OpenVPN Support Forum

Posted: **Wed Jul 21, 2021 1:06 pm**

Hi, having resolved my LDAP issue, I'm now facing the issue that, when I add the otp.so plugin to my server config and a line asking for a google authenticator challenge to my client the ldap authentication fails while the otp shows successful authentication in the logs.

When I revert to the server and client config that work, ldap authentication starts working again.

Something isn't right here, I think it is the client configuration, I'm half convinced that the client is passing the password and otp information to the server as the password.

Here is the relevant part of the client file, can anyone see what is wrong?

Code: Select all

client
dev tun
proto udp
remote xxx.xxx.xxx.xxx 1194
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
auth-user-pass
auth-nocache
reneg-sec 0
static-challenge "Enter Google Authenticator Token" 1

Posted: **Wed Jul 21, 2021 2:49 pm**

I'm having a strange problem. I have an openvpn server on ubuntu that is set up for authentication with LDAP and will authenticate me correctly, however, when I add the OTP plugin to the server configuration the ldap authentication stops working.

I think the client is passing the password and otp code as the password for LDAP and that's why it isn't working. What am I missing? Is this what is happening?

Server Config:

Code: Select all

local 10.180.8.4
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
#user nobody
#group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
log-append /var/log/openvpn/openvpn.log
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
verify-client-cert none
plugin /usr/lib/openvpn/openvpn-otp.so "debug=1 password_is_cr=1 otp_secrets=/etc/openvpn/auth/otp-secrets"

Client config

Code: Select all

auth-user-pass
auth-nocache
client
dev tun
proto udp
remote 51.143.185.109 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
verb 3
static-challenge "Enter Google Authenticator Token" 1

Posted: **Tue Feb 15, 2022 4:14 pm**

Hi @Altheus,

Did you manage to configure openldap + google authenticator ?

Regards.

Posted: **Mon Sep 30, 2024 2:49 pm**

Ditto. I think I am trying something similar using the openvpn-auth-ldap.so plugin for ldap and using the openvpn-plugin-auth-pam.so plugin for PAM. My client config prompts for otp input with static-challenge "Google Authenticator" 1.
The ldap authentication was working before I added the otp functionality. It does seem like the ldap password is getting merged with the otp because I see from the logs that the ldap authentication is failing first.

Posted: **Mon Sep 30, 2024 4:39 pm**

In my case, I ended up switching to use openvpn-otp.so instead of the pam plugin. I had difficulty at first, but then realized I was missing "PasswordIsCR true" in my ldap auth config. Turns out that was also what I had been missing in the pam setup.

In any case, I would not have found that out without the nice documentation in the openvpn-otp.so github.

Posted: **Mon Oct 07, 2024 1:38 am**

I wanted to do that a while ago and it didn't work either.

OpenVPN Support Forum

Openvpn LDAP and OTP from google authenticator

Openvpn LDAP and OTP from google authenticator

Openvpn LDAP and Google authenticator

Re: Openvpn LDAP and OTP from google authenticator

Re: Openvpn LDAP and OTP from google authenticator

Re: Openvpn LDAP and OTP from google authenticator

Re: Openvpn LDAP and OTP from google authenticator