Frank0815
« on: Thursday 13 June 2019, 06:44:38 pm »
Hello everybody,
On my Endian Community FW 3.0.5 beta 1, OpenVPN is configured with AD authentication. For auth-user-pass it uses /usr/bin/openvpn-auth via-file. This works.
I recently installed a test machine with community version 3.3.0. I set up the LDAP settings as described here: h**ps://help.endian.com/hc/en-us/articles/218144458-SSL-VPN-How-to-Authenticate-VPN-Users-with-Active-Directory
The settings are basically identical to my working installation.
Authenticating a local user works. Authenticating an AD user does not work; I receive a "Benutzer nicht gefunden" / "User not found" message.
tail -f /var/log/endian/authentication
2019-06-13 07:47:35,307 - authentication[2703] - INFO - Endian Authentication Layer startup
Jun 13 08:00:23 endianFWcommunity authentication[2703]: AUTH_STATUS(ACCEPTED) SCOPE(openvpn) USER(localuser) PROVIDER(local)
Jun 13 08:00:36 endianFWcommunity authentication[2703]: AUTH_STATUS(FAILED) SCOPE(openvpn) USER(testvpn) REASON(Benutzer nicht gefunden)
The openvpn.log shows:
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 TLS: Initial packet from [AF_INET]80.187.111.43:6776 (via [AF_INET]<IP>%eth1), sid=a4552829 55a1cacc
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_VER=2.5_master
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_PLAT=android
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_PROTO=2
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_NCP=2
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_LZ4=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_LZ4v2=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_LZO=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_COMP_STUB=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_COMP_STUBv2=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_TCPNL=1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.8
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 TLS Auth Error: Auth Username/Password verification failed for peer
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1574', remote='link-mtu 1542'
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Jun 13 09:53:57 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Peer Connection Initiated with [AF_INET]80.187.111.53:6776 (via [AF_INET]<IP>%eth1)
Jun 13 09:53:58 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 PUSH: Received control message: 'PUSH_REQUEST'
Jun 13 09:53:58 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 Delayed exit in 5 seconds
Jun 13 09:53:58 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Jun 13 09:54:03 endianFWcommunity openvpn[21228]: 80.187.111.53:6776 SIGTERM[soft,delayed-exit] received, client-instance exiting
I cannot find more detailed logfiles. My old 3.0.5b1 used openvpn-auth via-file.
The 3.3.0 has only openvpn-auth-env and tries to use openvpn-auth-env via-env.
When I try openvpn-auth -i on my old machine and use a wrong password, I get the same German error "Benutzer nicht gefunden" / "User not found".
I see the same error in the authentication log on the 3.3.0.
Is there a current manual on how to get AD authentication with OpenVPN on 3.3.0? Any ideas?
Greetings
Frank
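An added example, not code from Frank's post or from Endian: a minimal auth-user-pass-verify helper that shows how OpenVPN hands credentials to the script in the two modes named above (via-file and via-env) and how its exit status turns into the "external program exited with error status: 1" line and the AUTH_FAILED message in the log. The `backend` callable and the demo credentials are assumptions standing in for the real AD/LDAP check.

```python
"""Minimal auth-user-pass-verify helper (added example, not Endian's openvpn-auth).
via-file: argv[1] names a temp file, line 1 = username, line 2 = password.
via-env:  credentials arrive in the environment variables 'username' and 'password'.
Exit 0 accepts; any other status makes OpenVPN log "external program exited
with error status" and send AUTH_FAILED to the client.
"""
import os
import sys
from typing import Callable, Mapping, Optional, Sequence, Tuple


def read_credentials(argv: Sequence[str], env: Mapping[str, str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from either mode, or None if neither applies."""
    if "username" in env and "password" in env:          # via-env
        return env["username"], env["password"]
    if len(argv) > 1:                                    # via-file
        try:
            with open(argv[1], encoding="utf-8") as fh:
                lines = fh.read().split("\n")
        except OSError:
            return None
        if len(lines) < 2:
            return None
        return lines[0], lines[1]
    return None


def verify(argv: Sequence[str], env: Mapping[str, str],
           backend: Callable[[str, str], bool]) -> Tuple[int, str]:
    """Return (exit_status, reason). backend(user, pw) stands in for the AD/LDAP bind (assumed)."""
    creds = read_credentials(argv, env)
    if creds is None:
        return 1, "no credentials received (via-file/via-env mismatch?)"
    user, password = creds
    if not user:
        return 1, "empty username"
    if backend(user, password):
        return 0, "accepted"
    return 1, "user not found or wrong password"


if __name__ == "__main__":
    # Constructed stand-in backend; a real script would bind to AD/LDAP here.
    demo_backend = lambda u, p: (u, p) == ("testvpn", "demo-only")
    status, reason = verify(sys.argv, os.environ, demo_backend)
    print("auth " + reason, file=sys.stderr)
    sys.exit(status)
```

A script written for one mode but invoked in the other sees no credentials at all and rejects every login, which is the symptom to rule out first when the log shows only the generic status-1 failure.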