OpenVPN Roadwarriors and AD Auth

NethServer Version: Nethserver 7.9.2009
Module: OpenVPN

While some posts suggest this is possible, I’m in LDAP/AD limbo at the moment. Stop me now if I’ve wasted my time even trying.

Fresh install on NS 7.9.2009 joined as a “member” to an existing Active Directory environment, Windows 2012R2.

Users are showing up as expected, and I can select a user as a “system” type and they can be granted access. (User + Password)

Upon trying to authenticate, no manner of user-id combo or password seems to work. (Not sure if it wants a specific @domain suffix… or just a username.)

Does this even work with an AD Domain account out of the box, or is it as I read:

Changing /etc/openvpn/host-to-net.conf and adding:

plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"

as well as

ldap.conf

URL ldap://prod8.intranet.local
BindDN cn=###############,DC=local
Password ##############

Timeout 15

TLSEnable no
FollowReferrals yes

BaseDN OU=Staff,OU=Users,OU=################
SearchFilter (&(sAMAccountName=%u))

OpenVPN log catching a login attempt:

Mon Dec 28 16:24:19 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Mon Dec 28 16:24:19 2020 MANAGEMENT: unix domain socket listening on /var/spool/openvpn/host-to-net
Mon Dec 28 16:24:19 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Dec 28 16:24:19 2020 PLUGIN_INIT: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so '[/usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so] [/etc/openvpn/auth/ldap.conf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
Mon Dec 28 16:24:19 2020 Diffie-Hellman initialized with 1024 bit key
Mon Dec 28 16:24:19 2020 CRL: loaded 1 CRLs from file /var/lib/nethserver/certs/crl.pem
Mon Dec 28 16:24:19 2020 TUN/TAP device tunrw opened
Mon Dec 28 16:24:19 2020 TUN/TAP TX queue length set to 100
Mon Dec 28 16:24:19 2020 /sbin/ip link set dev tunrw up mtu 1500
Mon Dec 28 16:24:19 2020 /sbin/ip addr add dev tunrw 192.168.100.1/24 broadcast 192.168.100.255
Mon Dec 28 16:24:19 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Dec 28 16:24:19 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Dec 28 16:24:19 2020 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Dec 28 16:24:19 2020 UDPv4 link remote: [AF_UNSPEC]
Mon Dec 28 16:24:19 2020 MULTI: multi_init called, r=256 v=256
Mon Dec 28 16:24:19 2020 IFCONFIG POOL: base=192.168.100.2 size=252, ipv6=0
Mon Dec 28 16:24:19 2020 ifconfig_pool_read(), in='', TODO: IPv6
Mon Dec 28 16:24:19 2020 IFCONFIG POOL LIST
Mon Dec 28 16:24:19 2020 Initialization Sequence Completed
Mon Dec 28 16:24:23 2020 :50981 TLS: Initial packet from [AF_INET]:50981 (via [AF_INET]###.###.###.###%eth1), sid=b878d950 6f6c1ba3
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_VER=2.4.8
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_PLAT=win
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_PROTO=2
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_NCP=2
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_LZ4=1
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_LZ4v2=1
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_LZO=1
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_COMP_STUB=1
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_COMP_STUBv2=1
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_TCPNL=1
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_GUI_VER=OpenVPN_GUI_11
Unable to enable STARTTLS: Can't contact LDAP server
LDAP connect failed.
Mon Dec 28 16:24:24 2020 :50981 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Dec 28 16:24:24 2020 :50981 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
Auth 'username@##############local' failed, PAM said: Error in service module
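An added sanity check (not NethServer's or the openvpn-auth-ldap plugin's own code) that parses a config written in the key/value layout quoted above and flags what a reviewer would catch before pointing the plugin at it: missing keys, a malformed URL, an unbalanced or placeholder-less SearchFilter, and a plaintext ldap:// bind. The sample config below is constructed; the bind DN and password are placeholders.

```python
"""Sanity-check an openvpn-auth-ldap style ldap.conf before handing it to the plugin."""
from urllib.parse import urlsplit

REQUIRED = ("URL", "BindDN", "Password", "BaseDN", "SearchFilter")

# Constructed sample in the same key/value layout as the config quoted above;
# it deliberately carries the unbalanced SearchFilter from the post.
SAMPLE_CONF = """
URL ldap://prod8.intranet.local
BindDN cn=svc-openvpn,DC=intranet,DC=local
Password REPLACE_ME
Timeout 15
TLSEnable no
FollowReferrals yes
BaseDN OU=Staff,OU=Users,DC=intranet,DC=local
SearchFilter (&(sAMAccountName=%u)
"""


def parse_conf(text):
    """Return {key: value} for 'Key value' lines; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def check_conf(conf):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = [f"missing {key}" for key in REQUIRED if key not in conf]
    url = urlsplit(conf.get("URL", ""))
    if url.scheme not in ("ldap", "ldaps"):
        findings.append(f"URL scheme must be ldap:// or ldaps://, got {url.scheme!r}")
    elif not url.hostname:
        findings.append("URL has no hostname")
    elif "." not in url.hostname:
        findings.append(f"URL host {url.hostname!r} is not fully qualified")
    filt = conf.get("SearchFilter", "")
    if filt.count("(") != filt.count(")"):
        findings.append("SearchFilter parentheses are unbalanced")
    if "%u" not in filt:
        findings.append("SearchFilter never substitutes the login name (%u)")
    # With ldap:// and no STARTTLS the bind password crosses the wire in clear text.
    if url.scheme == "ldap" and conf.get("TLSEnable", "no").lower() != "yes":
        findings.append("bind credentials sent in clear text (ldap:// with TLSEnable no)")
    return findings
```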

@primerpop

Hi

This does work with ldap or AD users out of the box…
I don’t use NethServer as firewall, but I have tested it and was surprised how fast I got it to work…
I do have one client using a hosted NethServer, and OpenVPN to that server’s (virtual) internal IP works - with AD users…

My 2 cents
Andy

Two-feet brake stop. Have you ever heard about “configuration fragment”?
AFAIK “out of the box” LDAP-dependent Roadwarrior OpenVPN should not be possible.
Currently the options are:

  • OpenVPN user

or

  • system user

But a lot of configuration edits could be done via “fragments”, which could later be expanded (and written) when the settings are changed in the “GUI” (Cockpit or NethGUI) without being overwritten.
Also…
AFAIK it has not even been considered a “user/customer case”; therefore, I raise the @support_team to bash my fingers if I am wrong…
Maybe your request could be… an interesting user case. Who knows :slight_smile:

Thanks @Andy_Wismer for confirming it is possible.

Seems to be working now. Issue was naming, not very clear in the docs as to what is or isn’t acceptable or any information about how it’s parsed or sliced and how it’s used.

Our network naming is a pattern of the form host.geo.XXX.YYY, which confuses NethServer, and it infers things a bit differently. If I break the pattern and use an upper-level host name of the form “host.XXX.YYY”, it seems to satisfy the immutable pattern inside NethServer that infers names.


@pike Thanks. The concept doesn’t elude me, but I’m trying to solve a point problem and not seeking a scolding on my approach. Perhaps consider an approach that is more informative and less condescending (that’s when you talk down to people).

Scolding was not the purpose of my post, therefore I’m sorry if this is what you perceived.
I won’t bug you anymore :slight_smile: