OpenVPN Support Forum

I notice in the plugin api that we can only return success and failure, not something like temporary failure (retry later).

the idea is that you want auth-retry to be none, because you don't want clients to keep retrying when they are set with wrong passwords.

however, when you need maintenance on your ldap server (with the auth-ldap) plugin, or via the verify script, and you turn off the ldap server for a few minutes, reconnects of existing tunnels will fail and exit.

i like the plugin api (and the verify script) to be able to return a 3rd state (temporary failure), which still registers as failed, but still allows the authentication to retry after some time, even if the auth-retry is off.

This allows for example: maintenance on a authentication server.

thanks in advance.

This is an interesting idea. Would you mind bringing this discussion to openvpn-devel@lists.sourceforge.net? There we have more developers which can follow this discussion.

Having that said, I wonder if OPENVPN_PLUGIN_FUNC_DEFERRED can be used in this case. This is a slightly different approach. But this puts authentication on hold until the authentication has completed. But OpenVPN expects another thread to complete the authentication and provide the result via the file given in the $auth_control_file env. variable. Your LDAP authentication could then run async, do the proper reconnect as needed and queue up the auth requests if the connection is broken.

See sample/sample-plugins/defer/simple.c for some more info about this feature