NethServer Version: Nethserver 7.9.2009
Module: OpenVPN
While some posts suggest this is possible, I’m in LDAP/AD limbo at the moment. Stop me now if I’ve wasted my time even trying.
Fresh install on NS 7.9.2009, joined as a “member” of an existing Active Directory environment (Windows 2012R2).
Users are showing up as expected; I can select a user of the “system” type and grant access (User + Password).
Upon trying to authenticate, no combination of user-id and password seems to work (not sure if it wants a specific @domain suffix, or just a username).
Does this even work with an AD domain account out of the box, or is it as I read:
Edit /etc/openvpn/host-to-net.conf, adding:
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
as well as
ldap.conf:
URL ldap://prod8.intranet.local
BindDN cn=###############,DC=local
Password ##############
Timeout 15
TLSEnable no
FollowReferrals yes
BaseDN OU=Staff,OU=Users,OU=################
SearchFilter (&(sAMAccountName=%u))
OpenVPN log capturing a login attempt:
Mon Dec 28 16:24:19 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Mon Dec 28 16:24:19 2020 MANAGEMENT: unix domain socket listening on /var/spool/openvpn/host-to-net
Mon Dec 28 16:24:19 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Dec 28 16:24:19 2020 PLUGIN_INIT: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so '[/usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so] [/etc/openvpn/auth/ldap.conf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
Mon Dec 28 16:24:19 2020 Diffie-Hellman initialized with 1024 bit key
Mon Dec 28 16:24:19 2020 CRL: loaded 1 CRLs from file /var/lib/nethserver/certs/crl.pem
Mon Dec 28 16:24:19 2020 TUN/TAP device tunrw opened
Mon Dec 28 16:24:19 2020 TUN/TAP TX queue length set to 100
Mon Dec 28 16:24:19 2020 /sbin/ip link set dev tunrw up mtu 1500
Mon Dec 28 16:24:19 2020 /sbin/ip addr add dev tunrw 192.168.100.1/24 broadcast 192.168.100.255
Mon Dec 28 16:24:19 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Dec 28 16:24:19 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Mon Dec 28 16:24:19 2020 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Dec 28 16:24:19 2020 UDPv4 link remote: [AF_UNSPEC]
Mon Dec 28 16:24:19 2020 MULTI: multi_init called, r=256 v=256
Mon Dec 28 16:24:19 2020 IFCONFIG POOL: base=192.168.100.2 size=252, ipv6=0
Mon Dec 28 16:24:19 2020 ifconfig_pool_read(), in='', TODO: IPv6
Mon Dec 28 16:24:19 2020 IFCONFIG POOL LIST
Mon Dec 28 16:24:19 2020 Initialization Sequence Completed
Mon Dec 28 16:24:23 2020 :50981 TLS: Initial packet from [AF_INET]:50981 (via [AF_INET]###.###.###.###%eth1), sid=b878d950 6f6c1ba3
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_VER=2.4.8
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_PLAT=win
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_PROTO=2
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_NCP=2
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_LZ4=1
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_LZ4v2=1
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_LZO=1
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_COMP_STUB=1
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_COMP_STUBv2=1
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_TCPNL=1
Mon Dec 28 16:24:24 2020 :50981 peer info: IV_GUI_VER=OpenVPN_GUI_11
Unable to enable STARTTLS: Can’t contact LDAP server
LDAP connect failed.
Mon Dec 28 16:24:24 2020 :50981 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Dec 28 16:24:24 2020 :50981 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
Auth 'username@##############local' failed, PAM said: Error in service module
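An added example, not code from the post, from NethServer or from openvpn-auth-ldap: a small Python linter for an openvpn-auth-ldap style ldap.conf. It parses the plugin's sectioned format (an `<LDAP>` block and an `<Authorization>` block of `Key value` lines) and reports the kinds of problems that can be seen in the config quoted above: directives sitting outside any section, a Password line run together with the Timeout line, a SearchFilter whose parentheses do not balance, and an ldap:// URL with TLSEnable left at no, which sends the bind password and every user's VPN password across the network in cleartext. The second config shows the same settings in the sectioned form over ldaps://. The host names, DNs and password in both configs are constructed placeholders. The `ldap_escape`/`build_filter` helpers show the RFC 4515 escaping a `%u` substitution needs so that a typed username cannot change the shape of the filter; they illustrate the requirement and are not the plugin's own substitution code. `%u` is replaced with the username exactly as the client sends it, and sAMAccountName holds the bare logon name, so a `user@domain` login will not match it.

```python
"""Lint an openvpn-auth-ldap style ldap.conf (added example, not plugin code)."""
import re
from typing import Dict, List

Section = Dict[str, str]
Config = Dict[str, Section]

KNOWN_KEYS = {"URL", "BindDN", "Password", "Timeout", "TLSEnable",
              "FollowReferrals", "BaseDN", "SearchFilter", "RequireGroup"}

# Constructed: a flat config of the kind quoted in the post (no section tags,
# Password and Timeout run into one line, unbalanced SearchFilter).
BROKEN_CONF = """\
URL ldap://dc1.example.local
BindDN cn=svc-openvpn,OU=Service Accounts,DC=example,DC=local
Password s3cret Timeout 15
TLSEnable no
FollowReferrals yes
BaseDN OU=Staff,OU=Users,DC=example,DC=local
SearchFilter (&(sAMAccountName=%u)
"""

# Constructed: the same settings in the plugin's sectioned format, over LDAPS
# (TLS is implicit in ldaps://, so TLSEnable/STARTTLS stays off), with a
# balanced filter that also requires an AD user object.
FIXED_CONF = """\
<LDAP>
    URL ldaps://dc1.example.local
    BindDN cn=svc-openvpn,OU=Service Accounts,DC=example,DC=local
    Password s3cret
    Timeout 15
    TLSEnable no
    FollowReferrals yes
</LDAP>
<Authorization>
    BaseDN OU=Staff,OU=Users,DC=example,DC=local
    SearchFilter (&(sAMAccountName=%u)(objectClass=user))
    RequireGroup false
</Authorization>
"""


def parse_conf(text: str) -> Config:
    """Parse <Section>...</Section> blocks of 'Key value' lines.

    Lines outside any section land in the '' pseudo-section so the linter
    can report them.  Surrounding double quotes on a value are dropped.
    """
    conf: Config = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag:
            current = "" if tag.group(1) else tag.group(2)
            conf.setdefault(current, {})
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        conf[current][parts[0]] = value
    return conf


def balanced(filter_text: str) -> bool:
    """True if every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in filter_text:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0


def lint(conf: Config) -> List[str]:
    """Return human-readable findings; an empty list means no issue found."""
    problems: List[str] = []
    if conf.get(""):
        problems.append("directives outside <LDAP>/<Authorization>: "
                        + ", ".join(conf[""]))
    merged: Section = {}
    for section in conf.values():
        merged.update(section)
    # A directive name appearing inside another directive's value means two
    # config lines were pasted or typed as one.
    for key, value in merged.items():
        for other in KNOWN_KEYS - {key}:
            if re.search(rf"\s{other}\s", f" {value} "):
                problems.append(f"{key} value contains {other}: lines run together")
    url = merged.get("URL", "")
    if url.startswith("ldap://") and merged.get("TLSEnable", "no").lower() != "yes":
        problems.append("URL is ldap:// and TLSEnable is not yes: bind password "
                        "and user passwords cross the wire in cleartext")
    search = merged.get("SearchFilter")
    if search is None:
        problems.append("SearchFilter missing")
    else:
        if not balanced(search):
            problems.append("SearchFilter has unbalanced parentheses")
        if "%u" not in search:
            problems.append("SearchFilter does not reference %u")
    return problems


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_filter(template: str, username: str) -> str:
    """Substitute %u with the escaped username, as any safe plugin must."""
    return template.replace("%u", ldap_escape(username))


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(parse_conf(text)) or "OK")
    print(build_filter("(sAMAccountName=%u)", "jdoe)(cn=*"))
```

Run it as-is to see the findings for the broken config and a clean result for the sectioned one; point `parse_conf` at your real ldap.conf to check it before restarting OpenVPN. The `build_filter` output demonstrates why the escaping matters: without it, a login name of `jdoe)(cn=*` would turn a single-user lookup into a wildcard search.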