Openvpn 플러그인 openvpn-auth-ldap이 Active Directory에 바인딩되지 않습니다.

tag-icon tag-icon openvpn
Openvpn 플러그인 openvpn-auth-ldap이 Active Directory에 바인딩되지 않습니다.

Active Directory LDAP를 통해 사용자에게 권한을 부여하기 위해 openvpn-auth-ldap 플러그인을 사용하여 OpenVPN을 구성하려고 합니다. 플러그인 옵션 없이 동일한 서버 구성을 사용하고 생성된 클라이언트 키와 인증서로 클라이언트 구성을 추가하면 연결이 성공하므로 플러그인에 문제가 있습니다.

서버.conf:

plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn-test/openvpn-auth-ldap.conf"
port 1194
proto tcp
dev tun
keepalive 10 60
topology subnet
server 10.0.2.0 255.255.255.0
tls-server
ca ca.crt
dh dh1024.pem
cert server.crt
key server.key
#crl-verify crl.pem
persist-key
persist-tun
user nobody
group nogroup
verb 3
mute 20

openvpn-auth-ldap.conf:

<LDAP>
    URL             ldap://dc1.domain:389
    TLSEnable       no
    BindDN          cn=bot_auth,cn=Users,dc=domain
    Password        bot_auth
    Timeout         15
    FollowReferrals yes
</LDAP>

<Authorization>
        BaseDN          "cn=Users,dc=domain"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    false
#        <Group>
#                BaseDN          "ou=groups,dc=mycompany,dc=local"
#                SearchFilter    "(|(cn=developers)(cn=artists))"
#                MemberAttribute uniqueMember
#        </Group>
</Authorization>

AD의 최상위 도메인은 역사적인 이유로 사용됩니다. 아날로그 구성은 mod-authzn-ldap의 Apache 2.2에서 작동합니다. 사용자와 비밀번호가 정확합니다.

클라이언트.conf:

remote server_name
port 1194
proto tcp
client
pull
remote-cert-tls server
dev tun
resolv-retry infinite
nobind
ca ca.crt
; with keys - works fine
#cert test.crt
#key test.key
; without keys - by password
auth-user-pass
persist-tun
verb 3
mute 20

PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-ldap.so '[/usr/lib/openvpn/openvpn-auth-ldap.so] [/etc/openvpn-test/openvpn-auth-ldap.conf]'서버 로그에는 해당 플러그인이 실패했음을 나타내는 문자열이 있습니다 . dc1.domain:389에 텔넷으로 연결할 수 있으므로 이는 네트워크/방화벽 문제가 아닙니다. 나중에 서버에 따르면 TLS Error: TLS object -> incoming plaintext read error TLS handshake failed플러그인 없이는 사용 키 인증을 시도합니다.

서버 로그:

Tue Nov 22 03:06:20 2011 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 21 2010
Tue Nov 22 03:06:20 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Nov 22 03:06:20 2011 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-ldap.so '[/usr/lib/openvpn/openvpn-auth-ldap.so] [/etc/openvpn-test/openvpn-auth-ldap.conf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
Tue Nov 22 03:06:20 2011 Diffie-Hellman initialized with 1024 bit key
Tue Nov 22 03:06:20 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue Nov 22 03:06:20 2011 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Nov 22 03:06:20 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 22 03:06:20 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 22 03:06:20 2011 TLS-Auth MTU parms [ L:1543 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Nov 22 03:06:20 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Nov 22 03:06:20 2011 TUN/TAP device tun1 opened
Tue Nov 22 03:06:20 2011 TUN/TAP TX queue length set to 100
Tue Nov 22 03:06:20 2011 /sbin/ifconfig tun1 10.0.2.1 netmask 255.255.255.0 mtu 1500 broadcast 10.0.2.255
Tue Nov 22 03:06:20 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Nov 22 03:06:20 2011 GID set to nogroup
Tue Nov 22 03:06:20 2011 UID set to nobody
Tue Nov 22 03:06:20 2011 Listening for incoming TCP connection on [undef]
Tue Nov 22 03:06:20 2011 TCPv4_SERVER link local (bound): [undef]
Tue Nov 22 03:06:20 2011 TCPv4_SERVER link remote: [undef]
Tue Nov 22 03:06:20 2011 MULTI: multi_init called, r=256 v=256
Tue Nov 22 03:06:20 2011 IFCONFIG POOL: base=10.0.2.2 size=252
Tue Nov 22 03:06:20 2011 MULTI: TCP INIT maxclients=1024 maxevents=1028
Tue Nov 22 03:06:20 2011 Initialization Sequence Completed
Tue Nov 22 03:07:10 2011 MULTI: multi_create_instance called
Tue Nov 22 03:07:10 2011 Re-using SSL/TLS context
Tue Nov 22 03:07:10 2011 Control Channel MTU parms [ L:1543 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Nov 22 03:07:10 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Nov 22 03:07:10 2011 Local Options hash (VER=V4): 'c413e92e'
Tue Nov 22 03:07:10 2011 Expected Remote Options hash (VER=V4): 'd8421bb0'
Tue Nov 22 03:07:10 2011 TCP connection established with [AF_INET]10.0.0.9:47808
Tue Nov 22 03:07:10 2011 TCPv4_SERVER link local: [undef]
Tue Nov 22 03:07:10 2011 TCPv4_SERVER link remote: [AF_INET]10.0.0.9:47808
Tue Nov 22 03:07:11 2011 10.0.0.9:47808 TLS: Initial packet from [AF_INET]10.0.0.9:47808, sid=a2cd4052 84b47108
Tue Nov 22 03:07:11 2011 10.0.0.9:47808 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Tue Nov 22 03:07:11 2011 10.0.0.9:47808 TLS Error: TLS object -> incoming plaintext read error
Tue Nov 22 03:07:11 2011 10.0.0.9:47808 TLS Error: TLS handshake failed
Tue Nov 22 03:07:11 2011 10.0.0.9:47808 Fatal TLS error (check_tls_errors_co), restarting
Tue Nov 22 03:07:11 2011 10.0.0.9:47808 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Nov 22 03:07:11 2011 TCP/UDP: Closing socket

클라이언트 로그:

Tue Nov 22 03:06:18 2011 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 22 2010
Enter Auth Username:user
Enter Auth Password:
Tue Nov 22 03:06:25 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Nov 22 03:06:25 2011 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Nov 22 03:06:25 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 22 03:06:25 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 22 03:06:25 2011 Control Channel MTU parms [ L:1543 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Nov 22 03:06:25 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Nov 22 03:06:25 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Nov 22 03:06:25 2011 Local Options hash (VER=V4): 'd8421bb0'
Tue Nov 22 03:06:25 2011 Expected Remote Options hash (VER=V4): 'c413e92e'
Tue Nov 22 03:06:25 2011 Attempting to establish TCP connection with [AF_INET]10.0.0.2:1194 [nonblock]
Tue Nov 22 03:06:26 2011 TCP connection established with [AF_INET]10.0.0.2:1194
Tue Nov 22 03:06:26 2011 TCPv4_CLIENT link local: [undef]
Tue Nov 22 03:06:26 2011 TCPv4_CLIENT link remote: [AF_INET]10.0.0.2:1194
Tue Nov 22 03:06:26 2011 TLS: Initial packet from [AF_INET]10.0.0.2:1194, sid=7a3c2a0f bd35bca7
Tue Nov 22 03:06:26 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Nov 22 03:06:26 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/[email protected]
Tue Nov 22 03:06:26 2011 Validating certificate key usage
Tue Nov 22 03:06:26 2011 ++ Certificate has key usage  00a0, expects 00a0
Tue Nov 22 03:06:26 2011 VERIFY KU OK
Tue Nov 22 03:06:26 2011 Validating certificate extended key usage
Tue Nov 22 03:06:26 2011 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Nov 22 03:06:26 2011 VERIFY EKU OK
Tue Nov 22 03:06:26 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/[email protected]
Tue Nov 22 03:06:26 2011 Connection reset, restarting [0]
Tue Nov 22 03:06:26 2011 TCP/UDP: Closing socket
Tue Nov 22 03:06:26 2011 SIGUSR1[soft,connection-reset] received, process restarting
Tue Nov 22 03:06:26 2011 Restart pause, 5 second(s)
^CTue Nov 22 03:06:27 2011 SIGINT[hard,init_instance] received, process exiting

openvpn-auth-ldap 연결 방법을 아는 사람이 있나요?

답변1

찾았어요! client-cert-not-required서버 구성에서 f***g 옵션을 잊어버렸습니다 .

누군가 관심이 있다면 무슨 일이 일어나고 있는지 조사하는 동안 LDAP를 통해 사용자를 확인하기 위해 외부 스크립트를 작성했습니다. openvpn-auth-ldap은 필요하지 않지만 ldap-utils를 설치해야 합니다.

서버 구성에서:

script-security 2
auth-user-pass-verify ldap-check-user.sh via-env

LDAP-체크-user.sh:

#!/bin/bash

bind_dn="cn=<user>,cn=Users,dc=domain,dc=com"
bind_pass="<password>"
host=rserver
port=389

dn=`ldapsearch -x -D "$bind_dn" -w $bind_pass -h $host -p $port -LLL -s sub \
-b "cn=Users,dc=radix-tools" "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$username))" "dn" | cut -d':' -f 2`

if [ $? != 0 ]; then
        echo "Error: user $username not found."
        exit 1
fi

ldapsearch -x -D "$dn" -w $password -h $host -p $port -LLL -s sub \
-b "cn=Users,dc=domain,dc=com" "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$username))" > /dev/null 2>&1

if [ $? != 0 ]; then
        echo "Error: password for $username is incorrect."
        exit 1
fi

exit 0

답변2

하지 말아야 할 것

BaseDN "cn=Users,dc=도메인" 및 BindDN cn=bot_auth,cn=Users,dc=도메인

BE

BaseDN "cn=사용자,dc=도메인,dc=로컬" 및 BindDN cn=bot_auth,cn=Users,dc=도메인,dc=로컬

아니면 dc=com 또는 FQDN이 무엇인가요?

관련 정보