Estou tentando configurar o OpenVPN com o plugin openvpn-auth-ldap para autorizar usuários via LDAP do Active Directory. Quando eu uso a mesma configuração do servidor sem a opção de plugin e adiciono a configuração do cliente com a chave e o certificado do cliente gerados, a conexão é bem-sucedida, então o problema está no plugin.
servidor.conf:
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn-test/openvpn-auth-ldap.conf"
port 1194
proto tcp
dev tun
keepalive 10 60
topology subnet
server 10.0.2.0 255.255.255.0
tls-server
ca ca.crt
dh dh1024.pem
cert server.crt
key server.key
#crl-verify crl.pem
persist-key
persist-tun
user nobody
group nogroup
verb 3
mute 20
openvpn-auth-ldap.conf:
<LDAP>
URL ldap://dc1.domain:389
TLSEnable no
BindDN cn=bot_auth,cn=Users,dc=domain
Password bot_auth
Timeout 15
FollowReferrals yes
</LDAP>
<Authorization>
BaseDN "cn=Users,dc=domain"
SearchFilter "(sAMAccountName=%u)"
RequireGroup false
# <Group>
# BaseDN "ou=groups,dc=mycompany,dc=local"
# SearchFilter "(|(cn=developers)(cn=artists))"
# MemberAttribute uniqueMember
# </Group>
</Authorization>
O domínio de nível superior no AD é usado por motivos históricos. A configuração analógica está funcionando para Apache 2.2 em mod-authzn-ldap. Usuário e senha estão corretos.
cliente.conf:
remote server_name
port 1194
proto tcp
client
pull
remote-cert-tls server
dev tun
resolv-retry infinite
nobind
ca ca.crt
; with keys - works fine
#cert test.crt
#key test.key
; without keys - by password
auth-user-pass
persist-tun
verb 3
mute 20
No log do servidor há uma string PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-ldap.so '[/usr/lib/openvpn/openvpn-auth-ldap.so] [/etc/openvpn-test/openvpn-auth-ldap.conf]'
que indica que o plugin falhou. Posso telnetar para dc1.domain:389, então isso não é problema de rede/firewall. Mais tarde, o servidor diz TLS Error: TLS object -> incoming plaintext read error TLS handshake failed
- sem plugin, ele tenta fazer a autenticação de chave usual.
registro do servidor:
Tue Nov 22 03:06:20 2011 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 21 2010
Tue Nov 22 03:06:20 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Nov 22 03:06:20 2011 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-ldap.so '[/usr/lib/openvpn/openvpn-auth-ldap.so] [/etc/openvpn-test/openvpn-auth-ldap.conf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
Tue Nov 22 03:06:20 2011 Diffie-Hellman initialized with 1024 bit key
Tue Nov 22 03:06:20 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Tue Nov 22 03:06:20 2011 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Nov 22 03:06:20 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 22 03:06:20 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 22 03:06:20 2011 TLS-Auth MTU parms [ L:1543 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Nov 22 03:06:20 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Nov 22 03:06:20 2011 TUN/TAP device tun1 opened
Tue Nov 22 03:06:20 2011 TUN/TAP TX queue length set to 100
Tue Nov 22 03:06:20 2011 /sbin/ifconfig tun1 10.0.2.1 netmask 255.255.255.0 mtu 1500 broadcast 10.0.2.255
Tue Nov 22 03:06:20 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Nov 22 03:06:20 2011 GID set to nogroup
Tue Nov 22 03:06:20 2011 UID set to nobody
Tue Nov 22 03:06:20 2011 Listening for incoming TCP connection on [undef]
Tue Nov 22 03:06:20 2011 TCPv4_SERVER link local (bound): [undef]
Tue Nov 22 03:06:20 2011 TCPv4_SERVER link remote: [undef]
Tue Nov 22 03:06:20 2011 MULTI: multi_init called, r=256 v=256
Tue Nov 22 03:06:20 2011 IFCONFIG POOL: base=10.0.2.2 size=252
Tue Nov 22 03:06:20 2011 MULTI: TCP INIT maxclients=1024 maxevents=1028
Tue Nov 22 03:06:20 2011 Initialization Sequence Completed
Tue Nov 22 03:07:10 2011 MULTI: multi_create_instance called
Tue Nov 22 03:07:10 2011 Re-using SSL/TLS context
Tue Nov 22 03:07:10 2011 Control Channel MTU parms [ L:1543 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Nov 22 03:07:10 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Nov 22 03:07:10 2011 Local Options hash (VER=V4): 'c413e92e'
Tue Nov 22 03:07:10 2011 Expected Remote Options hash (VER=V4): 'd8421bb0'
Tue Nov 22 03:07:10 2011 TCP connection established with [AF_INET]10.0.0.9:47808
Tue Nov 22 03:07:10 2011 TCPv4_SERVER link local: [undef]
Tue Nov 22 03:07:10 2011 TCPv4_SERVER link remote: [AF_INET]10.0.0.9:47808
Tue Nov 22 03:07:11 2011 10.0.0.9:47808 TLS: Initial packet from [AF_INET]10.0.0.9:47808, sid=a2cd4052 84b47108
Tue Nov 22 03:07:11 2011 10.0.0.9:47808 TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Tue Nov 22 03:07:11 2011 10.0.0.9:47808 TLS Error: TLS object -> incoming plaintext read error
Tue Nov 22 03:07:11 2011 10.0.0.9:47808 TLS Error: TLS handshake failed
Tue Nov 22 03:07:11 2011 10.0.0.9:47808 Fatal TLS error (check_tls_errors_co), restarting
Tue Nov 22 03:07:11 2011 10.0.0.9:47808 SIGUSR1[soft,tls-error] received, client-instance restarting
Tue Nov 22 03:07:11 2011 TCP/UDP: Closing socket
registro do cliente:
Tue Nov 22 03:06:18 2011 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 22 2010
Enter Auth Username:user
Enter Auth Password:
Tue Nov 22 03:06:25 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Nov 22 03:06:25 2011 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Tue Nov 22 03:06:25 2011 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 22 03:06:25 2011 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 22 03:06:25 2011 Control Channel MTU parms [ L:1543 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Nov 22 03:06:25 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Nov 22 03:06:25 2011 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Tue Nov 22 03:06:25 2011 Local Options hash (VER=V4): 'd8421bb0'
Tue Nov 22 03:06:25 2011 Expected Remote Options hash (VER=V4): 'c413e92e'
Tue Nov 22 03:06:25 2011 Attempting to establish TCP connection with [AF_INET]10.0.0.2:1194 [nonblock]
Tue Nov 22 03:06:26 2011 TCP connection established with [AF_INET]10.0.0.2:1194
Tue Nov 22 03:06:26 2011 TCPv4_CLIENT link local: [undef]
Tue Nov 22 03:06:26 2011 TCPv4_CLIENT link remote: [AF_INET]10.0.0.2:1194
Tue Nov 22 03:06:26 2011 TLS: Initial packet from [AF_INET]10.0.0.2:1194, sid=7a3c2a0f bd35bca7
Tue Nov 22 03:06:26 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Nov 22 03:06:26 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/[email protected]
Tue Nov 22 03:06:26 2011 Validating certificate key usage
Tue Nov 22 03:06:26 2011 ++ Certificate has key usage 00a0, expects 00a0
Tue Nov 22 03:06:26 2011 VERIFY KU OK
Tue Nov 22 03:06:26 2011 Validating certificate extended key usage
Tue Nov 22 03:06:26 2011 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Nov 22 03:06:26 2011 VERIFY EKU OK
Tue Nov 22 03:06:26 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/[email protected]
Tue Nov 22 03:06:26 2011 Connection reset, restarting [0]
Tue Nov 22 03:06:26 2011 TCP/UDP: Closing socket
Tue Nov 22 03:06:26 2011 SIGUSR1[soft,connection-reset] received, process restarting
Tue Nov 22 03:06:26 2011 Restart pause, 5 second(s)
^CTue Nov 22 03:06:27 2011 SIGINT[hard,init_instance] received, process exiting
Alguém sabe como obter a conexão openvpn-auth-ldap?
Responder1
Eu encontrei! Esqueci a opção f***g client-cert-not-required
na configuração do servidor.
Se alguém estiver interessado, durante minha pesquisa sobre o que está acontecendo, escrevi um script externo para verificar o usuário através do LDAP. Nenhum openvpn-auth-ldap é necessário, mas você precisa instalar o ldap-utils.
Na configuração do servidor:
script-security 2
auth-user-pass-verify ldap-check-user.sh via-env
ldap-check-user.sh:
#!/bin/bash
bind_dn="cn=<user>,cn=Users,dc=domain,dc=com"
bind_pass="<password>"
host=rserver
port=389
dn=`ldapsearch -x -D "$bind_dn" -w $bind_pass -h $host -p $port -LLL -s sub \
-b "cn=Users,dc=radix-tools" "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$username))" "dn" | cut -d':' -f 2`
if [ $? != 0 ]; then
echo "Error: user $username not found."
exit 1
fi
ldapsearch -x -D "$dn" -w $password -h $host -p $port -LLL -s sub \
-b "cn=Users,dc=domain,dc=com" "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$username))" > /dev/null 2>&1
if [ $? != 0 ]; then
echo "Error: password for $username is incorrect."
exit 1
fi
exit 0
Responder2
Não deveria
BaseDN "cn=Usuários,dc=domínio" e BindDN cn=bot_auth,cn=Usuários,dc=domínio
Ser
BaseDN "cn=Usuários,dc=domínio,dc=local" e BindDN cn=bot_auth,cn=Usuários,dc=domínio,dc=local
Ou dc=com ou qualquer que seja o seu FQDN?