
openvpn-auth-ldap's Introduction

INTRODUCTION

The openvpn-auth-ldap plugin implements username/password authentication via
LDAP.

You may send patches, bug reports, and complaints to:
	[email protected]

REQUIREMENTS

* OpenLDAP Headers & Library
* GNU Objective-C Compiler
* OpenVPN Plugin Header (included with the OpenVPN sources)
* re2c (http://www.re2c.org)

BUILD

To build, you will need to configure the sources appropriately. Example:
	./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/usr/ports/security/openvpn/work/openvpn-2.0.2

The module will be built in src/openvpn-auth-ldap.so and installed as
${prefix}/lib/openvpn-auth-ldap.so.

USAGE

Add the following to your OpenVPN configuration file (adjusting
the plugin path as required):

	plugin /usr/local/lib/openvpn-auth-ldap.so "<config>"

The config directive must point to an auth-ldap configuration file.
An example is provided with the distribution.

CAVEATS

This plugin only works with the OpenLDAP libraries.

openvpn-auth-ldap's Issues

r1379 self-test failures

What steps will reproduce the problem?
1. Build auth-ldap from r1379 SVN and against openvpn 2.3.6, with patches from 
Issue #43.
2. run tests/tests

What is the expected output? What do you see instead?
Self-tests should pass. Instead, these are failures:
[mandree@apollo ~/VCS-other/openvpn-auth-ldap.svn]$ tests/tests 2>&1 | grep 
failed
Test case -[TRLDAPAccountRepositoryTests test_initWithLDAPConnection] 
(TRLDAPAccountRepositoryTests.m:57) failed with error: 'config == 
((id)((void*)0))' should be false. Legacy assertion 'config == nil' failed
Test case -[TRAuthLDAPConfigTests test_initWithConfigFile] 
(TRAuthLDAPConfigTests.m:60) failed with error: 'config == ((void *)0)' should 
be false. Legacy assertion 'config == NULL' failed
Test case -[TRAuthLDAPConfigTests test_initWithMissingTrailingNewline] 
(TRAuthLDAPConfigTests.m:122) failed with error: 'config == ((void *)0)' should 
be false. Legacy assertion 'config == NULL' failed
Test case -[TRLDAPConnectionTests testInit] (TRLDAPConnectionTests.m:62) failed 
with error: 'config == ((void *)0)' should be false. Legacy assertion 'config 
== NULL' failed
Test case -[TRConfigLexerTests testParse] (TRConfigLexerTests.m:65) failed with 
error: 'configFD == -1' should be false. Legacy assertion 'configFD == -1' 
failed
Test case -[TRConfigTests testInitWithFD] (TRConfigTests.m:94) failed with 
error: 'configFD == -1' should be false. Legacy assertion 'configFD == -1' 
failed


What version of the product are you using? On what operating system?
SVN r1379 on FreeBSD 9.3-RELEASE, amd64, with libobjc2 (which is a new 
GNU-compatible and clang-compatible ObjC runtime) and openldap-client-2.4.40_1


Original issue reported on code.google.com by [email protected] on 5 Jan 2015 at 11:36

Parse error if BindDN has spaces

Trying to bind to company ldap with this kind of ldap.conf:

<LDAP>
  URL ldap://ldap.example.com:389
  BindDN cn=Company DirManager,dc=example,dc=com
  Password password
  Timeout 15
  TLSEnable no
  FollowReferrals no
  TLSCACertFile /usr/local/etc/ssl/ca.pem
  TLSCACertDir /etc/ssl/certs
  TLSCertFile /usr/local/etc/ssl/client-cert.pem
  TLSKeyFile /usr/local/etc/ssl/client-key.pem
</LDAP>

<Authorization>
  BaseDN dc=example,dc=com
  SearchFilter "(&(sAMAccountName=%u))"
  RequireGroup false

</Authorization>

openvpn-auth-ldap fails to bind to ldap and gives error message:
"A parse error occured while attempting to comprehend DirManager, on line 3"


Operating system is Ubuntu 12.04 LTS server and OpenVPN version: 2.2.1.

Original issue reported on code.google.com by [email protected] on 25 Apr 2014 at 3:52

Invalid parameter LDAP

Hi,

This is syslog error I get during OpenVPN start:

ovpn-ldap[5643]: Options error: Unrecognized option or missing parameter(s) in 
/etc/openvpn/ldap.conf:1: LDAP (2.2.1)

The first line of /etc/openvpn/ldap.conf contains <LDAP>

If I turn the plugin off - everything works fine.

Environment :

openvpn: 2.2.1-8+deb7u2
openvpn-auth-ldap: 2.0.3-5.1
OS : Debian 7.7

Plugin was installed using common installer - "aptitude install 
openvpn-auth-ldap" and "aptitude install openvpn"

Original issue reported on code.google.com by [email protected] on 29 Oct 2014 at 5:39

[PATCH] RFC2307 group support

What steps will reproduce the problem?

testplugin /etc/openvpn/rusers.auth
Username: shin.andrey
Password: 
Authorization Failed!
No matching LDAP group found for user DN
"cn=shin.andrey,ou=users,dc=XXX,dc=local", and group membership is required.
client-connect failed!
No matching LDAP group found for user DN
"cn=shin.andrey,ou=users,dc=XXX,dc=local", and group membership is required.
client-disconnect failed!

What is the expected output? What do you see instead?

I see that the authorization was successful, but I get that failure

What version of the product are you using? On what operating system?

OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Feb 20 2008
auth-ldap-2.0.3
DISTRIB_DESCRIPTION="Ubuntu 8.04"
Linux dir 2.6.24-16-server

Please provide any additional information below.

<LDAP> 
        URL             ldap://dir   
        BindDN          cn=admin,dc=XXX,dc=local      
        Password        pass
        Timeout         15
</LDAP>
<Authorization>    
        BaseDN          "dc=XXX,dc=local"     
        SearchFilter     "(&(objectClass=posixAccount)(cn=%u))"   
        RequireGroup    true      
        <Group>
                BaseDN              "ou=groups,dc=XXX,dc=local"
                SearchFilter        "(cn=Jabber)"
                MemberAttribute     memberUid       
        </Group>
</Authorization>

ldapsearch -x -b "ou=groups,dc=XXX,dc=local" -D "cn=admin,dc=XXX,dc=local"
-W "(&(cn=Jabber)(memberUid=shin.andrey))"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=groups,dc=XXX,dc=local> with scope subtree
# filter: (&(cn=Jabber)(memberUid=shin.andrey))
# requesting: ALL
#

# Jabber, groups, XXX.local
dn: cn=Jabber,ou=groups,dc=XXX,dc=local
objectClass: posixGroup
objectClass: top
cn: Jabber
gidNumber: 1006
memberUid: shin.andrey

Original issue reported on code.google.com by [email protected] on 6 Dec 2008 at 9:34

LDAPS auth against AD

What steps will reproduce the problem?
1. If I try to run /testplugin /etc/openvpn/ldapconf/auth-ldap.conf, using the 
URL     ldap://192.168.3.25 config, it works
2. If I run it with URL     ldaps://192.168.3.25, it doesn't work

192.168.3.25 is a domain controller with ldap and ldaps ports open.  We have 
servers that authenticate against this host using ldaps.

What is the expected output? What do you see instead?
When using LDAP:
Authorization Succeed!
client-connect succeed!
client-disconnect succeed!

LDAP bind failed immediately: Can't contact LDAP server ((unknown error code))
Unable to bind as [email protected]
LDAP connect failed.
Authorization Failed!

What version of the product are you using? On what operating system?

I'm using auth-ldap-2.0.3 on Ubuntu 10.10 server

Please provide any additional information below.

#auth-ldap.conf 

<LDAP>
    # LDAP server URL
    URL     ldaps://192.168.3.25

    # Bind DN (If your LDAP server doesn't support anonymous binds)
    # BindDN        uid=Manager,ou=People,dc=example,dc=com
    BindDN          [email protected]

    # Bind Password
    # Password  SecretPassword
    Password    SomePassword    

    # Network timeout (in seconds)
    Timeout     15

    # Enable Start TLS
    TLSEnable   yes

    # Follow LDAP Referrals (anonymously)
    FollowReferrals yes

    # TLS CA Certificate File
    #TLSCACertFile  /usr/local/etc/ssl/ca.pem

    # TLS CA Certificate Directory
    #TLSCACertDir   /etc/ssl/certs

    # Client Certificate and key
    # If TLS client authentication is required
    #TLSCertFile    /usr/local/etc/ssl/client-cert.pem
    #TLSKeyFile /usr/local/etc/ssl/client-key.pem

    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite    ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN
    BaseDN      OU=SBSUsers,OU=Users,OU=MyBusiness,DC=XXX,DC=YYY

    # User Search Filter
    SearchFilter    "(SAMAccountName=%u)"

    # Require Group Membership
    RequireGroup    false

Original issue reported on code.google.com by [email protected] on 16 May 2012 at 10:26

sends password in cleartext before STARTTLS when binding

What steps will reproduce the problem?
1. Configure openldap-auth-ldap to connect to an LDAP server with TLS enabled
2. Connect to openvpn
3. Run tcpdump -A -s 0 -n -i br0 port 389 on the ldap server 

You will see that the bind-DN and password are transmitted in cleartext.

What is the expected output? What do you see instead?

The plugin sends the bind-DN and password in cleartext. The plugin should not 
bind to a TLS-enabled LDAP server until STARTTLS is issued. 

What version of the product are you using? On what operating system?

2.0.3 on Debian squeeze

Please provide any additional information below.

This bug is listed on the Debian bug tracker, and someone has posted a patch 
that fixes the problem: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610339

Original issue reported on code.google.com by [email protected] on 30 Sep 2011 at 11:16

  • Merged into: #19

PATCH: fix assert() failure if config file does not end in a LF

What steps will reproduce the problem?
1. create a configuration file that lacks the trailing EOL character (LF)
2. src/testplugin this-testconfigfile-without-LF
3. see assert() abort the code with:

Assertion failed: (_limit - _cursor >= 0), function -[TRConfigLexer fill:], 
file TRConfigLexer.re, line 117.

Reference to FreeBSD bugtracker: 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190497

What is the expected output? What do you see instead?

The expected output is that the configuration is parsed properly.

What version of the product are you using? On what operating system?

SVN r1379, FreeBSD 9.3/10.1.

Please provide any additional information below.

The attached patch fixes this problem by simplifying EOI detection and making 
it robust (rather than relying on the sentinel character).

Note that TRLocalPacketFilter.m requires two #import statements:

#import "TRLog.h"
#import "xmalloc.h"

Original issue reported on code.google.com by [email protected] on 19 Jan 2015 at 8:44

openVPN authentication through openLDAP

What steps will reproduce the problem?
1. ./configure --prefix=/usr/local --with-openldap=/usr/local --with-
openvpn=/usr/ports/security/openvpn/work/openvpn-2.0.2

What is the expected output? What do you see instead?
configure: error: Could not locate a working OpenLDAP library installation. Try 
--with-
openldap=
See `config.log' for more details.

What version of the product are you using? On what operating system?
auth-ldap configure 2.0 Ubuntu Server

Please provide any additional information below.
Here's my config.log:
this file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by auth-ldap configure 2.0, which was
generated by GNU Autoconf 2.60. Invocation command line was

$ ./configure --prefix=/usr/local --with-openldap=/usr/local --with-
openvpn=/usr/ports/security/openvpn/work/openvpn-2.0.2

## --------- ##
## Platform. ##
## --------- ##

hostname = ldapsrv1.csaa.local
uname -m = i686
uname -r = 2.6.24-23-server
uname -s = Linux
uname -v = #1 SMP Thu Nov 27 19:19:15 UTC 2008

/usr/bin/uname -p = unknown
/bin/uname -X = unknown

/bin/arch = unknown
/usr/bin/arch -k = unknown
/usr/convex/getsysinfo = unknown
/usr/bin/hostinfo = unknown
/bin/machine = unknown
/usr/bin/oslevel = unknown
/bin/universe = unknown

PATH: /usr/local/sbin
PATH: /usr/local/bin
PATH: /usr/sbin
PATH: /usr/bin
PATH: /sbin
PATH: /bin
PATH: /usr/games


## ----------- ##
## Core tests. ##
## ----------- ##

configure:1781: checking build system type
configure:1799: result: i686-pc-linux-gnu
configure:1821: checking host system type
configure:1836: result: i686-pc-linux-gnu
configure:1858: checking target system type
configure:1873: result: i686-pc-linux-gnu
configure:1951: checking for gcc
"config.log" 688L, 22406C
configure:2426: result:
configure:2432: checking for suffix of object files
configure:2458: gcc -c conftest.c >&5
configure:2461: $? = 0
configure:2484: result: o
configure:2488: checking whether we are using the GNU C compiler
configure:2517: gcc -c conftest.c >&5
configure:2523: $? = 0
configure:2530: test -z "$ac_c_werror_flag" || test ! -s conftest.err
configure:2533: $? = 0
configure:2540: test -s conftest.o
configure:2543: $? = 0
configure:2557: result: yes
configure:2562: checking whether gcc accepts -g
configure:2592: gcc -c -g conftest.c >&5
configure:2598: $? = 0
configure:2605: test -z "$ac_c_werror_flag" || test ! -s conftest.err
configure:2608: $? = 0
configure:2615: test -s conftest.o
configure:2618: $? = 0
configure:2748: result: yes
configure:2765: checking for gcc option to accept ISO C89
configure:2839: gcc -c -g -O2 conftest.c >&5
configure:2845: $? = 0
configure:2852: test -z "$ac_c_werror_flag" || test ! -s conftest.err
configure:2855: $? = 0
configure:2862: test -s conftest.o
configure:2865: $? = 0
configure:2885: result: none needed
configure:2957: checking for gcc
configure:2973: found /usr/bin/gcc
configure:2984: result: gcc
configure:3014: checking for Objective C compiler version
configure:3017: gcc --version </dev/null >&5
gcc (GCC) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

configure:3020: $? = 0
configure:3022: gcc -v </dev/null >&5
Using built-in specs.
Target: i486-linux-gnu
Configured with: ../src/configure -v 
--enable-languages=c,c++,fortran,objc,obj-c++,treelang 
--prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib 
--without-
included-gettext --enable-threads=posix --enable-nls --with-gxx-include-
dir=/usr/include/c++/4.2 --program-suffix=-4.2 --enable-clocale=gnu 
--enable-libstdcxx-
debug --enable-objc-gc --enable-mpfr --enable-targets=all 
--enable-checking=release --
build=i486-linux-gnu --host=i486-linux-gnu --target=i486-linux-gnu
Thread model: posix
gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)
configure:3025: $? = 0
configure:3027: gcc -V </dev/null >&5
gcc: '-V' option must have argument
configure:3030: $? = 1
configure:3033: checking whether we are using the GNU Objective C compiler
configure:3062: gcc -c conftest.m >&5
gcc: error trying to exec 'cc1obj': execvp: No such file or directory
configure:3068: $? = 1
configure: failed program was:
| /* confdefs.h. */
| #define PACKAGE_NAME "auth-ldap"
| #define PACKAGE_TARNAME "auth-ldap"
| #define PACKAGE_VERSION "2.0"
| #define PACKAGE_STRING "auth-ldap 2.0"
| #define PACKAGE_BUGREPORT "[email protected]"
| /* end confdefs.h. */
|
| int
| main ()
| {
| #ifndef __GNUC__
| choke me
| #endif
|
| ;
| return 0;
| }
configure:3102: result: no
configure:3108: checking whether gcc accepts -x objective-c
configure:3134: gcc -c -x objective-c conftest.m >&5
gcc: error trying to exec 'cc1obj': execvp: No such file or directory
configure:3140: $? = 1
configure: failed program was:
| /* confdefs.h. */
| #define PACKAGE_NAME "auth-ldap"
| #define PACKAGE_TARNAME "auth-ldap"
| #define PACKAGE_VERSION "2.0"
| #define PACKAGE_STRING "auth-ldap 2.0"
| #define PACKAGE_BUGREPORT "[email protected]"
| /* end confdefs.h. */
|
| int
| main ()
| {
|
| ;
| return 0;

Original issue reported on code.google.com by [email protected] on 16 Oct 2009 at 4:10

Problem with LDAPS

What steps will reproduce the problem?
1. Setup openldap server that has just ldaps:/ access
2. Set options TLSCACertFile to point to the CA root certificate
3. openvpn-auth-ldap will not be able to connect to the ldap server 
because it will do a bind before setting the TLS parameters.

What is the expected output? What do you see instead?
Anyways I guess it is better to set up the TLS transport and do the bind
afterwards. The other issue is that the option TLSEnable should be called 
TLSstart or something. URL ldaps:// together with the option TLSEnable 
will report an error.

What version of the product are you using? On what operating system?
OS: FreeBSD 7.0, openvpn-auth-ldap: 2.0.3


Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 27 Aug 2008 at 5:31

two and a half patches to fix build issues in r1379 on FreeBSD

What steps will reproduce the problem?
Try to build SVN checkout from trunk r1379 on FreeBSD

What is the expected output? What do you see instead?
Expected: build
Result: build errors about undefined TRLog* symbols or va_list symbols, or 
building tests/tests, about undefined linker symbols.

The three attached patches fix the problem, and the src/* patches seem obvious 
enough.

NOTE the patch-tests_Makefile.in adding -lcheck to LIBS in tests/Makefile.in is 
a crude hack and should be replaced by the older @CHECK_LIBS@ code that used to 
be in release 2.0.3 but has been removed post release, or by other decent code.

Original issue reported on code.google.com by [email protected] on 5 Jan 2015 at 11:31

Incorrect authentication with pfsense+openvpn & ldap

I have observed some strange behavior with pfsense+openvpn & ldap 
authentication.

Setup
-------
- My setup has pfsense 1.2.3 (& openvpn bundled with it) & OpenDS 2.2 as ldap 
provider. 
- In ldap, I have base DN as "dc=baseorg,dc=com".
- There are two sub domains - "dc=orgone,dc=baseorg,dc=com", 
"dc=orgtwo,dc=baseorg,dc=com".
- Theres a user in each subdomain called "testuser".
- BaseDN in authorization section of the config is set to "dc=baseorg,dc=com".
- RequireGroup is set to false

Behavior - 1 
---------------
Test: If I try to authenticate with [email protected]
Expected Behavior - Ideally auth should fail as the user belongs to one of the 
sub-domains.
Actual Behavior - User gets authenticated successfully.
Question - Is this an expected behavior?


Behavior - 2
---------------
Test: If I try to authenticate with junk values [email protected]
Expected Behavior - Ideally auth should fail with an error message for 
incorrect username or domain.
Actual Behavior - A line in openvpn log - Incorrect password supplied for LDAP 
DN "cn=testuser,dc=orgtwo,dc=baseorg,dc=com".
Question - How come "cn=testuser,dc=orgtwo,dc=baseorg,dc=com" is referred when 
the values are junk?

Original issue reported on code.google.com by [email protected] on 26 Nov 2010 at 5:15

Configuration Issue

Hello,

How can I configure this plugin when I have multiple OUs with users?

->OU1
-->OU2
-->OU3
--->OU4
->OU5

I've created a group named "VPN-Users" that the users are in. How do I
configure the conf file?

Thanks in advance.
Nico


Original issue reported on code.google.com by [email protected] on 15 Aug 2011 at 2:38

Installation Problem

I have Debian; I installed OpenVPN from sources.
I am installing the LDAP plugin and I have this problem:
0.9ter:/usr/share/openvpn/auth-ldap-2.0.3# ./configure --with-openvpn
openvpn-2.0
configure: WARNING: you should use --build, --host, --target
checking build system type... Invalid configuration `openvpn-2.0.9':
machine `openvpn' not recognized
configure: error: /bin/sh ./config.sub openvpn-2.0.9 failed

Original issue reported on code.google.com by [email protected] on 16 Jun 2008 at 4:17

openldap-auth-ldap unable to find user

What version of the product are you using? On what operating system?
FreeBSD 8.0
openldap 2.4.21
openvpn 2.1.1
openvpn-auth-ldap-2.0.3

Please provide any additional information below.

I am unable to get openvpn to authenticate against an OpenLDAP server that 
does not allow anonymous binds to search for uids. Below are logs from an 
auth via lighttpd and from openvpn.
You can see that lighttpd binds using its service account, checks the 
account object exists, and then attempts a bind using the discovered DN 
for the user.
Openvpn-auth-ldap however appears to bind using the service account and 
then to rebind as anonymous: AUTHZ anonymous. This then means it cannot 
find the user that is connecting and so it fails.


Lighttpd
========
slapd[80287]: conn=1003 fd=13 ACCEPT from IP=10.0.9.2:58061 
(IP=10.0.9.2:389)
slapd[80287]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[80287]: conn=1003 op=0 STARTTLS
slapd[80287]: conn=1003 op=0 RESULT oid= err=0 text=
slapd[80287]: conn=1003 fd=13 TLS established tls_ssf=256 ssf=256
slapd[80287]: conn=1003 op=1 BIND 
dn="uid=lighttpd,ou=services,dc=tector,dc=org,dc=uk" method=128
slapd[80287]: conn=1003 op=1 BIND 
dn="uid=lighttpd,ou=services,dc=tector,dc=org,dc=uk" mech=SIMPLE ssf=0
slapd[80287]: conn=1003 op=1 RESULT tag=97 err=0 text=
slapd[80287]: conn=1003 op=2 SRCH base="ou=users,dc=tector,dc=org,dc=uk" 
scope=2 deref=0 filter="(uid=richard)"
slapd[80287]: conn=1003 op=2 SRCH attr=1.1
slapd[80287]: conn=1003 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[80287]: conn=1004 fd=16 ACCEPT from IP=10.0.9.2:13430 
(IP=10.0.9.2:389)
slapd[80287]: conn=1004 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[80287]: conn=1004 op=0 STARTTLS
slapd[80287]: conn=1004 op=0 RESULT oid= err=0 text=
slapd[80287]: conn=1004 fd=16 TLS established tls_ssf=256 ssf=256
slapd[80287]: conn=1004 op=1 BIND 
dn="uid=richard,ou=users,dc=tector,dc=org,dc=uk" method=128
slapd[80287]: conn=1004 op=1 BIND 
dn="uid=richard,ou=users,dc=tector,dc=org,dc=uk" mech=SIMPLE ssf=0
slapd[80287]: conn=1004 op=1 RESULT tag=97 err=0 text=
slapd[80287]: conn=1004 op=2 UNBIND
slapd[80287]: conn=1004 fd=16 closed


Openvpn-auth-ldap
=================
slapd[80287]: conn=1045 fd=13 ACCEPT from IP=10.0.9.2:43556 
(IP=10.0.9.2:389)
slapd[80287]: conn=1045 op=0 BIND 
dn="uid=openvpn,ou=services,dc=tector,dc=org,dc=uk" method=128
slapd[80287]: conn=1045 op=0 BIND 
dn="uid=openvpn,ou=services,dc=tector,dc=org,dc=uk" mech=SIMPLE ssf=0
slapd[80287]: conn=1045 op=0 RESULT tag=97 err=0 text=
slapd[80287]: conn=1045 op=1 EXT oid=1.3.6.1.4.1.1466.20037
slapd[80287]: conn=1045 op=1 STARTTLS
slapd[80287]: conn=1045 op=1 AUTHZ anonymous mech=starttls ssf=0
slapd[80287]: conn=1045 op=1 RESULT oid= err=0 text=
slapd[80287]: conn=1045 fd=13 TLS established tls_ssf=256 ssf=256
slapd[80287]: conn=1045 op=2 SRCH base="ou=users,dc=tector,dc=org,dc=uk" 
scope=2 deref=0 filter="(uid=richard)"
slapd[80287]: conn=1045 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd[80287]: conn=1045 op=3 UNBIND
slapd[80287]: conn=1045 fd=13 closed

Original issue reported on code.google.com by [email protected] on 29 Mar 2010 at 12:51

recursive search active directory

Hello to all.


We have an AD with different OUs

For example :

IT
Finance

Inside these OUs are users; is the plugin able to search recursively in
those OUs?

BR

Original issue reported on code.google.com by [email protected] on 5 Nov 2009 at 11:41

openldap integration with Openvpn

What steps will reproduce the problem?
1. configured the openvpn 
2. configured the openldap
3. stuck with integrating these two with open-auth-ldap.conf;
   not sure how to proceed

What is the expected output? What do you see instead?
as such no output

What version of the product are you using? On what operating system?

Ubuntu 8.04 LTS Server

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 21 Aug 2009 at 1:48

auth-ldap - problem connecting to server

What steps will reproduce the problem?
1. at my windows client, right click on client.ovpn
2. start openvpn on this config file
3. insert user and pass

What is the expected output? What do you see instead?
I see: No remote address supplied to OpenVPN LDAP Plugin
(OPENVPN_PLUGIN_CLIENT_CONNECT).
Instead of: Connected.

What version of the product are you using? On what operating system?
openvpn 2.0.9 and auth-ldap-2.0.3 in FreeBSD 6.2

Please provide any additional information below.
When i try to connect with my openvpn windows client i get this on my log
of openvpn server:

Fri Aug 22 05:33:46 2008 us=707255 MULTI: multi_create_instance called
Fri Aug 22 05:33:46 2008 us=707378 172.16.0.12:4901 Re-using SSL/TLS context
Fri Aug 22 05:33:46 2008 us=707629 172.16.0.12:4901 Control Channel MTU
parms [ L:1577 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Aug 22 05:33:46 2008 us=707678 172.16.0.12:4901 Data Channel MTU parms
[ L:1577 D:1300 EF:45 EB:4 ET:32 EL:0 ]
Fri Aug 22 05:33:46 2008 us=707771 172.16.0.12:4901 Fragmentation MTU parms
[ L:1577 D:1300 EF:45 EB:4 ET:32 EL:0 ]
Fri Aug 22 05:33:46 2008 us=707863 172.16.0.12:4901 Local Options String:
'V4,dev-type tap,link-mtu 1577,tun-mtu 1532,proto UDPv4,mtu-dynamic,cipher
BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Aug 22 05:33:46 2008 us=707957 172.16.0.12:4901 Expected Remote Options
String: 'V4,dev-type tap,link-mtu 1577,tun-mtu 1532,proto
UDPv4,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Aug 22 05:33:46 2008 us=708019 172.16.0.12:4901 Local Options hash
(VER=V4): '002d8bc3'
Fri Aug 22 05:33:46 2008 us=708116 172.16.0.12:4901 Expected Remote Options
hash (VER=V4): 'cb29316b'
Fri Aug 22 05:33:46 2008 us=708214 172.16.0.12:4901 TLS: Initial packet
from 172.16.0.12:4901, sid=84f43e9e dccd5cf2
Fri Aug 22 05:33:46 2008 us=788470 172.16.0.12:4901 VERIFY OK: depth=1,
/C=PT/ST=LX/L=LISBOA/O=P_P/OU=IF/CN=syndrome.onsite.pt/emailAddress=pedro@pessoa
seprocessos.com
Fri Aug 22 05:33:46 2008 us=788834 172.16.0.12:4901 VERIFY OK: depth=0,
/C=PT/ST=LX/O=P_P/OU=IF/CN=syndrome.onsite.pt/emailAddress=pedro@pessoaseprocess
os.com
Fri Aug 22 05:33:46 2008 us=804979 172.16.0.12:4901 PLUGIN_CALL: POST
/usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Fri Aug 22 05:33:46 2008 us=805218 172.16.0.12:4901 TLS: Username/Password
authentication succeeded for username 'pedro'
Fri Aug 22 05:33:46 2008 us=805773 172.16.0.12:4901 Data Channel Encrypt:
Cipher 'BF-CBC' initialized with 128 bit key
Fri Aug 22 05:33:46 2008 us=805850 172.16.0.12:4901 Data Channel Encrypt:
Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 22 05:33:46 2008 us=806047 172.16.0.12:4901 Data Channel Decrypt:
Cipher 'BF-CBC' initialized with 128 bit key
Fri Aug 22 05:33:46 2008 us=806102 172.16.0.12:4901 Data Channel Decrypt:
Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 22 05:33:46 2008 us=810544 172.16.0.12:4901 Control Channel: TLSv1,
cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Aug 22 05:33:46 2008 us=810621 172.16.0.12:4901 [syndrome.onsite.pt]
Peer Connection Initiated with 172.16.0.12:4901
No remote address supplied to OpenVPN LDAP Plugin
(OPENVPN_PLUGIN_CLIENT_CONNECT).
Fri Aug 22 05:33:46 2008 us=813079 syndrome.onsite.pt/172.16.0.12:4901
PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT
status=1
Fri Aug 22 05:33:46 2008 us=813213 syndrome.onsite.pt/172.16.0.12:4901
PLUGIN_CALL: plugin function PLUGIN_CLIENT_CONNECT failed with status 1:
/usr/local/lib/openvpn-auth-ldap.so
Fri Aug 22 05:33:46 2008 us=813377 syndrome.onsite.pt/172.16.0.12:4901
WARNING: client-connect plugin call failed
Fri Aug 22 05:33:47 2008 us=694000 syndrome.onsite.pt/172.16.0.12:4901
PUSH: Received control message: 'PUSH_REQUEST'
Fri Aug 22 05:33:47 2008 us=694127 syndrome.onsite.pt/172.16.0.12:4901 SENT
CONTROL [syndrome.onsite.pt]: 'AUTH_FAILED' (status=1)
Fri Aug 22 05:33:47 2008 us=694255 syndrome.onsite.pt/172.16.0.12:4901
Delayed exit in 5 seconds

Original issue reported on code.google.com by [email protected] on 22 Aug 2008 at 1:48

RequireGroup does not work as expected

What is the expected output? What do you see instead?

The expected output is for it to work, but it does not.

What version of the product are you using? On what operating system?
auth-ldap-2.0.3. Operating system = Debian 5.0.

Please provide any additional information below :

Here is how the group looks like in ldap :

dn: ou=Group,dc=users,dc=test,dc=loc
ou: Group                             
objectClass: top                      
objectClass: organizationalUnit 

dn: cn=admins,ou=Group,dc=users,dc=test,dc=loc
objectClass: posixGroup                         
objectClass: top                                
cn: admins                                      
gidNumber: 1000                                 
memberUid: username

dn: cn=vpn,ou=Group,dc=users,dc=test,dc=loc
objectClass: posixGroup                      
objectClass: top                             
cn: vpn                                      
gidNumber: 5000    

# Here is the output of the ldap search :

users:/# ldapsearch -D "cn=admin,dc=users,dc=test,dc=loc" -W -x -b
"ou=Group,dc=users,dc=test,dc=loc" "(|(cn=admins)(cn=vpn))" "memberUid"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=Group,dc=users,dc=test,dc=loc> with scope subtree
# filter: (|(cn=admins)(cn=vpn))
# requesting: memberUid
#


dn: cn=admins,ou=Group,dc=users,dc=test,dc=loc
memberUid: username

dn: cn=vpn,ou=Group,dc=users,dc=test,dc=loc

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2


# Here is the result of testplugin :

vpn:/usr/local/src/auth-ldap-2.0.3/src#
/usr/local/src/auth-ldap-2.0.3/src/testplugin /etc/openvpn/ldap.conf
Username: username
Password:
Authorization Failed!
No matching LDAP group found for user DN
"uid=username,ou=People,dc=users,dc=test,dc=loc", and group membership is
required.
client-connect failed!
No matching LDAP group found for user DN
"uid=username,ou=People,dc=users,dc=test,dc=loc", and group membership is
required.
client-disconnect failed!

#####
However, when I set RequireGroup to false in the configuration file, it
DOES WORK. That indicates the LDAP and OpenVPN work just fine. However,
there is a problem with my configuration or a problem with the code itself.
I notice that the search result returns 2 lines and that might be the
problem .. I do not know.
#####

Original issue reported on code.google.com by [email protected] on 10 Mar 2009 at 3:44

  • Merged into: #7
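
Both reports above ("[PATCH] RFC2307 group support" and "RequireGroup does not work as expected") configure a posixGroup with MemberAttribute memberUid and get "No matching LDAP group found for user DN ...". RFC 2307 memberUid holds the member's uid value ("username"), not a DN, so a membership check that only compares the user's DN against the member attribute can never match such a group; member and uniqueMember, by contrast, hold full DNs. The following is an added example, not openvpn-auth-ldap's own code: a membership check that handles both attribute styles, beside the DN-only comparison that reproduces the symptom. The entries are constructed, modelled on the LDIF in the two reports.

```python
"""Group membership check for DN-valued and uid-valued member attributes.

Added example, not openvpn-auth-ldap's own code. Entries are plain dicts
{"dn": ..., "attrs": {name: [values]}}, constructed to resemble the LDIF
in the reports above.
"""

DN_VALUED_ATTRIBUTES = {"member", "uniquemember"}


def normalize_dn(dn):
    """Comparison form: case-insensitive, no whitespace around commas
    (enough for the simple DNs used here)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def rdn_value(dn):
    """Value of the first RDN, e.g. 'username' for 'uid=username,ou=People,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def attribute_values(entry, name):
    """Attribute lookup that ignores attribute-name case, as LDAP does."""
    return [v for k, vs in entry["attrs"].items() if k.lower() == name.lower() for v in vs]


def dn_only_match(group, user, member_attribute):
    """Membership test that compares DNs only: fine for member/uniqueMember,
    never true for a memberUid group (the symptom in the reports)."""
    target = normalize_dn(user["dn"])
    return any(normalize_dn(v) == target for v in attribute_values(group, member_attribute))


def user_in_group(group, user, member_attribute):
    """Membership test that understands both DN-valued and uid-valued attributes."""
    attr = member_attribute.lower()
    values = attribute_values(group, attr)
    if attr in DN_VALUED_ATTRIBUTES:
        target = normalize_dn(user["dn"])
        return any(normalize_dn(v) == target for v in values)
    if attr == "memberuid":
        # memberUid carries the uid attribute of the user entry; fall back to
        # the RDN value only when the entry has no uid attribute.
        uids = {u.lower() for u in attribute_values(user, "uid")} or {rdn_value(user["dn"]).lower()}
        return any(v.lower() in uids for v in values)
    raise ValueError("unsupported MemberAttribute: %r" % member_attribute)


def matching_groups(groups, user, member_attribute):
    """cn of each group the user belongs to; an empty list is what RequireGroup denies on."""
    return [g["attrs"]["cn"][0] for g in groups if user_in_group(g, user, member_attribute)]


# Constructed entries modelled on the LDIF in the two reports above.
USER = {"dn": "uid=username,ou=People,dc=users,dc=test,dc=loc",
        "attrs": {"uid": ["username"], "objectClass": ["posixAccount"]}}
GROUPS = [
    {"dn": "cn=admins,ou=Group,dc=users,dc=test,dc=loc",
     "attrs": {"cn": ["admins"], "objectClass": ["posixGroup"], "memberUid": ["username"]}},
    {"dn": "cn=vpn,ou=Group,dc=users,dc=test,dc=loc",
     "attrs": {"cn": ["vpn"], "objectClass": ["posixGroup"]}},
    # DN-valued group for contrast (constructed, not from the reports).
    {"dn": "cn=staff,ou=Group,dc=users,dc=test,dc=loc",
     "attrs": {"cn": ["staff"], "objectClass": ["groupOfNames"],
               "member": ["UID=username, OU=People, DC=users, DC=test, DC=loc"]}},
]

if __name__ == "__main__":
    print("DN-only check against memberUid:", dn_only_match(GROUPS[0], USER, "memberUid"))
    print("memberUid-aware check:", matching_groups(GROUPS, USER, "memberUid"))
    print("member (DN) check:", matching_groups(GROUPS, USER, "member"))
```

Run it directly and the DN-only check reports False for the admins group even though memberUid lists the user, while the attribute-aware check returns ["admins"]; the vpn group, which has no memberUid at all, matches nothing under either check.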

Compatibility with auth-user-pass-optional

Hello,

I'm trying to set up an OpenVPN server which authenticates via certificate OR LDAP 
(not both at the same time). I'm trying to achieve this by using the 
auth-user-pass-optional option in the openvpn config.

As documentation says "When this option is used, and a connecting client does 
not submit a username/password, the user-defined authentication module/script 
will see the username and password as being set to empty strings (""). The 
authentication module/script MUST have logic to detect this condition and 
respond accordingly."

But as I can see in logs LDAP plugin tries to perform bind auth with empty 
username. And obviously it fails.

Could the plugin be adapted to cope with auth-user-pass-optional case?

Original issue reported on code.google.com by [email protected] on 31 May 2013 at 3:53
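
The OpenVPN documentation quoted in the report above requires the authentication module to detect the empty-username, empty-password case itself. As an added example (not openvpn-auth-ldap's code; names are hypothetical), here is the pre-flight a plugin can run before it touches the directory. It separates the "client sent no credentials" case from a bind attempt, and refuses a non-empty username with an empty password outright: an LDAP simple bind with a name and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which servers may grant as anonymous, so letting it through could be mistaken for success. It also shows the %u expansion of SearchFilter with RFC 4515 escaping of the username, which goes beyond this report but belongs to the same lookup step.

```python
"""Credential pre-flight for an OpenVPN username/password plugin.

Added example, not openvpn-auth-ldap's own code. Decision constants,
function names and the SearchFilter template are hypothetical.
"""

NO_CREDENTIALS = "NO_CREDENTIALS"  # client sent none (auth-user-pass-optional); caller applies its policy
REJECT = "REJECT"                  # refuse without contacting the directory
LOOKUP = "LOOKUP"                  # proceed to search for the user and bind as them

# RFC 4515 escaping for characters that are special inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally when substituted into a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template, username):
    """Expand %u in a SearchFilter such as '(&(sAMAccountName=%u))'."""
    return template.replace("%u", escape_filter_value(username))


def preflight(username, password):
    """Classify the credentials OpenVPN handed over, before any LDAP traffic."""
    if username == "" and password == "":
        # auth-user-pass-optional: the client supplied nothing. Not a failure
        # of the password path; the caller decides whether the certificate alone suffices.
        return NO_CREDENTIALS
    if password == "":
        # Name present, password empty: an unauthenticated simple bind
        # (RFC 4513 section 5.1.2). Never forward it to the server.
        return REJECT
    if username == "":
        return REJECT
    return LOOKUP


def plan_auth(username, password, search_filter):
    """Return (decision, filter); filter is None unless a directory lookup will happen."""
    decision = preflight(username, password)
    if decision != LOOKUP:
        return decision, None
    return decision, build_search_filter(search_filter, username)


if __name__ == "__main__":
    for creds in [("", ""), ("alice", ""), ("alice", "s3cret"), ("a*b", "s3cret")]:
        print(creds[0] or "<empty>", "->", plan_auth(creds[0], creds[1], "(&(sAMAccountName=%u))"))
```

Note that the two REJECT branches are kept separate from NO_CREDENTIALS on purpose: only the all-empty case is the documented auth-user-pass-optional signal, and a policy that accepts certificate-only clients should key on that case alone.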

Poor config error handling results in Bus Error

What steps will reproduce the problem?
1. create config file with no new line after last line
2. run openvpn or testplugin
3. watch it bus error

What is the expected output? What do you see instead?
An error message indicating a configuration problem. Instead only a bus error.

What version of the product are you using? On what operating system?
2.0.3 on OS X 10.5.5

Please provide any additional information below.

GDB output:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
-[LFAuthLDAPConfig startSection:sectionName:] (self=0x100710, _cmd=0xc42c, 
sectionType=0x101600, name=0x0) at LFAuthLDAPConfig.m:531
531             switch (opcodeEntry->opcode) {

( Line numbers are slightly off because I added some debug code to my tree )

Reason for crash:
Without a new line, the parser is picking up /Authorization as a new config 
section. Calls to parse_opcode will then fail and return a null pointer, which 
is accessed in the switch statement further down.

Possible Resolution:
Check for opcodeEntry == NULL or throw an exception on NULL from method 
parse_opcode (TRConfigToken *token, OpcodeTable **tables) in LFAuthLDAPConfig.m

Original issue reported on code.google.com by [email protected] on 30 Dec 2008 at 7:55
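The resolution suggested above, a NULL check on the opcode lookup, as an added example for this page; it is not the plugin's own code, and the table, type and function names are hypothetical stand-ins for the lookup the report describes. An unknown section token (such as the "/Authorization" produced by the missing trailing newline) now yields a diagnostic and an error return instead of a dereference of NULL; the tokenizer behaviour that produces the bad token is a separate fix not shown here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical section opcode table, loosely modelled on the lookup the
 * report describes. Not openvpn-auth-ldap's own code. */
enum opcode { OP_LDAP, OP_AUTHORIZATION, OP_GROUP };

typedef struct {
    const char *name;
    enum opcode opcode;
} OpcodeEntry;

static const OpcodeEntry section_table[] = {
    { "LDAP",          OP_LDAP },
    { "Authorization", OP_AUTHORIZATION },
    { "Group",         OP_GROUP },
    { NULL,            OP_LDAP }   /* sentinel: name == NULL ends the table */
};

/* Returns the matching entry, or NULL when the token is not a known section.
 * Every caller must check for NULL before using the result. */
const OpcodeEntry *parse_opcode(const char *token, const OpcodeEntry *table)
{
    for (const OpcodeEntry *e = table; e->name != NULL; e++) {
        if (strcmp(e->name, token) == 0)
            return e;
    }
    return NULL;
}

/* Returns 0 when the section is known, -1 otherwise. Without the NULL
 * check, switch (entry->opcode) would read through a NULL pointer, which
 * is the KERN_PROTECTION_FAILURE at address 0x4 in the report. */
int start_section(const char *token, int line)
{
    const OpcodeEntry *entry = parse_opcode(token, section_table);
    if (entry == NULL) {
        fprintf(stderr, "config line %d: unknown section <%s>\n", line, token);
        return -1;
    }
    switch (entry->opcode) {
    case OP_LDAP:
    case OP_AUTHORIZATION:
    case OP_GROUP:
        return 0;
    }
    return -1;
}

int main(void)
{
    /* Constructed tokens: a valid section and the bogus one from the report. */
    printf("Authorization  -> %d\n", start_section("Authorization", 1));
    printf("/Authorization -> %d\n", start_section("/Authorization", 12));
    return 0;
}
```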

Bind after STARTTLS

What steps will reproduce the problem?
1. Configuration: Use TLS, don't allow anonymous binds

This will cause the plugin to first perform the bind, then issue STARTTLS,
which will move the LDAP authorization status back to "anonymous" (see
http://tools.ietf.org/html/rfc4513#section-4). If you move the code in
auth-ldap.m, which performs the binding (calling bindWithDN) to the end of
connect_ldap() (just before "return ldap"), everything should work fine.

What version of the product are you using? On what operating system?

I'm using version 2.0.3 on a debian lenny.

Original issue reported on code.google.com by [email protected] on 9 Jan 2010 at 7:32

Not working on FreeBSD 9.x or 10.x

What steps will reproduce the problem?
1. Freebsd 9.x or 10.x install
2. Install openvpn-auth-ldap package (version 2.0.3)
3. configure to use it in ldap.conf:
plugin /usr/local/lib/openvpn-auth-ldap.so "/usr/local/etc/openvpn/ldap.conf"

What is the expected output? What do you see instead?
OpenVPN does not start; the log (with verb 11) shows:
Sun Jun 22 11:52:07 2014 us=259528 Current Parameter Settings:
Sun Jun 22 11:52:07 2014 us=260003   config = 
'/usr/local/etc/openvpn/openvpn.conf'
Sun Jun 22 11:52:07 2014 us=260023   mode = 1
Sun Jun 22 11:52:07 2014 us=260041   show_ciphers = DISABLED
Sun Jun 22 11:52:07 2014 us=260063   show_digests = DISABLED
Sun Jun 22 11:52:07 2014 us=260080   show_engines = DISABLED
Sun Jun 22 11:52:07 2014 us=260097   genkey = DISABLED
Sun Jun 22 11:52:07 2014 us=260114   key_pass_file = '[UNDEF]'
Sun Jun 22 11:52:07 2014 us=260130   show_tls_ciphers = DISABLED
Sun Jun 22 11:52:07 2014 us=260147 Connection profiles [default]:
Sun Jun 22 11:52:07 2014 us=260165   proto = udp
Sun Jun 22 11:52:07 2014 us=260182   local = '****hostnam***'
Sun Jun 22 11:52:07 2014 us=260198   local_port = 1194
Sun Jun 22 11:52:07 2014 us=260215   remote = '[UNDEF]'
Sun Jun 22 11:52:07 2014 us=260233   remote_port = 1194
Sun Jun 22 11:52:07 2014 us=260250   remote_float = DISABLED
Sun Jun 22 11:52:07 2014 us=260267   bind_defined = DISABLED
Sun Jun 22 11:52:07 2014 us=260284   bind_local = ENABLED
Sun Jun 22 11:52:07 2014 us=260300   connect_retry_seconds = 5
Sun Jun 22 11:52:07 2014 us=260317   connect_timeout = 10
Sun Jun 22 11:52:07 2014 us=260334 NOTE: --mute triggered...
Sun Jun 22 11:52:07 2014 us=260367 213 variation(s) on previous 20 message(s) 
suppressed by --mute
Sun Jun 22 11:52:07 2014 us=260385 OpenVPN 2.3.4 amd64-portbld-freebsd10.0 [SSL 
(OpenSSL)] [LZO] [MH] [IPv6] built on May 31 2014
Sun Jun 22 11:52:07 2014 us=260409 library versions: OpenSSL 1.0.1e-freebsd 11 
Feb 2013, LZO 2.06
Sun Jun 22 11:52:07 2014 us=260745 PLUGIN_INIT: POST 
/usr/local/lib/openvpn-auth-ldap.so '[/usr/local/lib/openvpn-auth-ldap.so] 
[/usr/local/etc/openvpn/ldap.conf]' 
intercepted=PLUGIN_UP|PLUGIN_DOWN|PLUGIN_ROUTE_UP|PLUGIN_IPCHANGE|PLUGIN_TLS_VER
IFY|PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT|
PLUGIN_LEARN_ADDRESS|PLUGIN_CLIENT_CONNECT|PLUGIN_TLS_FINAL|PLUGIN_ENABLE_PF|PLU
GIN_ROUTE_PREDOWN
Sun Jun 22 11:52:07 2014 us=260766 PLUGIN_INIT: plugin initialization function 
failed: /usr/local/lib/openvpn-auth-ldap.so
Sun Jun 22 11:52:07 2014 us=260799 Exiting due to fatal error


What version of the product are you using? On what operating system?
Freebsd 9 or 10, openvpn-auth-ldap version 

Please provide any additional information below.
Earlier the same config worked on FreeBSD 8; others see the same, like:
https://forums.freebsd.org/viewtopic.php?f=43&t=46922
http://lists.freebsd.org/pipermail/freebsd-bugs/2014-June/056360.html

Tried to create from source with gcc47 but that was worse:
Sun Jun 22 19:16:10 2014 us=463109 PLUGIN_INIT: could not load plugin shared 
object /usr/local/lib/openvpn-auth-ldap.so: 
/usr/local/lib/openvpn-auth-ldap.so: Undefined symbol "objc_msgSendSuper"
Sun Jun 22 19:16:10 2014 us=463596 Exiting due to fatal error

Original issue reported on code.google.com by [email protected] on 22 Jun 2014 at 5:27

Triggers segfault with gcc 4.7

What steps will reproduce the problem?
1. Compile with gcc 4.7
2. Configure openvpn to use ldap auth
3. segfault on start

openvpn[1220]: segfault at 0 ip b704125f sp bfa9a150 error 4 in 
libobjc.so.4.0.0[b7034000+16000]

What version of the product are you using? On what operating system?

version 2.0.3
Fedora 17 32-bit but seen on others, see:

https://bugzilla.redhat.com/show_bug.cgi?id=870988
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641811
http://serverfault.com/questions/327294/openvpn-segmentation-fault


Original issue reported on code.google.com by [email protected] on 6 Feb 2013 at 4:22

Problem with dot inside username ...

Hi, 

I have a problem with an account with a dot inside. For example, when I try to check 
the plugin configuration and put username: piotr, everything works OK:

./testplugin /usr/local/etc/openvpn/auth/auth-ldap.conf
Username: piotr
Password: 
Authorization Succeed!
client-connect succeed!
client-disconnect succeed!

but when I put a username with a dot inside: piotr.xyz (the user exists in LDAP and is 
a member of vpnUsers), the plugin shows: 

./testplugin /usr/local/etc/openvpn/auth/auth-ldap.conf
Username: piotr.xyz
Password:
LDAP user "piotr.xyz" was not found.
Authorization Failed!
LDAP user "piotr.xyz" was not found.
client-connect failed!
LDAP user "piotr.xyz" was not found.
client-disconnect failed!

My auth section config:

<Authorization>
        BaseDN          "cn=users,dc=bbb,dc=aaa"
        SearchFilter    "sAMAccountName=%u"
        RequireGroup    true
        <Group>
                BaseDN          "cn=users,dc=bbb,dc=aaa"
                SearchFilter    "cn=vpnUsers"
                MemberAttribute Member
        </Group>
</Authorization>

Can anybody help me? :)


Original issue reported on code.google.com by [email protected] on 3 Feb 2011 at 9:06
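The configuration above substitutes the username into SearchFilter via %u. A dot is not a filter metacharacter, so escaping alone will not explain the report above, but it is the check a practitioner wants wherever a client-supplied name is spliced into an LDAP filter: without it a username containing "*", "(", ")" or "\" changes the structure of the filter and can make the search match a different entry than intended. The following is an added example for this page, not the plugin's own code; the function names are hypothetical, and the escaping follows RFC 4515 section 3.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape one assertion value per RFC 4515 section 3: '*', '(', ')' and '\'
 * become \XX with two hex digits. Bytes >= 0x80 (UTF-8 continuation and
 * lead bytes) are escaped too, which RFC 4515 permits and which keeps the
 * filter pure ASCII. Returns a malloc'd string; the caller frees it. */
char *ldap_filter_escape(const char *value)
{
    size_t len = strlen(value);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte becomes \XX */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (const unsigned char *s = (const unsigned char *)value; *s; s++) {
        if (*s == '*' || *s == '(' || *s == ')' || *s == '\\' || *s >= 0x80)
            p += sprintf(p, "\\%02x", (unsigned)*s);
        else
            *p++ = (char)*s;
    }
    *p = '\0';
    return out;
}

/* Expand every "%u" in a SearchFilter template with the escaped username,
 * so the username can only ever be an assertion value, never filter syntax.
 * Returns a malloc'd string; the caller frees it. */
char *build_filter(const char *tmpl, const char *username)
{
    char *esc = ldap_filter_escape(username);
    if (esc == NULL)
        return NULL;
    size_t esclen = strlen(esc);

    /* Count occurrences of %u to size the output buffer. */
    size_t count = 0;
    for (const char *t = tmpl; (t = strstr(t, "%u")) != NULL; t += 2)
        count++;

    char *out = malloc(strlen(tmpl) + count * esclen + 1);
    if (out == NULL) {
        free(esc);
        return NULL;
    }
    char *p = out;
    for (const char *t = tmpl; *t; ) {
        if (t[0] == '%' && t[1] == 'u') {
            memcpy(p, esc, esclen);
            p += esclen;
            t += 2;
        } else {
            *p++ = *t++;
        }
    }
    *p = '\0';
    free(esc);
    return out;
}

int main(void)
{
    /* Constructed inputs: the username from the report and a hostile one. */
    char *a = build_filter("sAMAccountName=%u", "piotr.xyz");
    char *b = build_filter("(&(uid=%u)(accountStatus=active))", "x)(uid=*");
    printf("%s\n%s\n", a, b);
    free(a);
    free(b);
    return 0;
}
```

The dot passes through unchanged, so the filter for "piotr.xyz" is exactly "sAMAccountName=piotr.xyz"; the second call shows that the metacharacters in a hostile name are neutralised rather than opening a second assertion.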

Search problem on AD

What version of the product are you using? On what operating system?
OpenVPN on Ubuntu Hardy 32 bits with auth-ldap-2.0.3 installed from source.

Attached file is the tree of what I see from my LDAP browser on the AD
server for domain dc=XXX,dc=ZZZ. Basically I got 2 different branches with
their own set of users (ou=YYY,dc=XXX,dc=ZZZ and ou=AAA,dc=XXX,dc=ZZZ). I
want to give access to users of both trees.

When I point my configuration to a specific branch
ou=YYY,dc=XXX,dc=ZZZ I can authenticate users within this branch:

# auth-ldap configuration
<LDAP>
 URL ldap://AD_IP
 BindDN "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ"
 Password pass
 FollowReferrals no
</LDAP>

<Authorization>
 BaseDN "OU=YYY,DC=XXX,DC=YYY"
 SearchFilter "sAMAccountName=%u"
 RequireGroup false
</Authorization>

Here is the tethereal output of the LDAP traffic when a user logs in:
1 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple 
2 LDAP bindResponse(1) success 
3 LDAP searchRequest(2) "OU=YYY,DC=XXX,DC=ZZZ" wholeSubtree 
4 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ" 
5 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple 
6 LDAP bindResponse(1) success 
7 LDAP bindRequest(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ" 8
simple 
9 LDAP bindResponse(2) success 
10 LDAP unbindRequest(3) 
11 LDAP unbindRequest(3) 
12 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple 
13 LDAP bindResponse(1) success 
14 LDAP searchRequest(2) "OU=YYY,DC=XXX,DC=ZZZ" wholeSubtree 
15 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ" 
16 LDAP unbindRequest(3) 

I wonder why it searches a 2nd time after validating my OpenVPN client user...
but that's not my problem. This works.

My problem starts when I change the basedn to point to the root of my AD
structure to be able to let users of the 2 branches authenticate. In my
configuration I just change
 BaseDN "DC=XXX,DC=YYY"

and here is the tethereal output:

1 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple 
2 LDAP bindResponse(1) success 
3 LDAP searchRequest(2) "DC=XXX,DC=ZZZ" wholeSubtree 
4 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ" 
5 LDAP bindRequest(4) "<ROOT>" simple 
6 LDAP bindResponse(4) success 
7 LDAP bindRequest(6) "<ROOT>" simple 
8 LDAP bindResponse(6) success 
9 LDAP bindRequest(8) "<ROOT>" simple 
10 LDAP bindResponse(8) success 
11 LDAP searchRequest(7) "CN=Configuration,DC=XXX,DC=ZZZ" wholeSubtree 
12 LDAP searchRequest(5) "DC=DomainDnsZones,DC=XXX,DC=ZZZ" wholeSubtree 
13 LDAP searchRequest(3) "DC=ForestDnsZones,DC=XXX,DC=ZZZ" wholeSubtree 
14 LDAP searchResDone(3) operationsError (00000000: LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece) 
15 LDAP unbindRequest(9) 
16 LDAP searchResDone(7) operationsError (00000000: LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece) 
17 LDAP searchResDone(5) operationsError (00000000: LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece) 
18 LDAP unbindRequest(10) 
19 LDAP unbindRequest(11) 
20 LDAP unbindRequest(12) 

At line 4, it definitely finds my user. But on line 5 it also tries to bind
<ROOT>, which is something I don't know...
And after that it tries to search in sub-branches of Windows Active Directory
that require higher privileges. Once it got knocked out somewhere it refused to
try to bind my user and validate my VPN user.

Should auth-ldap take the found object, ignore the failed search and try to
authenticate as that user?

thank you

Original issue reported on code.google.com by [email protected] on 25 Jun 2008 at 4:35

Create a new release

What steps will reproduce the problem?
1. Installing openvpn-auth-ldap from most distros installs version 2.0.3, which 
was built in 2008.


What is the expected output? What do you see instead?
Much development has happened since 2008, (including working ldaps and STARTTLS 
support) and it would be great to not have to compile to use the plugin.

Thanks!

Original issue reported on code.google.com by [email protected] on 18 Oct 2013 at 7:27

Group membership with memberUid in posixGroup

What version of the product are you using? On what operating system?

openvpn-auth-ldap-2.0.3
openvpn-2.0.6
openldap-client-2.4.11
FreeBSD 7.0-RELEASE-p5

Please provide any additional information below.

In LDAP we are using the posixGroup schema, which lists group members by
username in the memberUid attribute on the group. It appears that
openvpn-auth-ldap is searching for members based on cn. It would be nice if
there were a way to configure what to look for in the attribute to confirm
group membership.

Original issue reported on code.google.com by [email protected] on 30 Dec 2008 at 9:51

  • Merged into: #7

openvpn-auth-ldap retrieves different username from LDAP server

client+server version:
OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] 
[eurephia] built on Jul 12 2010

openvpn-auth-ldap version:
2.0.3-1 amd64 (Ubuntu Repository)

vpn server+client: Ubuntu 10.10 amd64 2.6.35
ldap server: win sbs2003 (active directory)

I enter my username "s9hi-2c-leutlor" on the client, but the server shows up 
"s9hi-2c-batsank" in the logfiles. "s9hi-2c-batsank" is an existing user, but 
definitely the wrong one.

may be interesting:
It's a school's database, and "s9hi-2c-leutlor" is in the same class as 
"s9hi-2c-batsank", they both are in the group "sg9hi-2c" and "s9hi-2c-batsank" 
is the first entry of this group (alphabetical order).

What about that error? How can I fix it?

Original issue reported on code.google.com by [email protected] on 12 Dec 2010 at 10:08

libraries/liblber/encode.c:288: ber_put_ostring: Assertion `str != ((void *)0)' failed

What steps will reproduce the problem?
1. Start OpenVPN Server
2. From openvpn client, execute with ./openvpn --config openvpn.conf
--auth-user-pass
3. Openvpn server dies

What is the expected output? What do you see instead?
Successfully connected between openvpn client and server

What version of the product are you using? On what operating system?
openvpn 2.0.9, auth-ldap 2.0.3, tried on Kubuntu 8.04 and Centos 5.2;
both get the same error msg

Please provide any additional information below.
Tue Feb 10 15:32:20 2009 OpenVPN 2.0.9 i686-pc-linux [SSL] [EPOLL] built on
Dec 12 2008
Tue Feb 10 15:32:21 2009 TUN/TAP device tun0 opened
Tue Feb 10 15:32:21 2009 /sbin/ifconfig tun0 172.16.24.1 pointopoint
172.16.24.2 mtu 1500
Tue Feb 10 15:32:21 2009 GID set to nogroup
Tue Feb 10 15:32:21 2009 UID set to nobody
Tue Feb 10 15:32:21 2009 UDPv4 link local (bound): [undef]:1194
Tue Feb 10 15:32:21 2009 UDPv4 link remote: [undef]
Tue Feb 10 15:32:21 2009 Initialization Sequence Completed
Tue Feb 10 15:32:29 2009 60.50.53.28:59719 Re-using SSL/TLS context
openvpn: ../../../libraries/liblber/encode.c:288: ber_put_ostring:
Assertion `str != ((void *)0)' failed.
Aborted


Original issue reported on code.google.com by [email protected] on 10 Feb 2009 at 7:32

  • Merged into: #11

cannot do TLS for whatever reason.

What steps will reproduce the problem?
1. compile and install the plugin
2. configure it and start openvpn
3. connect
4. fail

LDAP bind failed immediately: Can't contact LDAP server ((unknown error code))
Unable to bind as cn=admin,dc=blubb,dc=bla
LDAP connect failed.
192.168.88.11:36659 PLUGIN_CALL: plugin function
PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1:
/usr/local/lib/openvpn-auth-ldap.so
192.168.88.11:36659 TLS Auth Error: Auth Username/Password verification
failed for peer


What is the expected output? What do you see instead?

expected would be something like this:
"openvpn: running"

What version of the product are you using? On what operating system?
linux/gentoo
openvpn-2.1.0-r1
 auth-ldap-2.0.3.tar.gz
Please provide any additional information below.
./configure --with-openvpn=/usr/src/openvpn-2.1.0

without tls it is working

Original issue reported on code.google.com by [email protected] on 4 Jun 2010 at 6:35

Compile issue

I use centos 5 



 ./testplugin /etc/openvpn/servers/v2vpn03/auth-ldap.conf
Username:
Password:
testplugin: ../../../libraries/liblber/encode.c:288: ber_put_ostring:
Assertion `str != ((void *)0)' failed.
Aborted

Original issue reported on code.google.com by [email protected] on 9 Jul 2008 at 1:19

Client Cert/Key + LDAP AUTH

Hi! 

I've added cert and key to my clients, the LDAP auth works very well, but when I 
revoke a client, the LDAP auth works again.

Is it possible? Mixing this scenario, client cert/key and LDAP auth?

Thanks

Original issue reported on code.google.com by [email protected] on 11 Jun 2011 at 1:18

OpenVPN crashes if LDAP server is unavailable

What steps will reproduce the problem?
1. use auth-ldap with AD
2. take down the AD server
3. try to authenticate

What is the expected output? What do you see instead?
It should retry, or fail to authenticate; instead openvpn crashes

What version of the product are you using? On what operating system?
Slackware-10, OpenVPN 2.0.9, authldap 2.0.3

Please provide any additional information below.

from the log :
Thu Nov  8 19:09:16 2007 us=812760 TLS Error: incoming packet 
authentication failed from xx.xx.xx.xx:28277
openvpn: sasl.c:262: ldap_parse_sasl_bind_result: Assertion `res != ((void 
*)0)' failed.

Original issue reported on code.google.com by [email protected] on 4 Feb 2009 at 7:21

clients exit when LDAP is down instead of retry

What steps will reproduce the problem?
1. stop the ldap server for a while
2. watch the reconnects of existing connections fail
3. wait until you see a line "TLS Error: local/remote TLS keys are out of sync"
4. the clients exit because of "wrong username/password" and thus are unable to 
retry

What is the expected output? What do you see instead?
I would expect the openvpn-ldap module to give a different status (if possible) 
to the openvpn server so that the client doesn't think that it has a wrong 
username and doesn't need to retry... (even with retry infinite)

What version of the product are you using? On what operating system?
deb6 amd64 openvpn-2.2.1-8+deb7u2  openvpn-auth-ldap-2.0.3-5.1

Is there a workaround I can use to not have this issue?

Original issue reported on code.google.com by [email protected] on 30 Jun 2014 at 1:02

OpenVPN Segmentation Fault

What steps will reproduce the problem?
1. Install openvpn 2.0.9
2. Install auth-ldap 2.0.3
3. Start openvpn with auth-ldap plugin. Pointing to auth-ldap.conf

What is the expected output? What do you see instead?
I expect to see the daemon running.

But I see...

Segmentation fault (core dumped)

What version of the product are you using? On what operating system?

2.0.3 on Mandrake 9.1 (Old, I know, but everything compiled OK.)

Please provide any additional information below.

When I un-comment the line below openvpn loads.
# plugin /opt/auth-ldap/lib/openvpn-auth-ldap.so
/opt/auth-ldap/etc/auth-ldap.conf

I also tried it with a trailing cn=%u

My auth-ldap.conf

<LDAP
        URL         ldap://10.0.0.1
        BindDN      CN=tom,CN=Users,DC=pulla,DC=local
        Password    mypassword
        Timeout     15
        TLSEnable   no
</LDAP

<Authorization
        BaseDN          "DC=pulla,DC=local"
        SearchFilter    "(cn=%u)"
        RequireGroup    false
</Authorization

I turned openvpn verb to 11 but I can't see anything strange; it just dies.

Original issue reported on code.google.com by [email protected] on 4 Mar 2009 at 11:46

not possible to enter multiple LDAP servers

What steps will reproduce the problem?
1. Trying to enter multiple LDAP servers in the configuration for redundancy 
finishes with an error message

What is the expected output? What do you see instead?
It must be possible to enter multiple LDAP servers, either with multiple URL 
directives, or with a single directive and addresses separated by spaces
EXAMPLE:
URL ldap://ldap1.xxx.com
URL ldap://ldap2.xxx.com

OR

URL ldap://ldap1.xxx.com ldap://ldap2.xxx.com

What version of the product are you using? On what operating system?
2.0.3 on Ubuntu 10.04 from original repository

Original issue reported on code.google.com by [email protected] on 22 Nov 2011 at 9:37

Configure error: Objective C preprocessor "/lib/cpp" fails sanity check

I use Zimbra [1] as a groupware solution and it has an ldap server
(currently openldap 2.3.42) for authentication services. I'm trying to
compile openvpn-auth-ldap on a x64 ubuntu 8.04 server so vpn users can use
the same auth information, however configure fails with the following error:

checking how to run the Objective C preprocessor... /lib/cpp
configure: error: Objective C preprocessor "/lib/cpp" fails sanity check

All references to this error on google lead to installing build-essential
as the solution, however I have it installed and still have the error.
Also, configuring/compiling other software from source works.

What steps will reproduce the problem?
1. ./configure --with-openldap=/opt/zimbra/openldap
--with-openvpn=/usr/include/openvpn

What is the expected output? What do you see instead?
Configure should finish cleanly. However it spits out an error about the
Objective C preprocessor.

What version of the product are you using? On what operating system?
2.0.3 on x64 ubuntu 8.04.

Please provide any additional information below.
Attached are configure output and config.log.

[1] http://www.zimbra.com

Original issue reported on code.google.com by [email protected] on 1 Oct 2008 at 7:18

conftest.c:8:28: error: ac_nonexistent.h: No such file or directory

hi,

I am running suse linux enterprise 11 and have installed openvpn and openldap

command:
# ./configure  --with-openvpn=/tmp/openvpn-2.2.2/

I see the following on my screen:
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for gcc... gcc
checking whether we are using the GNU Objective C compiler... yes
checking whether gcc accepts -x objective-c... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking whether make sets $(MAKE)... yes
checking for re2c... /usr/bin/re2c
checking for doxygen... no
checking for dot... no
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for the pthreads library -lpthreads... no
checking whether pthreads work without any flags... no
checking whether pthreads work with -Kthread... no
checking whether pthreads work with -kthread... no
checking for the pthreads library -llthread... no
checking whether pthreads work with -pthread... yes
checking for joinable pthread attribute... PTHREAD_CREATE_JOINABLE
checking if more special flags are required for pthreads... no
checking for BSD pf(4) support... no
configure: WARNING: pf(4) table support will not be included.
checking for strlcpy... no
checking for openldap... yes
checking for check unit test library... no
configure: WARNING: Check library not found. Unit tests will not be built or 
run.
checking for openvpn-plugin.h... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking how to run the Objective C preprocessor... gcc -E
checking objc/objc.h usability... yes
checking objc/objc.h presence... yes
checking for objc/objc.h... yes
checking if linking libobjc requires pthreads... no
checking for Apple Objective-C runtime... no
checking for GNU Objective C runtime... yes
configure: Using GNU Objective-C runtime
configure: creating ./config.status
config.status: creating Makefile
config.status: creating tools/Makefile
config.status: creating src/Makefile
config.status: creating tests/Makefile
config.status: creating Mk/autoconf.mk
config.status: WARNING:  Mk/autoconf.mk.in seems to ignore the --datarootdir 
setting
config.status: creating Mk/compile.mk
config.status: creating Mk/subdir.mk
config.status: creating doxyfile
config.status: creating config.h
config.status: config.h is unchanged


When looking in the config.log I see this error:
conftest.c:8:28: error: ac_nonexistent.h: No such file or directory

It seems the command is not completing, because I am missing this file:
openvpn-auth-ldap.so

how can I troubleshoot this?

Original issue reported on code.google.com by [email protected] on 22 Oct 2014 at 9:35

plugin didn't start

What steps will reproduce the problem?
1. compile the plugin with ./configure --with-openvpn=/home/tmp/openvpn-2.2.2
2. Launch OpenVPN (>service openvpn start)
3.

What is the expected output? What do you see instead?
> service openvpn start indicate error
Error at openvpn log file
Wed Apr 29 14:14:58 2015 event_wait : Interrupted system call (code=4)
Wed Apr 29 14:14:58 2015 /sbin/route del -net 172.16.26.0 netmask 255.255.255.0
Wed Apr 29 14:14:58 2015 Closing TUN/TAP interface
Wed Apr 29 14:14:58 2015 /sbin/ifconfig tun0 0.0.0.0
Wed Apr 29 14:14:58 2015 PLUGIN_CLOSE: /usr/local/lib/openvpn-auth-ldap.so
Wed Apr 29 14:14:58 2015 SIGTERM[hard,] received, process exiting
Wed Apr 29 14:15:00 2015 OpenVPN 2.3.4 x86_64-unknown-linux-gnu [SSL (OpenSSL)] 
[LZO] [EPOLL] [MH] [IPv6] built on Apr 28 2015
Wed Apr 29 14:15:00 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 
2.03
Wed Apr 29 14:15:00 2015 PLUGIN_INIT: POST /usr/local/lib/openvpn-auth-ldap.so 
'[/usr/local/lib/openvpn-auth-ldap.so] [/etc/openvpn/ldap.conf]' 
intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIE

What version of the product are you using? On what operating system?
auth-ldap-2.0.3
CentOS 6.6
Linux VPN 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr 22 06:48:29 UTC 2015 x86_64 
x86_64 x86_64 GNU/Linux

Please provide any additional information below.
./configure at auth-ldap-2.0.3 eats any path for --with-openldap and 
--with-openvpn. Make passes without errors, and I can't be sure that the paths are 
correct.

Original issue reported on code.google.com by [email protected] on 29 Apr 2015 at 11:39

Authentication Failure with german umlauts in passwords

Hi,

I'm currently running Debian wheezy with openvpn-auth-ldap 2.0.3-5.1.

When a user chooses a password with äöü inside, authentication to the VPN 
always fails.
It's working with most other systems accessing Active Directory, so I guess it's 
some encoding problem.

greetings

Christian

Original issue reported on code.google.com by [email protected] on 10 Mar 2014 at 11:18

sry

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 10 Feb 2010 at 7:22

Missing dependencies in src/Makefile.in break parallel builds

What steps will reproduce the problem?
1. configure
2. make -j4 

What is the expected output? What do you see instead?

I'd expect that the build waits until TRConfigParser.h is generated before 
using it. Instead, I see it is built in parallel with using it.

The Makefile.in needs to have some dependencies added so that operations are 
properly serialized and the lemon/makeheaders are run before the resulting 
.h/.m files are used.

What version of the product are you using? On what operating system?

svn version 1379 on FreeBSD 10.1

Original issue reported on code.google.com by [email protected] on 19 Jan 2015 at 4:49

different plugin for passwords?

Is it possible to configure openvpn-auth-ldap to not use the LDAP password?
 Currently, I have PAM authentication configured, which allows me to tap
into our RSA two factor authentication system.  I'd like to use the LDAP
plugin only as user authorization, and the PAM/RSA 2-factor as the user
authentication.

Original issue reported on code.google.com by [email protected] on 26 Feb 2009 at 4:01

LDAP search failed: No such object

What steps will reproduce the problem?
the plugin's configuration is:

<LDAP>
        URL             ldap://xxxxx
        BindDN           uid=xxxxx,dc=xxx,dc=xxx
        Password         xxxxxxx
        Timeout         15
        TLSEnable       no
        FollowReferrals no
        TLSCACertFile   /usr/local/etc/ssl/ca.pem
        TLSCACertDir    /etc/ssl/certs
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem
</LDAP>
<Authorization>
        BaseDN          "ou=xxx,dc=xxx,dc=xxx"
        SearchFilter    "(&(uid=%u)(accountStatus=active))"
        RequireGroup    false
        <Group>
                BaseDN          "ou=Groups,dc=example,dc=com"
                SearchFilter    "(|(cn=developers)(cn=artists))"
                MemberAttribute uniqueMember
        </Group>
</Authorization>

I am sure that all values are correct, because using an equivalent ldapsearch 
command, ldap server responds with the correct entry.

What is the expected output? What do you see instead?
the expected should be a login success message. But the following log comes 
("LDAP search failed: No such object" and then "No remote address supplied to 
OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_CONNECT)."):

Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 TLS: Initial packet from 
[AF_INET]xx.xx.xx.xx:1194, sid=466b3052 a5fc388e
LDAP search failed: No such object
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST 
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY 
status=0
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 TLS: Username/Password authentication 
succeeded for username 'username' 
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Data Channel Encrypt: Cipher 'BF-CBC' 
initialized with 128 bit key
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Data Channel Encrypt: Using 160 bit 
message hash 'SHA1' for HMAC authentication
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Data Channel Decrypt: Cipher 'BF-CBC' 
initialized with 128 bit key
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Data Channel Decrypt: Using 160 bit 
message hash 'SHA1' for HMAC authentication
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Control Channel: TLSv1, cipher 
TLSv1/SSLv3 DHE-RSA-AES256-SHA
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 [] Peer Connection Initiated with 
[AF_INET]xx.xx.xx.xx:1194
No remote address supplied to OpenVPN LDAP Plugin 
(OPENVPN_PLUGIN_CLIENT_CONNECT).
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST 
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=1
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: plugin function 
PLUGIN_CLIENT_CONNECT failed with status 1: 
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 WARNING: client-connect plugin call 
failed

What version of the product are you using? On what operating system?
Using openvpn-auth-ldap 2.0.3-6 with openvpn.i686 2.3.2-2, installed on 
CentOS-6 from the epel repository.

Please provide any additional information below.
When providing a wrong user password or a non-existing user (in this example 
"asdf"), the plugin outputs correctly ... which shows that there is no bind or 
wrong-attribute problem and LDAP responds correctly !!!

Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 TLS: Initial packet from 
[AF_INET]xx.xx.xx.xx:1194, sid=17665875 67640a48
LDAP bind failed: Invalid credentials
Incorrect password supplied for LDAP DN "uid=username,ou=xxx,dc=xxx,dc=xxx".
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST 
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY 
status=1
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: plugin function 
PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: 
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 TLS Auth Error: Auth 
Username/Password verification failed for peer
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 Control Channel: TLSv1, cipher 
TLSv1/SSLv3 DHE-RSA-AES256-SHA
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 Peer Connection Initiated with 
[AF_INET]xx.xx.xx.xx:1194
Thu Jan 23 12:57:29 2014 xx.xx.xx.xx:1194 PUSH: Received control message: 
'PUSH_REQUEST'
Thu Jan 23 12:57:29 2014 xx.xx.xx.xx:1194 Delayed exit in 5 seconds
Thu Jan 23 12:57:29 2014 xx.xx.xx.xx:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED' 
(status=1)
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 SIGTERM[soft,delayed-exit] received, 
client-instance exiting
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 TLS: Initial packet from 
[AF_INET]xx.xx.xx.xx:1194, sid=06097dc3 01f59e32
LDAP user "asdf" was not found.
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST 
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY 
status=1
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: plugin function 
PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: 
usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 TLS Auth Error: Auth 
Username/Password verification failed for peer

please correct any mistakes in the config file or suggest any solution
thank you

Original issue reported on code.google.com by [email protected] on 23 Jan 2014 at 5:50
