
Is it possible to configure that the commonName of the certificate has to be equal to the LDAP login name?

Posted: Wed Jun 21, 2023 3:38 pm
by tmdd
Sorry if this is a simple question, but I couldn't find the solution.

I use the following lines to let the server check for a valid SSL certificate AND a valid OpenLDAP authentication:

plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/auth-ldap.conf
verify-client-cert require
username-as-common-name

It works fine, the OpenVPN server only allows clients with a valid certificate and a valid LDAP account.
But OpenVPN does not stop the connection if the commonName of the certificate is different from the OpenLDAP login name.

So for example Alice can use the certificate from Bob and use her login alice to start the connection.
On the server there are messages like:
... alice/10.11.12.13:12345 MULTI: bad source address from client [10.11.12.13:], packet dropped
but the connection is still active.

Is there any way to make OpenVPN stop connections when the commonName of the certificate is not equal to the LDAP login name?

Re: Is it possible to configure that the commonName of the certificate has to be equal to the LDAP login name?

Posted: Fri Jun 23, 2023 9:49 am
by tmdd
I have successfully tried the following configuration:


...
verify-client-cert require
auth-user-pass-verify /etc/openvpn/auth-ldap-with-pam.pl via-file
script-security 3
...
and copied and patched the Perl script to: /etc/openvpn/auth-ldap-with-pam.pl


# cp -a /usr/share/doc/openvpn/examples/sample-scripts/auth-pam.pl /etc/openvpn/auth-ldap-with-pam.pl
# cp -a /etc/openvpn/auth-ldap-with-pam.pl /etc/openvpn/auth-ldap-with-pam.pl.org
# vim /etc/openvpn/auth-ldap-with-pam.pl
# diff -c /etc/openvpn/auth-ldap-with-pam.pl /etc/openvpn/auth-ldap-with-pam.pl.org
*** /etc/openvpn/auth-ldap-with-pam.pl	Fri Jun 23 09:16:44 2023
--- /etc/openvpn/auth-ldap-with-pam.pl.org	Wed Dec 15 06:33:53 2021
***************
*** 76,91 ****
  
  close (UPFILE);
  
- # check if the Common Name from the certificate is equal to the login name
- my $cn=$ENV{X509_0_CN};
- if ( "$username" ne "$cn" ) {
- 	print "ERROR OpenVPN login: the X509_0_CN '".$cn."' from the certificate is not equal to the login '".$username."' for the PAM authentication\n";
- 	exit 1;
- }
- else {
- 	print "DEBUG: the X509_0_CN '".$cn."' from the certificate was equal to the login '".$username."' for the PAM authentication\n";
- }
- 
  # Initialize PAM object
  
  if (!ref($pamh = new Authen::PAM($service, $username, \&my_conv_func))) {
--- 76,81 ----
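Review bot: the `diff -c` arguments are in reversed order (the patched script is given as `***`, the untouched `.org` backup as `---`), so the `-` lines are in fact the block that was added; anyone reproducing the change with `patch` needs `patch -R` or swapped arguments. On the check itself, `$ENV{X509_0_CN}` can be undefined when the script runs without a verified client certificate; the `ne` comparison then compares against an empty string, which still rejects any non-empty login but should be stated explicitly, e.g. `unless (defined $cn && $username eq $cn)`, so the intent survives later edits. The DEBUG branch echoes the full login name to stdout, which OpenVPN forwards to its log; drop or guard it once the change is confirmed working, since the error branch already reports the mismatch.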
# 
But this uses authentication against PAM and writes the login and password temporarily to a text file, which is a security risk.
If anybody knows a better method (without "auth-user-pass-verify"), please write it here. Thanks.
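The check from the two posts above, as an added example written in Python rather than tmdd's patched Perl script: it implements the `auth-user-pass-verify ... via-file` contract (OpenVPN writes the username on line 1 and the password on line 2 of a temporary file and passes its path as the first argument, with the verified certificate's CN exported as `X509_0_CN`), rejects the login unless the CN is present and exactly equal to the username, and only then hands off to a backend. The `authenticate` callable is a hypothetical placeholder for the PAM or LDAP step; the file layout and environment variable names are taken from the OpenVPN manual, everything else is assumed.

```python
import hmac
import os
import sys
from pathlib import Path


def read_via_file(path):
    """Parse the credentials file OpenVPN writes for `via-file`:
    line 1 is the username, line 2 the password."""
    lines = Path(path).read_text(encoding="utf-8").splitlines()
    if len(lines) < 2:
        raise ValueError("credentials file must contain a username line and a password line")
    return lines[0], lines[1]


def cn_matches_login(username, cn):
    """True only if the certificate CN is set and exactly equal to the login name.
    An unset CN (no verified client certificate) or an empty login never matches;
    the comparison is case-sensitive, so 'Alice' does not match 'alice'."""
    if cn is None or username == "":
        return False
    return hmac.compare_digest(username.encode("utf-8"), cn.encode("utf-8"))


def verify(env, via_file_path, authenticate):
    """Exit-code logic of the verify script: 0 accepts the client, 1 rejects it.
    `authenticate(username, password)` is a hypothetical backend hook (e.g. an LDAP bind)."""
    username, password = read_via_file(via_file_path)
    cn = env.get("X509_0_CN")
    if not cn_matches_login(username, cn):
        # Reported before any backend call, so a borrowed certificate never reaches PAM/LDAP.
        print(f"ERROR: certificate CN {cn!r} does not match login {username!r}")
        return 1
    if not authenticate(username, password):
        print(f"ERROR: backend authentication failed for {username!r}")
        return 1
    return 0


if __name__ == "__main__":
    # Real invocation: OpenVPN supplies argv[1] (the temp file) and X509_* in the environment.
    # The placeholder backend rejects every login; replace it with the real PAM/LDAP check.
    sys.exit(verify(os.environ, sys.argv[1], lambda user, password: False))
```

Wire it in with `auth-user-pass-verify /etc/openvpn/verify-cn.py via-file` and `script-security 3` (path assumed); the CN comparison happens before the password leaves the script, and the mismatch case from the first post (Bob's certificate with login alice) is rejected with exit status 1 regardless of what the backend would say.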