind DN (If your LDAP server doesn't support anonymous binds)
#BindDN uid=Administrator,ou=Users,dc=Ma**,dc=li**.local
BindDN Administrator@li**.local

# Bind Password
Password secret

# Network timeout (in seconds)
Timeout 15

# Enable Start TLS
TLSEnable no

# Follow LDAP Referrals (anonymously)
FollowReferrals yes

# TLS CA Certificate File
# TLSCACertFile /usr/local/etc/ssl/ca.pem

# TLS CA Certificate Directory
#TLSCACertDir /etc/ssl/certs

# Client Certificate and key
# If TLS client authentication is required
# TLSCertFile /usr/local/etc/ssl/client-cert.pem
# TLSKeyFile /usr/local/etc/ssl/client-key.pem

# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH

</LDAP>

<Authorization>
# Base DN
#BaseDN "CN=Users,DC=test,DC=com"
BaseDN "CN=Users,DC=Ma**,DC=li**.local"

# User Search Filter
#SearchFilter "(&(uid=%u)(accountStatus=active))"
#SearchFilter "(&(sAMAccountName=%u)(msNPAllowDialin=TRUE))"
SearchFilter "(&(sAMAccountName=%u))"

# Require Group Membership
RequireGroup true

# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users

<Group>
BaseDN "CN=Grupper,DC=Ma**,DC=li**.local"
SearchFilter "(cn=VPN)"
MemberAttribute "member"
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>

All help would be deeply appreciated.

Kind regards, Bengan
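A small triage helper for the daemon.log lines quoted in this post, added here as an example and not taken from the thread: it pulls the AD sub-code out of the AcceptSecurityContext error (52e is "invalid credentials") and flags two DN-format slips that make AD return exactly that code even when the password is right. The sample log lines and domain names are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the daemon.log excerpt (placeholder domains).
SAMPLE_LOG = """\
LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1)
Unable to bind as cn=Administrator,ou=Users,dc=server,dc=example.local
LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1)
Unable to bind as CN=svc-vpn,CN=Users,DC=example,DC=local
"""

# Documented AD sub-codes in the "data NNN" field of an AcceptSecurityContext error.
AD_SUBCODES = {"525": "user not found", "52e": "invalid credentials",
               "530": "logon time restriction", "531": "workstation restriction",
               "532": "password expired", "533": "account disabled",
               "701": "account expired", "773": "must reset password",
               "775": "account locked out"}

BIND_FAILED_RE = re.compile(r"LDAP bind failed: .*?data ([0-9a-f]+),")
BIND_AS_RE = re.compile(r"Unable to bind as (\S+)")


@dataclass
class BindFailure:
    code: str
    meaning: str
    bind_dn: str = ""
    hints: list = field(default_factory=list)


def dn_hints(dn: str) -> list:
    """Flag DN slips that make AD answer 52e even with the right password."""
    hints = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() == "dc" and "." in value:
            hints.append(f"DC={value}: each DNS label needs its own DC= component")
        if attr.lower() == "ou" and value.lower() == "users":
            hints.append("default AD Users container is CN=Users, not OU=Users")
    return hints


def parse_bind_failures(log: str) -> list:
    """Pair each 'LDAP bind failed' line with the 'Unable to bind as' line after it."""
    failures = []
    for line in log.splitlines():
        if m := BIND_FAILED_RE.search(line):
            failures.append(BindFailure(m.group(1), AD_SUBCODES.get(m.group(1), "unknown sub-code")))
        elif (m := BIND_AS_RE.search(line)) and failures and not failures[-1].bind_dn:
            failures[-1].bind_dn = m.group(1)
            failures[-1].hints = dn_hints(m.group(1))
    return failures
```

Run it over a real daemon.log instead of SAMPLE_LOG to see, per failed bind, which account the plugin actually tried and why AD rejected it.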

Re: OPENVPN & Active Directory authentication

Posted: Fri Jul 12, 2013 12:02 pm
by maikcat
Can you test the AD LDAP auth that works?

Are you sure that MS AD works using LDAP and not LDAPS?

Michael.