Attempting to force AD authentication for openvpn users

joshcole
OpenVpn Newbie
Posts: 19
Joined: Mon Oct 10, 2011 5:08 pm

Attempting to force AD authentication for openvpn users

Post by joshcole » Thu Oct 20, 2011 5:58 am

Here is the script that I am using. I am receiving an error: failed login attempt. Any feedback is appreciated. The perl module that the script is using is installed. I found this script on a website and am a little skeptical of the username and password portion of the script. If the below information is correct should it work? FYI I replaced the actual username and password with placeholders.

path and name of script: /etc/openvpn/openvpn-ad-auth2.pl

#!/usr/bin/perl
# OpenVPN auth-user-pass-verify script, 'via-env' mode: the client's
# credentials arrive in the environment variables 'username' and 'password',
# which OpenVPN only exports when 'script-security 3' is set.
use strict;
use warnings;
use Authen::Simple::ActiveDirectory;

my $adserver = '172.16.1.70';
my $principal = 'mydomain.local';

my ($u,$p) = @ENV{qw/username password/};
my $ad = Authen::Simple::ActiveDirectory->new(
    host      => $adserver,
    principal => $principal,
);

# Exit status 0 tells OpenVPN to accept the login; any other status rejects it.
# Note the parentheses: 'exit ( ... ) ? 0 : 128' would call exit() with the
# authenticate() result itself (1 on success, so a reject) and the '? 0 : 128'
# would never run. The verdict has to be computed inside the exit() call.
exit( $ad->authenticate($u, $p) ? 0 : 128 );
Last edited by joshcole on Thu Oct 20, 2011 6:05 am, edited 1 time in total.

joshcole
OpenVpn Newbie
Posts: 19
Joined: Mon Oct 10, 2011 5:08 pm

Re: Attempting to force AD authentication for openvpn users

Post by joshcole » Thu Oct 20, 2011 6:04 am

Here is my server.conf as well

dev tun
# Server and client IP and Pool
server 172.19.238.0 255.255.254.0
ifconfig-pool-persist ipp.txt

# Certificates for VPN Authentication
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

#client-config-dir ccd
push "route 172.16.0.0 255.255.0.0"

push "dhcp-option DNS 172.16.1.70"

# Use compression on the VPN link
comp-lzo

# Make the link more resistant to connection failures

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon

log openvpn.log
log-append openvpn.log

verb 2
--duplicate-cn

client-cert-not-required
auth-user-pass-verify /etc/openvpn/openvpn-ad-auth2.pl via-env

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Attempting to force AD authentication for openvpn users

Post by Mimiko » Thu Oct 20, 2011 6:06 am

I would suggest asking the script's developer. Maybe you are not configuring the script correctly.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Attempting to force AD authentication for openvpn users

Post by janjust » Thu Oct 20, 2011 6:21 am

The script might work if you use

script-security 3

In that mode env vars like username and password are passed on to scripts, such as your Perl script.
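The two posts above describe the contract an auth-user-pass-verify script has to honour: OpenVPN hands over the credentials (in the environment for via-env, which needs script-security 3; in a two-line temporary file for via-file, where script-security 2 is enough) and reads only the exit status, 0 meaning accept. The script below is an added example, not code from the thread or from OpenVPN; the directory lookup is a constructed stand-in, and the point it makes is that the verdict-to-exit-status mapping must be explicit and fail closed, which the posted Perl one-liner gets wrong because its `? 0 : 128` is applied to the result of `exit` rather than to the result of `authenticate`.

```python
import os
import sys

# OpenVPN's auth-user-pass-verify contract: exit 0 accepts the login,
# any non-zero status rejects it.
ACCEPT, REJECT = 0, 1


def read_credentials_via_env(env):
    """'via-env' (needs script-security 3): OpenVPN exports the client's
    credentials as the environment variables 'username' and 'password'."""
    return env.get("username"), env.get("password")


def read_credentials_via_file(text):
    """'via-file' (script-security 2 suffices): OpenVPN passes the path of a
    temporary file holding the username on line 1 and the password on line 2."""
    lines = text.split("\n")
    if len(lines) < 2:
        return None, None
    return lines[0], lines[1]


def decide_exit_status(authenticate, username, password):
    """Turn the backend verdict into an exit status, failing closed: missing
    credentials, a backend error, or anything but a definite True rejects."""
    if not username or not password:
        return REJECT
    try:
        verdict = authenticate(username, password)
    except Exception:  # directory unreachable, timeout, bad bind DN, ...
        return REJECT
    return ACCEPT if verdict is True else REJECT


# Constructed stand-in for the directory bind (hypothetical data); a real
# script would attempt an LDAP bind with the supplied credentials instead.
DEMO_USERS = {"john_smith": "correct horse battery staple"}


def demo_authenticate(username, password):
    return DEMO_USERS.get(username) == password


if __name__ == "__main__":
    if len(sys.argv) > 1:  # via-file: OpenVPN passes the file path as argv[1]
        with open(sys.argv[1]) as fh:
            user, pw = read_credentials_via_file(fh.read())
    else:  # via-env
        user, pw = read_credentials_via_env(os.environ)
    sys.exit(decide_exit_status(demo_authenticate, user, pw))
```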

joshcole
OpenVpn Newbie
Posts: 19
Joined: Mon Oct 10, 2011 5:08 pm

Re: Attempting to force AD authentication for openvpn users

Post by joshcole » Thu Oct 20, 2011 6:48 pm

I switched gears and am trying to use the openvpn-ldap plugin. I created the config and added the plugin to my server.conf and received this error when I restarted openvpn (openvpn failed to start):

Auth-LDAP Configuration Error: membership key is unknown (auth-ldap.cfg:25).

Thanks for any help you can provide!

joshcole
OpenVpn Newbie
Posts: 19
Joined: Mon Oct 10, 2011 5:08 pm

Re: Attempting to force AD authentication for openvpn users

Post by joshcole » Thu Oct 20, 2011 7:49 pm

I had made a mistake in my config. Here is the new error:

Thu Oct 20 12:34:40 2011 xxx.xxx.xxx.xxx:60446 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Thu Oct 20 12:34:40 2011 xxx.xxx.xxx.xxx:60446 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Oct 20 12:34:40 2011 xxx.xxx.xxx.xxx:60446 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA

joshcole
OpenVpn Newbie
Posts: 19
Joined: Mon Oct 10, 2011 5:08 pm

Re: Attempting to force AD authentication for openvpn users

Post by joshcole » Thu Oct 20, 2011 10:26 pm

This is what I am seeing in the logs now after trying to connect:

Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Re-using SSL/TLS context
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 LZO compression initialized
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Local Options hash (VER=V4): '530fdded'
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Expected Remote Options hash (VER=V4): '41690919'
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 TLS: Username/Password authentication succeeded for username 'john_smith'
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 [] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:64077
LDAP user "john_smith" was not found.
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 PLUGIN_CALL: plugin function PLUGIN_CLIENT_CONNECT failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Thu Oct 20 15:18:11 2011 xxx.xxx.xxx.xxx:64077 WARNING: client-connect plugin call failed

joshcole
OpenVpn Newbie
Posts: 19
Joined: Mon Oct 10, 2011 5:08 pm

Re: Attempting to force AD authentication for openvpn users

Post by joshcole » Thu Oct 20, 2011 10:34 pm

The openvpn-ldap plugin is installed

Here are the new configs:

openvpn server.conf:

dev tun
# Server and client IP and Pool
server 172.19.238.0 255.255.254.0
ifconfig-pool-persist ipp.txt

# Certificates for VPN Authentication
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

#client-config-dir ccd
push "route 172.16.0.0 255.255.0.0"

push "dhcp-option DNS 172.16.1.70"

# Use compression on the VPN link
comp-lzo

# Make the link more resistant to connection failures

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon

log openvpn.log
log-append openvpn.log

verb 2
--duplicate-cn

script-security 3
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-ldap.so auth-ldap.cfg

openvpn-ldap auth-ldap.cfg:

<LDAP>
# LDAP server URL
URL ldap://172.16.1.70

# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN "CN=vpnauth,OU=LDAP,DC=mydomain,DC=local"

# Bind Password
# Password SecretPassword
Password xxxxxx
# Network timeout (in seconds)
Timeout 15

# Enable Start TLS
#TLSEnable yes
TLSEnable no

</LDAP>

<Authorization>

# For active directory, I used sAMAccountName to search by username
# I also configured the original search filter to contain the group membership, instead of using the
# RequireGroup directive below

# Base DN
BaseDN "DC=mydomain,DC=local"

# User Search Filter
#SearchFilter "(&(uid=%u)(accountStatus=active))"
SearchFilter "(&(sAMAccountName=%u)(memberOf=cn=_VPN,OU=_Groups,DC=mydomain,DC=local))"

# Require Group Membership
RequireGroup false

</Authorization>
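The SearchFilter above is a template in which the plugin replaces %u with the name the client sent. Whatever performs that substitution has to escape the value per RFC 4515, otherwise characters such as `*` or `)` in a supplied username would change what the filter matches rather than being compared literally. The following is an added example, not the plugin's own code, showing that expansion on the thread's filter, plus the Active Directory matching-rule form (LDAP_MATCHING_RULE_IN_CHAIN) that a membership clause needs when the _VPN group is only reached through nested groups, since a plain memberOf= clause matches direct members only.

```python
# RFC 4515 escaping for a value substituted into an LDAP search filter:
# these five characters would otherwise alter the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so it is compared literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_search_filter(template, username):
    """Expand the %u placeholder of an auth-ldap style SearchFilter with the
    username escaped, so the result can only match that exact account name."""
    return template.replace("%u", escape_filter_value(username))


# AD's LDAP_MATCHING_RULE_IN_CHAIN: 'memberOf' evaluated with this rule also
# matches membership inherited through nested groups.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def membership_filter(user_attr, group_dn, username, nested=False):
    """Build the account-plus-group filter used in the thread; nested=True
    switches the memberOf clause to the in-chain matching rule."""
    rule = ":%s:" % IN_CHAIN if nested else ""
    return "(&(%s=%s)(memberOf%s=%s))" % (
        user_attr, escape_filter_value(username), rule, escape_filter_value(group_dn))
```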

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Attempting to force AD authentication for openvpn users

Post by Mimiko » Fri Oct 21, 2011 7:50 am

LDAP user "john_smith" was not found.
Doesn't this seem odd? The LDAP plugin worked and tried to authenticate, but that user does not exist in the Active Directory.

joshcole
OpenVpn Newbie
Posts: 19
Joined: Mon Oct 10, 2011 5:08 pm

Re: Attempting to force AD authentication for openvpn users

Post by joshcole » Fri Oct 21, 2011 7:22 pm

I placed that there as a placeholder to hide the actual user name. The user definitely exists. Could you suggest where I may be able to get more feedback on this issue?

At this point I am trying to use PAM and radius to authenticate against our Windows radius server for our vpn users. I have googled the heck out of this and can't seem to make it work. Please let me know!

Thanks!

joshcole
OpenVpn Newbie
Posts: 19
Joined: Mon Oct 10, 2011 5:08 pm

Re: Attempting to force AD authentication for openvpn users

Post by joshcole » Fri Oct 21, 2011 10:13 pm

I downloaded the virtual appliance and configured LDAP on it, got it to a point where it's working. Is there a way to see how it was configured and match the ldap authentication piece? Do they allow access to the configs? If so, does anyone know where I might find them?

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Attempting to force AD authentication for openvpn users

Post by Mimiko » Sat Oct 22, 2011 7:23 am

Could you suggest where I may be able to get more feedback on this issue?
I would suggest getting answers on LDAP forums about how to configure LDAP access. Also, search this forum for LDAP authentication configuration. For example:
http://forums.openvpn.net/topic8647.html
http://www.howtoforge.com/set-up-openvp ... .0-squeeze

joshcole
OpenVpn Newbie
Posts: 19
Joined: Mon Oct 10, 2011 5:08 pm

Re: Attempting to force AD authentication for openvpn users

Post by joshcole » Thu Oct 27, 2011 9:50 pm

I've finally been able to authenticate the user which is amazing! I am using a radius plugin to accomplish this. I am still having problems but maybe at this point it's something that you guys can help me address.

The client error log reported this:

Thu Oct 27 14:38:42 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:11: topology (2.0.9)
Thu Oct 27 14:38:42 2011 OPTIONS IMPORT: timers and/or timeouts modified
Thu Oct 27 14:38:42 2011 OPTIONS IMPORT: --ifconfig/up options modified
Thu Oct 27 14:38:42 2011 OPTIONS IMPORT: route options modified
Thu Oct 27 14:38:42 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Oct 27 14:38:42 2011 CreateFile failed on TAP device: \\.\Global\{DC090850-52C8-4496-8227-90D67D1E6966}.tap
Thu Oct 27 14:38:42 2011 All TAP-Win32 adapters on this system are currently in use.

I am running Windows 7 64 bit so I am not sure if that has something to do with it. I feel like I am almost there. Any help you can provide is much appreciated!

joshcole
OpenVpn Newbie
Posts: 19
Joined: Mon Oct 10, 2011 5:08 pm

Re: Attempting to force AD authentication for openvpn users

Post by joshcole » Thu Oct 27, 2011 10:09 pm

Ok so I was able to get connected but no traffic is being allowed to pass. Here is what I am seeing in the log. It does show me as being successfully connected, I pulled an ip address and what not but can't ping or access any devices on the remote end.

Thu Oct 27 15:08:18 2011 xxx.xxx.xxx.xxx:50161 Need IPv6 code in mroute_extract_addr_from_packet

joshcole
OpenVpn Newbie
Posts: 19
Joined: Mon Oct 10, 2011 5:08 pm

Re: Attempting to force AD authentication for openvpn users

Post by joshcole » Thu Oct 27, 2011 10:54 pm

I can ping the ip address of the openvpn server on the 172.16.0 subnet but can't get past that.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Attempting to force AD authentication for openvpn users

Post by Mimiko » Fri Oct 28, 2011 5:52 am

Disable IPv6 on tun adapter.
Also check the firewall rules on the server. Is forwarding enabled?
