Welcome, Guest. Please login or register.
Did you miss your activation email?
Monday 25 November 2024, 02:52:04 pm

Login with username, password and session length

Download the latest community FREE version  HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  VPN Support
| | |-+  OpenVPN LDAP Auth not working in 3.3.0 but in 3.0.5b1
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: OpenVPN LDAP Auth not working in 3.3.0 but in 3.0.5b1  (Read 35769 times)
Frank0815
Jr. Member
*
Offline Offline

Posts: 5



« on: Thursday 13 June 2019, 06:44:38 pm »

Hello everybody,

on my Endian Community FW 3.0.5 beta 1, OpenVPN is configured with AD authentication.
For auth-user-pass it uses /usr/bin/openvpn-auth via-file. This works

I recently installed a test machine with community version 3.3.0.
I set up the ldap settings as described here:
h**ps://help.endian.com/hc/en-us/articles/218144458-SSL-VPN-How-to-Authenticate-VPN-Users-with-Active-Directory

The settings are basically identical with my working installation.

Authenticating a local user works.
Authenticating an AD User does not work. But I receive a "Benutzer nicht gefunden" / "User not found" message.

tail -f /var/log/endian/authentication

2019-06-13 07:47:35,307 - authentication[2703] - INFO - Endian Authentication Layer startup

Jun 13 08:00:23 endianFWcommunity authentication[2703]: AUTH_STATUS(ACCEPTED) SCOPE(openvpn) USER(localuser) PROVIDER(local)

Jun 13 08:00:36 endianFWcommunity authentication[2703]: AUTH_STATUS(FAILED) SCOPE(openvpn) USER(testvpn) REASON(Benutzer nicht gefunden)

The openvpn.log shows


Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 TLS: Initial packet from [AF_INET]80.187.111.43:6776 (via [AF_INET]<IP>%eth1), sid=a4552829 55a1cacc
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_VER=2.5_master
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_PLAT=android
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_PROTO=2
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_NCP=2
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_LZ4=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_LZ4v2=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_LZO=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_COMP_STUB=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_COMP_STUBv2=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_TCPNL=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 TLS Auth Error: Auth Username/Password verification failed for peer
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1574', remote='link-mtu 1542'
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Peer Connection Initiated with [AF_INET]80.187.111.53:6776 (via [AF_INET]<IP>%eth1)
Jun 13 09:53:58 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 PUSH: Received control message: 'PUSH_REQUEST'
Jun 13 09:53:58 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Delayed exit in 5 seconds
Jun 13 09:53:58 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Jun 13 09:54:03 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 SIGTERM[soft,delayed-exit] received, client-instance exiting


I can not find more detailed logfiles.
In my old 3.0.5b1 it used openvpn-auth via-file

The 3.3.0 has only openvpn-auth-env and tries to use openvpn-auth-env via-env.

When try openvpn-auth -i on my old machine, and use a wrong password,
I get the same german error "Benutzer nicht gefunden" / "User not found"

The same error, I see in the authentication log on the 3.3.0.

Is there a current manual on how-to get ad authentication with OpenVPN on 3.3.0?
Any ideas?

Greetings

Frank
Logged
Frank0815
Jr. Member
*
Offline Offline

Posts: 5



« Reply #1 on: Thursday 13 June 2019, 06:58:37 pm »

root@endianFWcommunity:/var/efw/openvpn # cat settings

AUTHENTICATION_STACK=ldap,local
CA_FILENAME=cacert.pem
CERT_FILENAME=VPNcert.pem
LDAP_BIND_DN=cn=user,cn=Users,dc=domain,dc=local
LDAP_BIND_PASSWORD=password
LDAP_URI=ldap://1.2.3.4
LDAP_USER_BASEDN=ou=SBSUsers,ou=Users,ou=MyBusiness,dc=domain,dc=local
LDAP_USER_SEARCHFILTER=(&(objectCategory=person)(objectClass=user)(sAMAccountName=%(u)s))
Logged
Frank0815
Jr. Member
*
Offline Offline

Posts: 5



« Reply #2 on: Thursday 13 June 2019, 07:16:33 pm »

I get the same error, if I enter a wrong IP in my settings file and no LDAP Server behind.
So maybe it is not getting to ldap auth or the settings file is ignored?
Logged
Dark-Vex
Sr. Member
****
Offline Offline

Posts: 105


« Reply #3 on: Friday 14 June 2019, 12:30:34 am »

On 3.3 community VPN with LDAP/Active Directory is not supported, the authentication backend is changed and it's only supported on the enterprise version.
Logged
Frank0815
Jr. Member
*
Offline Offline

Posts: 5



« Reply #4 on: Friday 14 June 2019, 03:37:29 pm »

Oh my dear.
Which is the latest version, that still supports LDAP VPN?
Logged
Dark-Vex
Sr. Member
****
Offline Offline

Posts: 105


« Reply #5 on: Friday 14 June 2019, 11:07:39 pm »

3.0.5 beta 1 is the last version based on the old platform that support it.
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.078 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com