x-itec / openvpn-auth-ldap
Automatically exported from code.google.com/p/openvpn-auth-ldap
License: Other
INTRODUCTION

The openvpn-auth-ldap plugin implements username/password authentication via LDAP.

You may send patches, bug reports, and complaints to: [email protected]

REQUIREMENTS

  * OpenLDAP Headers & Library
  * GNU Objective-C Compiler
  * OpenVPN Plugin Header (included with the OpenVPN sources)
  * re2c (http://www.re2c.org)

BUILD

To build, you will need to configure the sources appropriately. Example:

  ./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/usr/ports/security/openvpn/work/openvpn-2.0.2

The module will be built as src/openvpn-auth-ldap.so and installed as ${prefix}/lib/openvpn-auth-ldap.so.

USAGE

Add the following to your OpenVPN configuration file (adjusting the plugin path as required):

  plugin /usr/local/lib/openvpn-auth-ldap.so "<config>"

The config directive must point to an auth-ldap configuration file. An example is provided with the distribution.

CAVEATS

This plugin only works with the OpenLDAP libraries.
What steps will reproduce the problem?
1. Build auth-ldap from r1379 SVN and against openvpn 2.3.6, with patches from Issue #43.
2. run tests/tests
What is the expected output? What do you see instead?
Self-tests should pass. Instead, these are failures:
[mandree@apollo ~/VCS-other/openvpn-auth-ldap.svn]$ tests/tests 2>&1 | grep failed
Test case -[TRLDAPAccountRepositoryTests test_initWithLDAPConnection] (TRLDAPAccountRepositoryTests.m:57) failed with error: 'config == ((id)((void*)0))' should be false. Legacy assertion 'config == nil' failed
Test case -[TRAuthLDAPConfigTests test_initWithConfigFile] (TRAuthLDAPConfigTests.m:60) failed with error: 'config == ((void *)0)' should be false. Legacy assertion 'config == NULL' failed
Test case -[TRAuthLDAPConfigTests test_initWithMissingTrailingNewline] (TRAuthLDAPConfigTests.m:122) failed with error: 'config == ((void *)0)' should be false. Legacy assertion 'config == NULL' failed
Test case -[TRLDAPConnectionTests testInit] (TRLDAPConnectionTests.m:62) failed with error: 'config == ((void *)0)' should be false. Legacy assertion 'config == NULL' failed
Test case -[TRConfigLexerTests testParse] (TRConfigLexerTests.m:65) failed with error: 'configFD == -1' should be false. Legacy assertion 'configFD == -1' failed
Test case -[TRConfigTests testInitWithFD] (TRConfigTests.m:94) failed with error: 'configFD == -1' should be false. Legacy assertion 'configFD == -1' failed
What version of the product are you using? On what operating system?
SVN r1379 on FreeBSD 9.3-RELEASE, amd64, with libobjc2 (which is a new
GNU-compatible and clang-compatible ObjC runtime) and openldap-client-2.4.40_1
Original issue reported on code.google.com by [email protected]
on 5 Jan 2015 at 11:36
Trying to bind to company ldap with this kind of ldap.conf:
<LDAP>
URL ldap://ldap.example.com:389
BindDN cn=Company DirManager,dc=example,dc=com
Password password
Timeout 15
TLSEnable no
FollowReferrals no
TLSCACertFile /usr/local/etc/ssl/ca.pem
TLSCACertDir /etc/ssl/certs
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
</LDAP>
<Authorization>
BaseDN dc=example,dc=com
SearchFilter "(&(sAMAccountName=%u))"
RequireGroup false
</Authorization>
openvpn-auth-ldap fails to bind to ldap and gives error message:
"A parse error occured while attempting to comprehend DirManager, on line 3"
Operating system is Ubuntu 12.04 LTS server and OpenVPN version: 2.2.1.
Original issue reported on code.google.com by [email protected]
on 25 Apr 2014 at 3:52
Hi,
This is syslog error I get during OpenVPN start:
ovpn-ldap[5643]: Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/ldap.conf:1: LDAP (2.2.1)
On a first line of /etc/openvpn/ldap.conf contains <LDAP>
If I turn the plugin off - everything works fine.
Environment :
openvpn: 2.2.1-8+deb7u2
openvpn-auth-ldap: 2.0.3-5.1
OS : Debian 7.7
Plugin was installed using common installer - "aptitude install
openvpn-auth-ldap" and "aptitude install openvpn"
Original issue reported on code.google.com by [email protected]
on 29 Oct 2014 at 5:39
What steps will reproduce the problem?
testplugin /etc/openvpn/rusers.auth
Username: shin.andrey
Password:
Authorization Failed!
No matching LDAP group found for user DN
"cn=shin.andrey,ou=users,dc=XXX,dc=local", and group membership is required.
client-connect failed!
No matching LDAP group found for user DN
"cn=shin.andrey,ou=users,dc=XXX,dc=local", and group membership is required.
client-disconnect failed!
What is the expected output? What do you see instead?
I see that the authorization was successful, but I am getting that failure.
What version of the product are you using? On what operating system?
OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Feb 20 2008
auth-ldap-2.0.3
DISTRIB_DESCRIPTION="Ubuntu 8.04"
Linux dir 2.6.24-16-server
Please provide any additional information below.
<LDAP>
URL ldap://dir
BindDN cn=admin,dc=XXX,dc=local
Password pass
Timeout 15
</LDAP>
<Authorization>
BaseDN "dc=XXX,dc=local"
SearchFilter "(&(objectClass=posixAccount)(cn=%u))"
RequireGroup true
<Group>
BaseDN "ou=groups,dc=XXX,dc=local"
SearchFilter "(cn=Jabber)"
MemberAttribute memberUid
</Group>
</Authorization>
ldapsearch -x -b "ou=groups,dc=XXX,dc=local" -D "cn=admin,dc=XXX,dc=local" -W "(&(cn=Jabber)(memberUid=shin.andrey))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=groups,dc=XXX,dc=local> with scope subtree
# filter: (&(cn=Jabber)(memberUid=shin.andrey))
# requesting: ALL
#
# Jabber, groups, XXX.local
dn: cn=Jabber,ou=groups,dc=XXX,dc=local
objectClass: posixGroup
objectClass: top
cn: Jabber
gidNumber: 1006
memberUid: shin.andrey
Original issue reported on code.google.com by [email protected]
on 6 Dec 2008 at 9:34
What steps will reproduce the problem?
1. If I try to run /testplugin /etc/openvpn/ldapconf/auth-ldap.conf, using the
URL ldap://192.168.3.25 config, it works
2. If i run it with URL ldaps://192.168.3.25, it doesn't work
192.168.3.25 is a domain controller with ldap and ldaps ports open. We have
servers that authenticate against this host using ldaps.
What is the expected output? What do you see instead?
When using LDAP:
Authorization Succeed!
client-connect succeed!
client-disconnect succeed!
LDAP bind failed immediately: Can't contact LDAP server ((unknown error code))
Unable to bind as [email protected]
LDAP connect failed.
Authorization Failed!
What version of the product are you using? On what operating system?
I'm using auth-ldap-2.0.3 on Ubuntu 10.10 server
Please provide any additional information below.
#auth-ldap.conf
<LDAP>
# LDAP server URL
URL ldaps://192.168.3.25
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
BindDN [email protected]
# Bind Password
# Password SecretPassword
Password SomePassword
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
#TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
#TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
#TLSCertFile /usr/local/etc/ssl/client-cert.pem
#TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN OU=SBSUsers,OU=Users,OU=MyBusiness,DC=XXX,DC=YYY
# User Search Filter
SearchFilter "(SAMAccountName=%u)"
# Require Group Membership
RequireGroup false
Original issue reported on code.google.com by [email protected]
on 16 May 2012 at 10:26
What steps will reproduce the problem?
1. Configure openldap-auth-ldap to connect to an LDAP server with TLS enabled
2. Connect to openvpn
3. Run tcpdump -A -s 0 -n -i br0 port 389 on the ldap server
You will see that that the bind-DN and password are transmitted in cleartext.
What is the expected output? What do you see instead?
The plugin sends the bind-DN and password in cleartext. The plugin should not
bind to a TLS-enabled LDAP server until STARTTLS is issued.
What version of the product are you using? On what operating system?
2.0.3 on Debian squeeze
Please provide any additional information below.
This bug is listed on the Debian bug tracker, and someone has posted a patch
that fixes the problem: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610339
Original issue reported on code.google.com by [email protected]
on 30 Sep 2011 at 11:16
What steps will reproduce the problem?
1. create a configuration file that lacks the trailing EOL character (LF)
2. src/testplugin this-testconfigfile-without-LF
3. see assert() abort the code with:
Assertion failed: (_limit - _cursor >= 0), function -[TRConfigLexer fill:], file TRConfigLexer.re, line 117.
Reference to FreeBSD bugtracker:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190497
What is the expected output? What do you see instead?
The expected output is that the configuration is parsed properly.
What version of the product are you using? On what operating system?
SVN r1379, FreeBSD 9.3/10.1.
Please provide any additional information below.
The attached patch fixes this problem by simplifying EOI detection and making
it robust (rather than relying on the sentinel character).
Note that TRLocalPacketFilter.m requires two #import statements:
#import "TRLog.h"
#import "xmalloc.h"
Original issue reported on code.google.com by [email protected]
on 19 Jan 2015 at 8:44
Attachments:
What steps will reproduce the problem?
1. ./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/usr/ports/security/openvpn/work/openvpn-2.0.2
What is the expected output? What do you see instead?
configure: error: Could not locate a working OpenLDAP library installation. Try --with-openldap=
See `config.log' for more details.
What version of the product are you using? On what operating system?
auth-ldap configure 2.0 Ubuntu Server
Please provide any additional information below.
Here's my config.log:
this file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by auth-ldap configure 2.0, which was
generated by GNU Autoconf 2.60. Invocation command line was
$ ./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/usr/ports/security/openvpn/work/openvpn-2.0.2
## --------- ##
## Platform. ##
## --------- ##
hostname = ldapsrv1.csaa.local
uname -m = i686
uname -r = 2.6.24-23-server
uname -s = Linux
uname -v = #1 SMP Thu Nov 27 19:19:15 UTC 2008
/usr/bin/uname -p = unknown
/bin/uname -X = unknown
/bin/arch = unknown
/usr/bin/arch -k = unknown
/usr/convex/getsysinfo = unknown
/usr/bin/hostinfo = unknown
/bin/machine = unknown
/usr/bin/oslevel = unknown
/bin/universe = unknown
PATH: /usr/local/sbin
PATH: /usr/local/bin
PATH: /usr/sbin
PATH: /usr/bin
PATH: /sbin
PATH: /bin
PATH: /usr/games
## ----------- ##
## Core tests. ##
## ----------- ##
configure:1781: checking build system type
configure:1799: result: i686-pc-linux-gnu
configure:1821: checking host system type
configure:1836: result: i686-pc-linux-gnu
configure:1858: checking target system type
configure:1873: result: i686-pc-linux-gnu
configure:1951: checking for gcc
configure:2426: result:
configure:2432: checking for suffix of object files
configure:2458: gcc -c conftest.c >&5
configure:2461: $? = 0
configure:2484: result: o
configure:2488: checking whether we are using the GNU C compiler
configure:2517: gcc -c conftest.c >&5
configure:2523: $? = 0
configure:2530: test -z "$ac_c_werror_flag" || test ! -s conftest.err
configure:2533: $? = 0
configure:2540: test -s conftest.o
configure:2543: $? = 0
configure:2557: result: yes
configure:2562: checking whether gcc accepts -g
configure:2592: gcc -c -g conftest.c >&5
configure:2598: $? = 0
configure:2605: test -z "$ac_c_werror_flag" || test ! -s conftest.err
configure:2608: $? = 0
configure:2615: test -s conftest.o
configure:2618: $? = 0
configure:2748: result: yes
configure:2765: checking for gcc option to accept ISO C89
configure:2839: gcc -c -g -O2 conftest.c >&5
configure:2845: $? = 0
configure:2852: test -z "$ac_c_werror_flag" || test ! -s conftest.err
configure:2855: $? = 0
configure:2862: test -s conftest.o
configure:2865: $? = 0
configure:2885: result: none needed
configure:2957: checking for gcc
configure:2973: found /usr/bin/gcc
configure:2984: result: gcc
configure:3014: checking for Objective C compiler version
configure:3017: gcc --version </dev/null >&5
gcc (GCC) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
configure:3020: $? = 0
configure:3022: gcc -v </dev/null >&5
Using built-in specs.
Target: i486-linux-gnu
Configured with: ../src/configure -v --enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.2 --program-suffix=-4.2 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --enable-targets=all --enable-checking=release --build=i486-linux-gnu --host=i486-linux-gnu --target=i486-linux-gnu
Thread model: posix
gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu4)
configure:3025: $? = 0
configure:3027: gcc -V </dev/null >&5
gcc: '-V' option must have argument
configure:3030: $? = 1
configure:3033: checking whether we are using the GNU Objective C compiler
configure:3062: gcc -c conftest.m >&5
gcc: error trying to exec 'cc1obj': execvp: No such file or directory
configure:3068: $? = 1
configure: failed program was:
| /* confdefs.h. */
| #define PACKAGE_NAME "auth-ldap"
| #define PACKAGE_TARNAME "auth-ldap"
| #define PACKAGE_VERSION "2.0"
| #define PACKAGE_STRING "auth-ldap 2.0"
| #define PACKAGE_BUGREPORT "[email protected]"
| /* end confdefs.h. */
|
| int
| main ()
| {
| #ifndef __GNUC__
| choke me
| #endif
|
| ;
| return 0;
| }
configure:3102: result: no
configure:3108: checking whether gcc accepts -x objective-c
configure:3134: gcc -c -x objective-c conftest.m >&5
gcc: error trying to exec 'cc1obj': execvp: No such file or directory
configure:3140: $? = 1
configure: failed program was:
| /* confdefs.h. */
| #define PACKAGE_NAME "auth-ldap"
| #define PACKAGE_TARNAME "auth-ldap"
| #define PACKAGE_VERSION "2.0"
| #define PACKAGE_STRING "auth-ldap 2.0"
| #define PACKAGE_BUGREPORT "[email protected]"
| /* end confdefs.h. */
|
| int
| main ()
| {
|
| ;
| return 0;
Original issue reported on code.google.com by [email protected]
on 16 Oct 2009 at 4:10
What steps will reproduce the problem?
1. Setup openldap server that has just ldaps:/ access
2. Set options TLSCACertFile to point to the CA root certificate
3. openvpn-auth-ldap will not be able to connect to the ldap server
because it will do a bind before setting the TLS parameters.
What is the expected output? What do you see instead?
Anyways I guess it is better to set up the TLS transport and do the bind
afterwards. The other issue is that the option TLSEnable should be called
TLSstart or something. URL ldaps:// together with the option TLSEnable
will report an error.
What version of the product are you using? On what operating system?
OS: FreeBSD 7.0, openvpn-auth-ldap: 2.0.3
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 27 Aug 2008 at 5:31
Attachments:
[deleted issue]
What steps will reproduce the problem?
Try to build SVN checkout from trunk r1379 on FreeBSD
What is the expected output? What do you see instead?
Expected: build
Result: build errors about undefined TRLog* symbols or va_list symbols, or
building tests/tests, about undefined linker symbols.
The three attached patches fix the problem, and the src/* patches seem obvious
enough.
NOTE the patch-tests_Makefile.in adding -lcheck to LIBS in tests/Makefile.in is
a crude hack and should be replaced by the older @CHECK_LIBS@ code that used to
be in release 2.0.3 but has been removed post release, or by other decent code.
Original issue reported on code.google.com by [email protected]
on 5 Jan 2015 at 11:31
Attachments:
I have observed some strange behavior with pfsense+openvpn & ldap
authentication.
Setup
-------
- My setup has pfsense 1.2.3 (& openvpn bundled with it) & OpenDS 2.2 as ldap
provider.
- In ldap, I have base DN as "dc=baseorg,dc=com".
- There are two sub domains - "dc=orgone,dc=baseorg,dc=com",
"dc=orgtwo,dc=baseorg,dc=com".
- There's a user in each subdomain called "testuser".
- BaseDN in authorization section of the config is set to "dc=baseorg,dc=com".
- RequireGroup is set to false
Behavior - 1
---------------
Test: If I try to authenticate with [email protected]
Expected Behavior - Ideally auth should fail, as the user belongs to one of the
sub-domains.
Actual Behavior - User gets authenticated successfully.
Question - Is this an expected behavior?
Behavior - 2
---------------
Test: If I try to authenticate with junk values [email protected]
Expected Behavior - Ideally auth should fail with an error message for
incorrect username or domain.
Actual Behavior - A line in openvpn log - Incorrect password supplied for LDAP
DN "cn=testuser,dc=orgtwo,dc=baseorg,dc=com".
Question - How come "cn=testuser,dc=orgtwo,dc=baseorg,dc=com" is referred when
the values are junk?
Original issue reported on code.google.com by [email protected]
on 26 Nov 2010 at 5:15
Hello,
how can I configure this plugin, when I have multiple OUs with Users.
->OU1
-->OU2
-->OU3
--->OU4
->OU5
I've created a group named "VPN-Users" which the users are in. How do I
configure the conf file?
Thanks in advance.
Nico
Original issue reported on code.google.com by [email protected]
on 15 Aug 2011 at 2:38
I have Debian; I installed openvpn from sources.
I am installing the ldap plugin and I have this problem:
0.9ter:/usr/share/openvpn/auth-ldap-2.0.3# ./configure --with-openvpn openvpn-2.0
configure: WARNING: you should use --build, --host, --target
checking build system type... Invalid configuration `openvpn-2.0.9':
machine `openvpn' not recognized
configure: error: /bin/sh ./config.sub openvpn-2.0.9 failed
Original issue reported on code.google.com by [email protected]
on 16 Jun 2008 at 4:17
What version of the product are you using? On what operating system?
FreeBSD 8.0
openldap 2.4.21
openvpn 2.1.1
openvpn-auth-ldap-2.0.3
Please provide any additional information below.
I am unable to get openvpn to authenticate against an OpenLDAP server that
does not allow anonymous binds to search for uids. Below are logs from an
auth via lighttpd and from openvpn.
You can see that lighttpd binds using its service account, checks the
account object exists, and then attempts a bind using the discovered DN
for the user.
Openvpn-auth-ldap however appears to bind using the service account and
then to rebind as anonymous: AUTHZ anonymous. This then means it cannot
find the user that is connecting and so it fails.
Lighttpd
========
slapd[80287]: conn=1003 fd=13 ACCEPT from IP=10.0.9.2:58061 (IP=10.0.9.2:389)
slapd[80287]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[80287]: conn=1003 op=0 STARTTLS
slapd[80287]: conn=1003 op=0 RESULT oid= err=0 text=
slapd[80287]: conn=1003 fd=13 TLS established tls_ssf=256 ssf=256
slapd[80287]: conn=1003 op=1 BIND dn="uid=lighttpd,ou=services,dc=tector,dc=org,dc=uk" method=128
slapd[80287]: conn=1003 op=1 BIND dn="uid=lighttpd,ou=services,dc=tector,dc=org,dc=uk" mech=SIMPLE ssf=0
slapd[80287]: conn=1003 op=1 RESULT tag=97 err=0 text=
slapd[80287]: conn=1003 op=2 SRCH base="ou=users,dc=tector,dc=org,dc=uk" scope=2 deref=0 filter="(uid=richard)"
slapd[80287]: conn=1003 op=2 SRCH attr=1.1
slapd[80287]: conn=1003 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[80287]: conn=1004 fd=16 ACCEPT from IP=10.0.9.2:13430 (IP=10.0.9.2:389)
slapd[80287]: conn=1004 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[80287]: conn=1004 op=0 STARTTLS
slapd[80287]: conn=1004 op=0 RESULT oid= err=0 text=
slapd[80287]: conn=1004 fd=16 TLS established tls_ssf=256 ssf=256
slapd[80287]: conn=1004 op=1 BIND dn="uid=richard,ou=users,dc=tector,dc=org,dc=uk" method=128
slapd[80287]: conn=1004 op=1 BIND dn="uid=richard,ou=users,dc=tector,dc=org,dc=uk" mech=SIMPLE ssf=0
slapd[80287]: conn=1004 op=1 RESULT tag=97 err=0 text=
slapd[80287]: conn=1004 op=2 UNBIND
slapd[80287]: conn=1004 fd=16 closed
Openvpn-auth-ldap
=================
slapd[80287]: conn=1045 fd=13 ACCEPT from IP=10.0.9.2:43556 (IP=10.0.9.2:389)
slapd[80287]: conn=1045 op=0 BIND dn="uid=openvpn,ou=services,dc=tector,dc=org,dc=uk" method=128
slapd[80287]: conn=1045 op=0 BIND dn="uid=openvpn,ou=services,dc=tector,dc=org,dc=uk" mech=SIMPLE ssf=0
slapd[80287]: conn=1045 op=0 RESULT tag=97 err=0 text=
slapd[80287]: conn=1045 op=1 EXT oid=1.3.6.1.4.1.1466.20037
slapd[80287]: conn=1045 op=1 STARTTLS
slapd[80287]: conn=1045 op=1 AUTHZ anonymous mech=starttls ssf=0
slapd[80287]: conn=1045 op=1 RESULT oid= err=0 text=
slapd[80287]: conn=1045 fd=13 TLS established tls_ssf=256 ssf=256
slapd[80287]: conn=1045 op=2 SRCH base="ou=users,dc=tector,dc=org,dc=uk" scope=2 deref=0 filter="(uid=richard)"
slapd[80287]: conn=1045 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd[80287]: conn=1045 op=3 UNBIND
slapd[80287]: conn=1045 fd=13 closed
Original issue reported on code.google.com by [email protected]
on 29 Mar 2010 at 12:51
Hello to all.
We have an AD with different OUs.
For example :
IT
Finance
Inside these OUs are users. Is the plugin able to search recursively in
those OUs?
BR
Original issue reported on code.google.com by [email protected]
on 5 Nov 2009 at 11:41
What steps will reproduce the problem?
1. configured the openvpn
2. configured the openldap
3. stuck with integrating these two with open-auth-ldap.conf
not sure how to proceed?
What is the expected output? What do you see instead?
as such no output
What version of the product are you using? On what operating system?
ubuntu 8.04 LTs Server
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 21 Aug 2009 at 1:48
What steps will reproduce the problem?
1. at my windows client, right click on client.ovpn
2. start openvpn on this config file
3. insert user and pass
What is the expected output? What do you see instead?
I see: No remote address supplied to OpenVPN LDAP Plugin
(OPENVPN_PLUGIN_CLIENT_CONNECT).
Instead of: Connected.
What version of the product are you using? On what operating system?
openvpn 2.0.9 and auth-ldap-2.0.3 in FreeBSD 6.2
Please provide any additional information below.
When i try to connect with my openvpn windows client i get this on my log
of openvpn server:
Fri Aug 22 05:33:46 2008 us=707255 MULTI: multi_create_instance called
Fri Aug 22 05:33:46 2008 us=707378 172.16.0.12:4901 Re-using SSL/TLS context
Fri Aug 22 05:33:46 2008 us=707629 172.16.0.12:4901 Control Channel MTU parms [ L:1577 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Aug 22 05:33:46 2008 us=707678 172.16.0.12:4901 Data Channel MTU parms [ L:1577 D:1300 EF:45 EB:4 ET:32 EL:0 ]
Fri Aug 22 05:33:46 2008 us=707771 172.16.0.12:4901 Fragmentation MTU parms [ L:1577 D:1300 EF:45 EB:4 ET:32 EL:0 ]
Fri Aug 22 05:33:46 2008 us=707863 172.16.0.12:4901 Local Options String: 'V4,dev-type tap,link-mtu 1577,tun-mtu 1532,proto UDPv4,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Aug 22 05:33:46 2008 us=707957 172.16.0.12:4901 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1577,tun-mtu 1532,proto UDPv4,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Aug 22 05:33:46 2008 us=708019 172.16.0.12:4901 Local Options hash (VER=V4): '002d8bc3'
Fri Aug 22 05:33:46 2008 us=708116 172.16.0.12:4901 Expected Remote Options hash (VER=V4): 'cb29316b'
Fri Aug 22 05:33:46 2008 us=708214 172.16.0.12:4901 TLS: Initial packet from 172.16.0.12:4901, sid=84f43e9e dccd5cf2
Fri Aug 22 05:33:46 2008 us=788470 172.16.0.12:4901 VERIFY OK: depth=1, /C=PT/ST=LX/L=LISBOA/O=P_P/OU=IF/CN=syndrome.onsite.pt/emailAddress=pedro@pessoaseprocessos.com
Fri Aug 22 05:33:46 2008 us=788834 172.16.0.12:4901 VERIFY OK: depth=0, /C=PT/ST=LX/O=P_P/OU=IF/CN=syndrome.onsite.pt/emailAddress=pedro@pessoaseprocessos.com
Fri Aug 22 05:33:46 2008 us=804979 172.16.0.12:4901 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Fri Aug 22 05:33:46 2008 us=805218 172.16.0.12:4901 TLS: Username/Password authentication succeeded for username 'pedro'
Fri Aug 22 05:33:46 2008 us=805773 172.16.0.12:4901 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Aug 22 05:33:46 2008 us=805850 172.16.0.12:4901 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 22 05:33:46 2008 us=806047 172.16.0.12:4901 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Aug 22 05:33:46 2008 us=806102 172.16.0.12:4901 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 22 05:33:46 2008 us=810544 172.16.0.12:4901 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Aug 22 05:33:46 2008 us=810621 172.16.0.12:4901 [syndrome.onsite.pt] Peer Connection Initiated with 172.16.0.12:4901
No remote address supplied to OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_CONNECT).
Fri Aug 22 05:33:46 2008 us=813079 syndrome.onsite.pt/172.16.0.12:4901 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=1
Fri Aug 22 05:33:46 2008 us=813213 syndrome.onsite.pt/172.16.0.12:4901 PLUGIN_CALL: plugin function PLUGIN_CLIENT_CONNECT failed with status 1: /usr/local/lib/openvpn-auth-ldap.so
Fri Aug 22 05:33:46 2008 us=813377 syndrome.onsite.pt/172.16.0.12:4901 WARNING: client-connect plugin call failed
Fri Aug 22 05:33:47 2008 us=694000 syndrome.onsite.pt/172.16.0.12:4901 PUSH: Received control message: 'PUSH_REQUEST'
Fri Aug 22 05:33:47 2008 us=694127 syndrome.onsite.pt/172.16.0.12:4901 SENT CONTROL [syndrome.onsite.pt]: 'AUTH_FAILED' (status=1)
Fri Aug 22 05:33:47 2008 us=694255 syndrome.onsite.pt/172.16.0.12:4901 Delayed exit in 5 seconds
Original issue reported on code.google.com by [email protected]
on 22 Aug 2008 at 1:48
What is the expected output? What do you see instead?
The expected output is to work. but it does not.
What version of the product are you using? On what operating system?
auth-ldap-2.0.3. operation System = Debian 5.0.
Please provide any additional information below :
Here is what the group looks like in LDAP:
dn: ou=Group,dc=users,dc=test,dc=loc
ou: Group
objectClass: top
objectClass: organizationalUnit
dn: cn=admins,ou=Group,dc=users,dc=test,dc=loc
objectClass: posixGroup
objectClass: top
cn: admins
gidNumber: 1000
memberUid: username
dn: cn=vpn,ou=Group,dc=users,dc=test,dc=loc
objectClass: posixGroup
objectClass: top
cn: vpn
gidNumber: 5000
# Here is the output of the ldap search :
users:/# ldapsearch -D "cn=admin,dc=users,dc=test,dc=loc" -W -x -b "ou=Group,dc=users,dc=test,dc=loc" "(|(cn=admins)(cn=vpn))" "memberUid"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=Group,dc=users,dc=test,dc=loc> with scope subtree
# filter: (|(cn=admins)(cn=vpn))
# requesting: memberUid
#
dn: cn=admins,ou=Group,dc=users,dc=test,dc=loc
memberUid: username
dn: cn=vpn,ou=Group,dc=users,dc=test,dc=loc
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
# Here is the result of testplugin :
vpn:/usr/local/src/auth-ldap-2.0.3/src# /usr/local/src/auth-ldap-2.0.3/src/testplugin /etc/openvpn/ldap.conf
Username: username
Password:
Authorization Failed!
No matching LDAP group found for user DN
"uid=username,ou=People,dc=users,dc=test,dc=loc", and group membership is
required.
client-connect failed!
No matching LDAP group found for user DN
"uid=username,ou=People,dc=users,dc=test,dc=loc", and group membership is
required.
client-disconnect failed!
#####
However, when I set RequireGroup to false in the configuration file, it
DOES WORK. That indicates that LDAP and OpenVPN work just fine; however,
there is a problem with my configuration or a problem with the code itself.
I notice that the search result returns 2 lines, and that might be the
problem; I do not know.
#####
Original issue reported on code.google.com by [email protected]
on 10 Mar 2009 at 3:44
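Both group-membership reports above (6 Dec 2008 and 10 Mar 2009) use posixGroup entries whose memberUid attribute holds the bare login name, while the plugin's failure message names the user's DN. The Python below is an added walkthrough of the two-step authorization those configs describe, not the plugin's own code: it substitutes %u into the user SearchFilter with RFC 4515 escaping (so a username such as `*)(uid=*` cannot widen the search; since the plugin then binds with the user's password, an unescaped substitution mis-resolves or enumerates accounts rather than bypassing authentication outright), resolves the user entry, and then evaluates the Group section against each candidate group, comparing against the uid for memberUid and against the DN for DN-valued attributes such as member or uniqueMember. The in-memory directory is constructed from the LDIF in the 10 Mar 2009 report plus the user entry its testplugin output names; the `dn_only` flag is an assumption that models a check comparing the member attribute only against the DN, which is consistent with the quoted messages but is not established by these reports to be what 2.0.3 does.

```python
import re

def escape_filter_value(value):
    """RFC 4515 escaping for a value that is substituted into a search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)

def render_filter(template, username, escape=True):
    """Substitute %u as the SearchFilter templates on this page use it.
    escape=False shows what an unescaped substitution does to the filter."""
    return template.replace('%u', escape_filter_value(username) if escape else username)

# Constructed directory: the two posixGroup entries from the 10 Mar 2009
# report plus the user entry named in its testplugin output.
DIRECTORY = {
    'uid=username,ou=People,dc=users,dc=test,dc=loc': {
        'objectClass': ['posixAccount'], 'uid': ['username'], 'cn': ['username']},
    'cn=admins,ou=Group,dc=users,dc=test,dc=loc': {
        'objectClass': ['posixGroup'], 'cn': ['admins'], 'gidNumber': ['1000'],
        'memberUid': ['username']},
    'cn=vpn,ou=Group,dc=users,dc=test,dc=loc': {
        'objectClass': ['posixGroup'], 'cn': ['vpn'], 'gidNumber': ['5000']},
}

def _values(entry, attr):
    # LDAP attribute names are case-insensitive.
    return [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]

def _unescape(s):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m[1], 16)), s)

def matches_filter(entry, flt):
    """Evaluate the RFC 4515 subset used on this page: (attr=value) with '*'
    wildcards and \\xx escapes, plus (&...) and (|...)."""
    flt = flt.strip()
    if flt[:2] in ('(&', '(|'):
        inner, parts, depth, start = flt[2:-1], [], 0, 0
        for i, ch in enumerate(inner):
            depth += (ch == '(') - (ch == ')')
            if depth == 0:
                parts.append(inner[start:i + 1])
                start = i + 1
        results = [matches_filter(entry, p) for p in parts]
        return all(results) if flt[1] == '&' else any(results)
    m = re.fullmatch(r'\((?P<attr>[\w.-]+)=(?P<val>[^()]*)\)', flt)
    if not m:
        raise ValueError(f'unsupported filter: {flt}')
    # Split on literal '*' before unescaping, so an escaped \2a stays literal.
    pattern = '.*'.join(re.escape(_unescape(p)) for p in m['val'].split('*'))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in _values(entry, m['attr']))

def search(base, flt):
    """Subtree search over the constructed directory."""
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches_filter(e, flt)]

def authorize(username, user_cfg, group_cfg=None, escape=True, dn_only=False):
    """Resolve the user, then (if group_cfg is given) require a matching group.
    Returns (user_dn, group_dn); either may be None. dn_only=True is an
    assumed model of a check that compares the member attribute against the
    user DN regardless of attribute type."""
    hits = search(user_cfg['BaseDN'], render_filter(user_cfg['SearchFilter'], username, escape))
    if len(hits) != 1:
        return None, None
    user_dn = hits[0]
    if group_cfg is None:
        return user_dn, None
    attr = group_cfg['MemberAttribute']
    # RFC 2307 memberUid holds the login name; member/uniqueMember hold a DN.
    wanted = user_dn if (dn_only or attr.lower() != 'memberuid') else username
    for gdn in search(group_cfg['BaseDN'], group_cfg['SearchFilter']):
        if any(v.lower() == wanted.lower() for v in _values(DIRECTORY[gdn], attr)):
            return user_dn, gdn
    return user_dn, None

# Constructed config values in the shape of the <Authorization> sections above.
USER_CFG = {'BaseDN': 'dc=users,dc=test,dc=loc',
            'SearchFilter': '(&(objectClass=posixAccount)(uid=%u))'}
GROUP_CFG = {'BaseDN': 'ou=Group,dc=users,dc=test,dc=loc',
             'SearchFilter': '(|(cn=admins)(cn=vpn))', 'MemberAttribute': 'memberUid'}

if __name__ == '__main__':
    print(authorize('username', USER_CFG, GROUP_CFG))
    print(authorize('username', USER_CFG, GROUP_CFG, dn_only=True))
    print(authorize('*', USER_CFG), authorize('*', USER_CFG, escape=False))
```

Run stand-alone, the second call returns no group for a user who is plainly listed in admins, which is the shape of failure both reports show; the last line shows why the %u substitution has to be escaped before it reaches the directory.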
Hello,
I'm trying to set up an OpenVPN server which authenticates via certificate OR LDAP
(not both at the same time). I'm trying to achieve this by using the
auth-user-pass-optional option in the openvpn config.
As documentation says "When this option is used, and a connecting client does
not submit a username/password, the user-defined authentication module/script
will see the username and password as being set to empty strings (""). The
authentication module/script MUST have logic to detect this condition and
respond accordingly."
But as I can see in logs LDAP plugin tries to perform bind auth with empty
username. And obviously it fails.
Could the plugin be adapted to cope with auth-user-pass-optional case?
Original issue reported on code.google.com by [email protected]
on 31 May 2013 at 3:53
I'm currently packaging openvpn-auth-ldap for Gentoo.
The install target fails due to missing intermediate directories since binaries
are installed into a temporary directory before installing it into the live
system.
Using -D in the install command fixes the problem (see attached patch).
Original issue reported on code.google.com by [email protected]
on 8 Nov 2013 at 5:49
Attachments:
What steps will reproduce the problem?
1. create config file with no new line after last line
2. run openvpn or testplugin
3. watch it bus error
What is the expected output? What do you see instead?
An error message indicating a configuration problem. Instead only a bus error.
What version of the product are you using? On what operating system?
2.0.3 on OS X 10.5.5
Please provide any additional information below.
GDB output:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000004
-[LFAuthLDAPConfig startSection:sectionName:] (self=0x100710, _cmd=0xc42c, sectionType=0x101600, name=0x0) at LFAuthLDAPConfig.m:531
531 switch (opcodeEntry->opcode) {
( Line numbers are slightly off because I added some debug code to my tree )
Reason for crash:
Without a new line, the parser is picking up /Authorization as a new config
section. Calls to
parse_opcode will then fail and return a null pointer, which is accessed in the
switch statement
further down.
Possible Resolution:
Check for opcodeEntry == NULL, or throw an exception on NULL from method
parse_opcode (TRConfigToken *token, OpcodeTable **tables) in LFAuthLDAPConfig.m
Original issue reported on code.google.com by [email protected]
on 30 Dec 2008 at 7:55
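Three of the reports on this page are lexer edge cases in the same config format: the 25 Apr 2014 parse error on line 3 (the BindDN value contains a space and is not quoted, while the other configs on this page quote such values), and the 19 Jan 2015 assertion and the 30 Dec 2008 bus error, both triggered by a file without a trailing newline. The following Python parser is an added example, not the plugin's Objective-C/re2c lexer: it reads the `<Section> ... </Section>` and `Key value` format shown in the configs above, supports double-quoted values, treats a file with and without a final LF identically, and reports an unquoted value containing whitespace as an error with the line number rather than aborting. Nested sections (Group inside Authorization), `#` comments, and the tolerant end-of-file handling are assumptions about the desired behavior; the two sample inputs are constructed from the 6 Dec 2008 and 25 Apr 2014 configs.

```python
import re

class ConfigError(Exception):
    pass

# One token per alternative. A double-quoted value may contain whitespace;
# a bare value stops at whitespace, which is why an unquoted DN with a space
# in it produces an extra, unexpected token on that line.
TOKEN_RE = re.compile(r'''
    \s*(?:
      (?P<comment>\#[^\n]*)
    | <(?P<open_name>[A-Za-z_][\w-]*)>
    | </(?P<close_name>[A-Za-z_][\w-]*)>
    | "(?P<quoted>(?:[^"\\]|\\.)*)"
    | (?P<bare>[^\s"<>#]+)
    )''', re.VERBOSE)

def tokenize_line(line, lineno):
    pos, out = 0, []
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if m is None:
            if line[pos:].strip() == '':
                break                      # trailing whitespace only
            raise ConfigError(f'line {lineno}: unexpected text {line[pos:].strip()!r}')
        pos = m.end()
        if m['comment'] is not None:
            break
        if m['open_name']:
            out.append(('open', m['open_name']))
        elif m['close_name']:
            out.append(('close', m['close_name']))
        elif m['quoted'] is not None:
            out.append(('value', re.sub(r'\\(.)', r'\1', m['quoted'])))
        else:
            out.append(('value', m['bare']))
    return out

def parse_config(text):
    """Parse the <Section> ... </Section> / 'Key value' format into nested
    dicts, e.g. {'LDAP': {...}, 'Authorization': {'Group': {...}, ...}}."""
    root, stack, path = {}, [], []
    stack.append(root)
    # splitlines() yields the final line whether or not it ends in LF, so a
    # file without a trailing newline needs no sentinel byte to terminate it.
    for lineno, line in enumerate(text.splitlines(), 1):
        toks = tokenize_line(line, lineno)
        if not toks:
            continue
        kind, first = toks[0]
        if kind == 'open':
            if len(toks) != 1:
                raise ConfigError(f'line {lineno}: trailing text after <{first}>')
            section = {}
            stack[-1][first] = section
            stack.append(section)
            path.append(first)
        elif kind == 'close':
            if not path or path[-1] != first:
                raise ConfigError(f'line {lineno}: unexpected </{first}>')
            stack.pop()
            path.pop()
        elif len(toks) == 2 and toks[1][0] == 'value':
            stack[-1][first] = toks[1][1]
        else:
            raise ConfigError(f'line {lineno}: expected "Key value" '
                              f'(quote values that contain spaces), got {len(toks)} tokens')
    if path:
        raise ConfigError(f'unterminated section <{path[-1]}> at end of file')
    return root

def check_config(text):
    """Return (config, None) on success or (None, message) on a parse error."""
    try:
        return parse_config(text), None
    except ConfigError as e:
        return None, str(e)

# Constructed inputs: the 6 Dec 2008 config with its final newline removed,
# and the 25 Apr 2014 BindDN line with its unquoted space.
NO_TRAILING_LF = ('<LDAP>\nURL ldap://dir\nBindDN cn=admin,dc=XXX,dc=local\nPassword pass\n'
                  'Timeout 15\n</LDAP>\n<Authorization>\nBaseDN "dc=XXX,dc=local"\n'
                  'SearchFilter "(&(objectClass=posixAccount)(cn=%u))"\nRequireGroup true\n'
                  '<Group>\nBaseDN "ou=groups,dc=XXX,dc=local"\nSearchFilter "(cn=Jabber)"\n'
                  'MemberAttribute memberUid\n</Group>\n</Authorization>')
UNQUOTED_DN = ('<LDAP>\nURL ldap://ldap.example.com:389\n'
               'BindDN cn=Company DirManager,dc=example,dc=com\nPassword password\n</LDAP>\n')

if __name__ == '__main__':
    print(check_config(NO_TRAILING_LF))
    print(check_config(UNQUOTED_DN))
```

The second call reports the error on line 3, the same line the 25 Apr 2014 report names; quoting the BindDN value makes it parse.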
What steps will reproduce the problem?
1. Configuration: Use TLS, don't allow anonymous binds
This will cause the plugin to first perform the bind, then issue STARTTLS,
which will move the LDAP authorization status back to "anonymous" (see
http://tools.ietf.org/html/rfc4513#section-4). If you move the code in
auth-ldap.m, which performs the binding (calling bindWithDN) to the end of
connect_ldap() (just before "return ldap"), everything should work fine.
What version of the product are you using? On what operating system?
I'm using version 2.0.3 on a debian lenny.
Original issue reported on code.google.com by [email protected]
on 9 Jan 2010 at 7:32
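The bind-before-STARTTLS ordering described in this report, in the 27 Aug 2008 and 30 Sep 2011 reports, and in the slapd logs of the 29 Mar 2010 report above is visible from the directory server's side, which is where an operator would check for it. The Python below is an added example, not part of the plugin or of any of these reports: it parses slapd log lines of the form shown on this page, groups them by conn=N, and flags any connection whose simple BIND with a non-empty DN precedes "TLS established" (the credentials crossed the wire in clear) and any connection where a BIND is followed by "AUTHZ anonymous" (STARTTLS discarded the bind's authorization state, per RFC 4513 section 4, so the later search runs anonymously). The sample log is constructed from the lighttpd (conn=1003) and openvpn-auth-ldap (conn=1045) conversations in that report.

```python
import re
from collections import defaultdict

# Constructed sample: the lighttpd (conn=1003) and openvpn-auth-ldap (conn=1045)
# conversations from the 29 Mar 2010 report, one slapd entry per line.
SAMPLE_LOG = """\
slapd[80287]: conn=1003 fd=13 ACCEPT from IP=10.0.9.2:58061 (IP=10.0.9.2:389)
slapd[80287]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
slapd[80287]: conn=1003 op=0 STARTTLS
slapd[80287]: conn=1003 op=0 RESULT oid= err=0 text=
slapd[80287]: conn=1003 fd=13 TLS established tls_ssf=256 ssf=256
slapd[80287]: conn=1003 op=1 BIND dn="uid=lighttpd,ou=services,dc=tector,dc=org,dc=uk" method=128
slapd[80287]: conn=1003 op=1 BIND dn="uid=lighttpd,ou=services,dc=tector,dc=org,dc=uk" mech=SIMPLE ssf=0
slapd[80287]: conn=1003 op=1 RESULT tag=97 err=0 text=
slapd[80287]: conn=1003 op=2 SRCH base="ou=users,dc=tector,dc=org,dc=uk" scope=2 deref=0 filter="(uid=richard)"
slapd[80287]: conn=1003 op=2 SRCH attr=1.1
slapd[80287]: conn=1003 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[80287]: conn=1045 fd=13 ACCEPT from IP=10.0.9.2:43556 (IP=10.0.9.2:389)
slapd[80287]: conn=1045 op=0 BIND dn="uid=openvpn,ou=services,dc=tector,dc=org,dc=uk" method=128
slapd[80287]: conn=1045 op=0 BIND dn="uid=openvpn,ou=services,dc=tector,dc=org,dc=uk" mech=SIMPLE ssf=0
slapd[80287]: conn=1045 op=0 RESULT tag=97 err=0 text=
slapd[80287]: conn=1045 op=1 EXT oid=1.3.6.1.4.1.1466.20037
slapd[80287]: conn=1045 op=1 STARTTLS
slapd[80287]: conn=1045 op=1 AUTHZ anonymous mech=starttls ssf=0
slapd[80287]: conn=1045 op=1 RESULT oid= err=0 text=
slapd[80287]: conn=1045 fd=13 TLS established tls_ssf=256 ssf=256
slapd[80287]: conn=1045 op=2 SRCH base="ou=users,dc=tector,dc=org,dc=uk" scope=2 deref=0 filter="(uid=richard)"
slapd[80287]: conn=1045 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd[80287]: conn=1045 op=3 UNBIND
slapd[80287]: conn=1045 fd=13 closed
"""

LINE_RE = re.compile(r'conn=(?P<conn>\d+) (?:op=\d+ )?(?P<rest>.*)$')
# Only the second BIND line (mech=SIMPLE) carries the mechanism; method=128 lines are ignored.
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+) ssf=\d+')

def parse_events(log_text):
    """Group the per-connection part of each slapd line by conn=N, in file order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events[int(m['conn'])].append(m['rest'])
    return dict(events)

def find_cleartext_binds(log_text):
    """Connections whose first simple BIND with a non-empty DN happens before
    slapd reports 'TLS established'. Returns [(conn, dn), ...] sorted by conn."""
    findings = []
    for conn, ops in sorted(parse_events(log_text).items()):
        tls_up = False
        for rest in ops:
            if 'TLS established' in rest:
                tls_up = True
                continue
            b = BIND_RE.match(rest)
            if b and b['mech'] == 'SIMPLE' and b['dn']:
                if not tls_up:
                    findings.append((conn, b['dn']))
                break            # the first authenticated bind decides it
    return findings

def authz_reset_after_bind(log_text):
    """Connections where a BIND is later followed by 'AUTHZ anonymous', i.e.
    STARTTLS reset the authorization state. Returns sorted conn numbers."""
    reset = []
    for conn, ops in sorted(parse_events(log_text).items()):
        bound = False
        for rest in ops:
            b = BIND_RE.match(rest)
            if b and b['dn']:
                bound = True
            elif bound and rest.startswith('AUTHZ anonymous'):
                reset.append(conn)
                break
    return reset

if __name__ == '__main__':
    for conn, dn in find_cleartext_binds(SAMPLE_LOG):
        print(f'conn={conn}: simple bind as {dn} before TLS')
    print('authorization reset by STARTTLS on:', authz_reset_after_bind(SAMPLE_LOG))
```

Against the sample, conn=1003 (STARTTLS, then BIND) is clean and conn=1045 (BIND, then STARTTLS) is flagged on both counts, which is exactly the pattern the err=32 nentries=0 search result in that report follows from.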
What steps will reproduce the problem?
1. Freebsd 9.x or 10.x install
2. Install openvpn-auth-ldap package (version 2.0.3)
3. configure to use it in ldap.conf:
plugin /usr/local/lib/openvpn-auth-ldap.so "/usr/local/etc/openvpn/ldap.conf"
What is the expected output? What do you see instead?
Not starting openvpn, because in the log (with verb 11):
Sun Jun 22 11:52:07 2014 us=259528 Current Parameter Settings:
Sun Jun 22 11:52:07 2014 us=260003 config =
'/usr/local/etc/openvpn/openvpn.conf'
Sun Jun 22 11:52:07 2014 us=260023 mode = 1
Sun Jun 22 11:52:07 2014 us=260041 show_ciphers = DISABLED
Sun Jun 22 11:52:07 2014 us=260063 show_digests = DISABLED
Sun Jun 22 11:52:07 2014 us=260080 show_engines = DISABLED
Sun Jun 22 11:52:07 2014 us=260097 genkey = DISABLED
Sun Jun 22 11:52:07 2014 us=260114 key_pass_file = '[UNDEF]'
Sun Jun 22 11:52:07 2014 us=260130 show_tls_ciphers = DISABLED
Sun Jun 22 11:52:07 2014 us=260147 Connection profiles [default]:
Sun Jun 22 11:52:07 2014 us=260165 proto = udp
Sun Jun 22 11:52:07 2014 us=260182 local = '****hostnam***'
Sun Jun 22 11:52:07 2014 us=260198 local_port = 1194
Sun Jun 22 11:52:07 2014 us=260215 remote = '[UNDEF]'
Sun Jun 22 11:52:07 2014 us=260233 remote_port = 1194
Sun Jun 22 11:52:07 2014 us=260250 remote_float = DISABLED
Sun Jun 22 11:52:07 2014 us=260267 bind_defined = DISABLED
Sun Jun 22 11:52:07 2014 us=260284 bind_local = ENABLED
Sun Jun 22 11:52:07 2014 us=260300 connect_retry_seconds = 5
Sun Jun 22 11:52:07 2014 us=260317 connect_timeout = 10
Sun Jun 22 11:52:07 2014 us=260334 NOTE: --mute triggered...
Sun Jun 22 11:52:07 2014 us=260367 213 variation(s) on previous 20 message(s)
suppressed by --mute
Sun Jun 22 11:52:07 2014 us=260385 OpenVPN 2.3.4 amd64-portbld-freebsd10.0 [SSL
(OpenSSL)] [LZO] [MH] [IPv6] built on May 31 2014
Sun Jun 22 11:52:07 2014 us=260409 library versions: OpenSSL 1.0.1e-freebsd 11
Feb 2013, LZO 2.06
Sun Jun 22 11:52:07 2014 us=260745 PLUGIN_INIT: POST
/usr/local/lib/openvpn-auth-ldap.so '[/usr/local/lib/openvpn-auth-ldap.so]
[/usr/local/etc/openvpn/ldap.conf]'
intercepted=PLUGIN_UP|PLUGIN_DOWN|PLUGIN_ROUTE_UP|PLUGIN_IPCHANGE|PLUGIN_TLS_VER
IFY|PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT|
PLUGIN_LEARN_ADDRESS|PLUGIN_CLIENT_CONNECT|PLUGIN_TLS_FINAL|PLUGIN_ENABLE_PF|PLU
GIN_ROUTE_PREDOWN
Sun Jun 22 11:52:07 2014 us=260766 PLUGIN_INIT: plugin initialization function
failed: /usr/local/lib/openvpn-auth-ldap.so
Sun Jun 22 11:52:07 2014 us=260799 Exiting due to fatal error
What version of the product are you using? On what operating system?
Freebsd 9 or 10, openvpn-auth-ldap version
Please provide any additional information below.
Earlier the same config worked on Freebsd 8; others see the same, like:
https://forums.freebsd.org/viewtopic.php?f=43&t=46922
http://lists.freebsd.org/pipermail/freebsd-bugs/2014-June/056360.html
Tried to create from source with gcc47 but that was worse:
Sun Jun 22 19:16:10 2014 us=463109 PLUGIN_INIT: could not load plugin shared
object /usr/local/lib/openvpn-auth-ldap.so:
/usr/local/lib/openvpn-auth-ldap.so: Undefined symbol "objc_msgSendSuper"
Sun Jun 22 19:16:10 2014 us=463596 Exiting due to fatal error
Original issue reported on code.google.com by [email protected]
on 22 Jun 2014 at 5:27
What steps will reproduce the problem?
1. Compile with gcc 4.7
2. Configure openvpn to use ldap auth
3. segfault on start
openvpn[1220]: segfault at 0 ip b704125f sp bfa9a150 error 4 in
libobjc.so.4.0.0[b7034000+16000]
What version of the product are you using? On what operating system?
version 2.0.3
Fedora 17 32-bit but seen on others, see:
https://bugzilla.redhat.com/show_bug.cgi?id=870988
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641811
http://serverfault.com/questions/327294/openvpn-segmentation-fault
Original issue reported on code.google.com by [email protected]
on 6 Feb 2013 at 4:22
Hi,
I have a problem with an account with a dot inside. For example, when I try to check the plugin configuration and put username: piotr, everything works ok:
./testplugin /usr/local/etc/openvpn/auth/auth-ldap.conf
Username: piotr
Password:
Authorization Succeed!
client-connect succeed!
client-disconnect succeed!
but when I put a username with a dot inside: piotr.xyz (the user exists in LDAP and is a member of vpnUsers) the plugin shows:
./testplugin /usr/local/etc/openvpn/auth/auth-ldap.conf
Username: piotr.xyz
Password:
LDAP user "piotr.xyz" was not found.
Authorization Failed!
LDAP user "piotr.xyz" was not found.
client-connect failed!
LDAP user "piotr.xyz" was not found.
client-disconnect failed!
My auth section config:
<Authorization>
BaseDN "cn=users,dc=bbb,dc=aaa"
SearchFilter "sAMAccountName=%u"
RequireGroup true
<Group>
BaseDN "cn=users,dc=bbb,dc=aaa"
SearchFilter "cn=vpnUsers"
MemberAttribute Member
</Group>
</Authorization>
Can anybody help me? :)
Original issue reported on code.google.com by [email protected]
on 3 Feb 2011 at 9:06
What version of the product are you using? On what operating system?
OpenVPN on Ubuntu Hardy 32 bits with auth-ldap-2.0.3 installed from source.
The attached file is the tree of what I see from my LDAP browser on the AD server for domain dc=XXX,dc=ZZZ. Basically I've got 2 different branches with their own set of users (ou=YYY,dc=XXX,dc=ZZZ and ou=AAA,dc=XXX,dc=ZZZ). I want to give access to users of both trees.
When I point my configuration to a specific branch ou=YYY,dc=XXX,dc=ZZZ I can authenticate users within this branch:
# auth-ldap configuration
<LDAP>
URL ldap://AD_IP
BindDN "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ"
Password pass
FollowReferrals no
</LDAP>
<Authorization>
BaseDN "OU=YYY,DC=XXX,DC=YYY"
SearchFilter "sAMAccountName=%u"
RequireGroup false
</Authorization>
Here is the tethereal output of the LDAP traffic when a user logs in:
1 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple
2 LDAP bindResponse(1) success
3 LDAP searchRequest(2) "OU=YYY,DC=XXX,DC=ZZZ" wholeSubtree
4 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ"
5 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple
6 LDAP bindResponse(1) success
7 LDAP bindRequest(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ" 8
simple
9 LDAP bindResponse(2) success
10 LDAP unbindRequest(3)
11 LDAP unbindRequest(3)
12 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple
13 LDAP bindResponse(1) success
14 LDAP searchRequest(2) "OU=YYY,DC=XXX,DC=ZZZ" wholeSubtree
15 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ"
16 LDAP unbindRequest(3)
I wonder why it searches a 2nd time after validating my OpenVPN client user... but that's not my problem. This works.
My problem starts when I change the basedn to point to the root of my AD structure to be able to let users of 2 branches authenticate. In my configuration I just change
BaseDN "DC=XXX,DC=YYY"
and here is the tethereal output:
1 LDAP bindRequest(1) "CN=ldapbrowser,CN=Users,DC=XXX,DC=ZZZ" simple
2 LDAP bindResponse(1) success
3 LDAP searchRequest(2) "DC=XXX,DC=ZZZ" wholeSubtree
4 LDAP searchResEntry(2) "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ"
5 LDAP bindRequest(4) "<ROOT>" simple
6 LDAP bindResponse(4) success
7 LDAP bindRequest(6) "<ROOT>" simple
8 LDAP bindResponse(6) success
9 LDAP bindRequest(8) "<ROOT>" simple
10 LDAP bindResponse(8) success
11 LDAP searchRequest(7) "CN=Configuration,DC=XXX,DC=ZZZ" wholeSubtree
12 LDAP searchRequest(5) "DC=DomainDnsZones,DC=XXX,DC=ZZZ" wholeSubtree
13 LDAP searchRequest(3) "DC=ForestDnsZones,DC=XXX,DC=ZZZ" wholeSubtree
14 LDAP searchResDone(3) operationsError (00000000: LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece)
15 LDAP unbindRequest(9)
16 LDAP searchResDone(7) operationsError (00000000: LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece)
17 LDAP searchResDone(5) operationsError (00000000: LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece)
18 LDAP unbindRequest(10)
19 LDAP unbindRequest(11)
20 LDAP unbindRequest(12)
At line 4, it definitely finds my user. But on line 5 it also tries to bind <ROOT>, which is something I don't know...
And after that it tries to search in sub branches of Windows Active Directory that require higher privileges. Once it got knocked out somewhere it refused to try to bind my user and validate my VPN user.
Should auth-ldap take the found object, ignore the failed search and try to authenticate as that user?
Thank you
Original issue reported on code.google.com by [email protected]
on 25 Jun 2008 at 4:35
Attachments:
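An added simulation (constructed, not the plugin's or libldap's code) of what the second trace above shows: a subtree search at the domain root returns the user entry plus referrals to the Configuration and DNS-zone naming contexts, and chasing those on fresh connections that only bind anonymously is refused. Ignoring the referrals leaves the found entry usable. An RFC 4515 escape for the %u substitution is included because the username comes from the VPN client; the entry DNs, attribute values and the AD_IP host name are made up.

```python
"""Constructed model of an AD domain partition with subordinate naming
contexts, the referrals a root-level subtree search produces, and what
happens when a client chases them anonymously."""
import re


class LdapOperationsError(Exception):
    """Mirrors AD's 'a successful bind must be completed on the connection'."""


DOMAIN = "DC=XXX,DC=ZZZ"
# AD advertises these partitions as searchResRef referrals whenever a
# subtree search's base contains them, which the domain root does.
SUBORDINATE_CONTEXTS = [
    "DC=DomainDnsZones,DC=XXX,DC=ZZZ",
    "DC=ForestDnsZones,DC=XXX,DC=ZZZ",
    "CN=Configuration,DC=XXX,DC=ZZZ",
]
# Constructed entries, one per branch from the report.
ENTRIES = {
    "CN=Bruno Clermont,OU=Users,OU=YYY,DC=XXX,DC=ZZZ": {"sAMAccountName": "bclermont"},
    "CN=Other User,OU=Users,OU=AAA,DC=XXX,DC=ZZZ": {"sAMAccountName": "other"},
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (the %u here)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def _under(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def _matches(attrs, filt):
    # Only the single equality filters used on this page are modelled.
    m = re.fullmatch(r"\(?(\w+)=([^()]+)\)?", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, value = m.groups()
    return attrs.get(attr, "").lower() == value.lower()


def search(base, filt, bound=True):
    """Subtree search. Yields ('entry', dn) and ('referral', url) items in
    the order searchResEntry/searchResRef messages arrive."""
    if not bound:
        raise LdapOperationsError("In order to perform this operation a "
                                  "successful bind must be completed on the connection.")
    results = [("entry", dn) for dn, attrs in ENTRIES.items()
               if _under(dn, base) and _matches(attrs, filt)]
    for ctx in SUBORDINATE_CONTEXTS:
        if _under(ctx, base) and ctx.lower() != base.lower():
            results.append(("referral", "ldap://AD_IP/" + ctx))
    return results


def chase_referral(url, filt):
    """A chased referral opens a new connection. The library rebinds it
    anonymously (the bindRequest "<ROOT>" in the trace), so AD refuses."""
    return search(url.split("/", 3)[3], filt, bound=False)


def find_user_dn(base, filter_template, username, follow_referrals):
    """Resolve the DN the plugin would later bind as. With follow_referrals
    the first chase raises, as in the trace, before any bind as the user."""
    filt = filter_template.replace("%u", escape_filter_value(username))
    found = None
    for kind, value in search(base, filt):
        if kind == "entry" and found is None:
            found = value
        elif kind == "referral" and follow_referrals:
            chase_referral(value, filt)        # raises LdapOperationsError
    return found


if __name__ == "__main__":
    print(find_user_dn(DOMAIN, "sAMAccountName=%u", "bclermont", follow_referrals=False))
    print(find_user_dn(DOMAIN, "sAMAccountName=%u", "other", follow_referrals=False))
```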
What steps will reproduce the problem?
1. Installing openvpn-auth-ldap from most distros installs version 2.0.3, which
was built in 2008.
What is the expected output? What do you see instead?
Much development has happened since 2008, (including working ldaps and STARTTLS
support) and it would be great to not have to compile to use the plugin.
Thanks!
Original issue reported on code.google.com by [email protected]
on 18 Oct 2013 at 7:27
What version of the product are you using? On what operating system?
openvpn-auth-ldap-2.0.3
openvpn-2.0.6
openldap-client-2.4.11
FreeBSD 7.0-RELEASE-p5
Please provide any additional information below.
In LDAP we are using the posixGroup schema, which lists group members by
username in the memberUid attribute on the group. It appears that
openvpn-auth-ldap is searching for members based on cn. It would be nice if
there were a way to configure what to look for in the attribute to confirm
group membership.
Original issue reported on code.google.com by [email protected]
on 30 Dec 2008 at 9:51
client+server version:
OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6]
[eurephia] built on Jul 12 2010
openvpn-auth-ldap version:
2.0.3-1 amd64 (Ubuntu Repository)
vpn server+client: Ubuntu 10.10 amd64 2.6.35
ldap server: win sbs2003 (active directory)
I enter my username "s9hi-2c-leutlor" on the client, but the server shows up
"s9hi-2c-batsank" in the logfiles. "s9hi-2c-batsank" is an existing user, but
definitely the wrong one.
may be interesting:
It's a school's database, and "s9hi-2c-leutlor" is in the same class as
"s9hi-2c-batsank", they both are in the group "sg9hi-2c" and "s9hi-2c-batsank"
is the first entry of this group (alphabetical order).
What about that error? How can I fix it?
Original issue reported on code.google.com by [email protected]
on 12 Dec 2010 at 10:08
Attachments:
What steps will reproduce the problem?
1. Start OpenVPN Server
2. From openvpn client, execute with ./openvpn --config openvpn.conf
--auth-user-pass
3. Openvpn server dies
What is the expected output? What do you see instead?
Successfully connected between openvpn client and server
What version of the product are you using? On what operating system?
openvpn 2.0.9, auth-ldap 2.0.3 , tried on Kubuntu 8.04 and Centos 5.2 ,
both also getting same error msg
Please provide any additional information below.
Tue Feb 10 15:32:20 2009 OpenVPN 2.0.9 i686-pc-linux [SSL] [EPOLL] built on
Dec 12 2008
Tue Feb 10 15:32:21 2009 TUN/TAP device tun0 opened
Tue Feb 10 15:32:21 2009 /sbin/ifconfig tun0 172.16.24.1 pointopoint
172.16.24.2 mtu 1500
Tue Feb 10 15:32:21 2009 GID set to nogroup
Tue Feb 10 15:32:21 2009 UID set to nobody
Tue Feb 10 15:32:21 2009 UDPv4 link local (bound): [undef]:1194
Tue Feb 10 15:32:21 2009 UDPv4 link remote: [undef]
Tue Feb 10 15:32:21 2009 Initialization Sequence Completed
Tue Feb 10 15:32:29 2009 60.50.53.28:59719 Re-using SSL/TLS context
openvpn: ../../../libraries/liblber/encode.c:288: ber_put_ostring:
Assertion `str != ((void *)0)' failed.
Aborted
Original issue reported on code.google.com by [email protected]
on 10 Feb 2009 at 7:32
What steps will reproduce the problem?
1. compile and install the plugin
2. configure it and start openvpn
3. connect
4. fail
LDAP bind failed immediately: Can't contact LDAP server ((unknown error code))
Unable to bind as cn=admin,dc=blubb,dc=bla
LDAP connect failed.
192.168.88.11:36659 PLUGIN_CALL: plugin function
PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1:
/usr/local/lib/openvpn-auth-ldap.so
192.168.88.11:36659 TLS Auth Error: Auth Username/Password verification
failed for peer
What is the expected output? What do you see instead?
expected would be something like this:
"openvpn: running"
What version of the product are you using? On what operating system?
linux/gentoo
openvpn-2.1.0-r1
auth-ldap-2.0.3.tar.gz
Please provide any additional information below.
./configure --with-openvpn=/usr/src/openvpn-2.1.0
without tls it is working
Original issue reported on code.google.com by [email protected]
on 4 Jun 2010 at 6:35
What steps will reproduce the problem?
Hi, are there any instructions on how to properly compile, make etc.. the file?
Thx.
Original issue reported on code.google.com by [email protected]
on 24 Oct 2014 at 6:12
I use centos 5
./testplugin /etc/openvpn/servers/v2vpn03/auth-ldap.conf
Username:
Password:
testplugin: ../../../libraries/liblber/encode.c:288: ber_put_ostring:
Assertion `str != ((void *)0)' failed.
Aborted
Original issue reported on code.google.com by [email protected]
on 9 Jul 2008 at 1:19
Hi!
I've added cert and key to my clients, the LDAP auth works very well, but when I revoke a client, the LDAP auth works again.
Is it possible to mix this scenario, client cert/key and LDAP auth?
Thanks
Original issue reported on code.google.com by [email protected]
on 11 Jun 2011 at 1:18
What steps will reproduce the problem?
1. use auth-ldap with AD
2. take down the AD server
3. try to authenticate
What is the expected output? What do you see instead?
should retry, or fail to authenticate, instead openvpn crashes
What version of the product are you using? On what operating system?
Slackware-10, OpenVPN 2.0.9, authldap 2.0.3
Please provide any additional information below.
from the log :
Thu Nov 8 19:09:16 2007 us=812760 TLS Error: incoming packet
authentication failed from xx.xx.xx.xx:28277
openvpn: sasl.c:262: ldap_parse_sasl_bind_result: Assertion `res != ((void
*)0)' failed.
Original issue reported on code.google.com by [email protected]
on 4 Feb 2009 at 7:21
What steps will reproduce the problem?
1. stop the ldap server for a while
2. watch the reconnects of existing connections fail
3. wait until you see a line "TLS Error: local/remote TLS keys are out of sync"
4. the clients exit because of "wrong username/password" and thus are unable to
retry
What is the expected output? What do you see instead?
I would expect the openvpn-ldap module to give a different status (if possible)
to the openvpn server so that the client doesn't think that it has a wrong
username and doesn't need to retry... (even with retry infinite)
What version of the product are you using? On what operating system?
deb6 amd64 openvpn-2.2.1-8+deb7u2 openvpn-auth-ldap-2.0.3-5.1
Is there a workaround I can use to not have this issue?
Original issue reported on code.google.com by [email protected]
on 30 Jun 2014 at 1:02
What steps will reproduce the problem?
1. Install openvpn 2.0.9
2. Install auth-ldap 2.0.3
3. Start openvpn with auth-ldap plugin. Pointing to auth-ldap.conf
What is the expected output? What do you see instead?
I expect to see the daemon running.
But I see...
Segmentation fault (core dumped)
What version of the product are you using? On what operating system?
2.0.3 on Mandrake 9.1 (Old i know, but everything compiled OK.)
Please provide any additional information below.
When I un-comment the line below, openvpn loads.
# plugin /opt/auth-ldap/lib/openvpn-auth-ldap.so
/opt/auth-ldap/etc/auth-ldap.conf
I also tried it with a trailing cn=%u
My auth-ldap.conf
<LDAP
URL ldap://10.0.0.1
BindDN CN=tom,CN=Users,DC=pulla,DC=local
Password mypassword
Timeout 15
TLSEnable no
</LDAP
<Authorization
BaseDN "DC=pulla,DC=local"
SearchFilter "(cn=%u)"
RequireGroup false
</Authorization
I turned openvpn verb to 11 but I can't see anything strange, it just dies.
Original issue reported on code.google.com by [email protected]
on 4 Mar 2009 at 11:46
What steps will reproduce the problem?
1. Trying to enter multiple LDAP servers in the configuration for redundancy
finishes with error message
What is the expected output? What do you see instead?
Must be possible to enter multiple LDAP servers, either with multiple URL
directive, or with single directive and addresses separated by spaces
EXAMPLE:
URL ldap://ldap1.xxx.com
URL ldap://ldap2.xxx.com
OR
URL ldap://ldap1.xxx.com ldap://ldap2.xxx.com
What version of the product are you using? On what operating system?
2.0.3 on Ubuntu 10.04 from original repository
Original issue reported on code.google.com by [email protected]
on 22 Nov 2011 at 9:37
I use Zimbra [1] as a groupware solution and it has an ldap server
(currently openldap 2.3.42) for authentication services. I'm trying to
compile openvpn-auth-ldap on a x64 ubuntu 8.04 server so vpn users can use
the same auth information, however configure fails with the following error:
checking how to run the Objective C preprocessor... /lib/cpp
configure: error: Objective C preprocessor "/lib/cpp" fails sanity check
All references to this error on google lead to installing build-essential
as the solution, however I have it installed and still have the error.
Also, configuring/compiling other software from source works.
What steps will reproduce the problem?
1. ./configure --with-openldap=/opt/zimbra/openldap
--with-openvpn=/usr/include/openvpn
What is the expected output? What do you see instead?
Configure should finish cleanly. However it spits out an error about the
Objective C preprocessor.
What version of the product are you using? On what operating system?
2.0.3 on x64 ubuntu 8.04.
Please provide any additional information below.
Attached are configure output and config.log.
[1] http://www.zimbra.com
Original issue reported on code.google.com by [email protected]
on 1 Oct 2008 at 7:18
Attachments:
hi,
I am running suse linux enterprise 11 and have installed openvpn and openldap
command:
# ./configure --with-openvpn=/tmp/openvpn-2.2.2/
I see the following on my screen:
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for gcc... gcc
checking whether we are using the GNU Objective C compiler... yes
checking whether gcc accepts -x objective-c... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking whether make sets $(MAKE)... yes
checking for re2c... /usr/bin/re2c
checking for doxygen... no
checking for dot... no
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for the pthreads library -lpthreads... no
checking whether pthreads work without any flags... no
checking whether pthreads work with -Kthread... no
checking whether pthreads work with -kthread... no
checking for the pthreads library -llthread... no
checking whether pthreads work with -pthread... yes
checking for joinable pthread attribute... PTHREAD_CREATE_JOINABLE
checking if more special flags are required for pthreads... no
checking for BSD pf(4) support... no
configure: WARNING: pf(4) table support will not be included.
checking for strlcpy... no
checking for openldap... yes
checking for check unit test library... no
configure: WARNING: Check library not found. Unit tests will not be built or
run.
checking for openvpn-plugin.h... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking how to run the Objective C preprocessor... gcc -E
checking objc/objc.h usability... yes
checking objc/objc.h presence... yes
checking for objc/objc.h... yes
checking if linking libobjc requires pthreads... no
checking for Apple Objective-C runtime... no
checking for GNU Objective C runtime... yes
configure: Using GNU Objective-C runtime
configure: creating ./config.status
config.status: creating Makefile
config.status: creating tools/Makefile
config.status: creating src/Makefile
config.status: creating tests/Makefile
config.status: creating Mk/autoconf.mk
config.status: WARNING: Mk/autoconf.mk.in seems to ignore the --datarootdir
setting
config.status: creating Mk/compile.mk
config.status: creating Mk/subdir.mk
config.status: creating doxyfile
config.status: creating config.h
config.status: config.h is unchanged
When looking in the config.log I see this error:
conftest.c:8:28: error: ac_nonexistent.h: No such file or directory
It seems the command is not completing, because I am missing this file:
openvpn-auth-ldap.so
How can I troubleshoot this?
Original issue reported on code.google.com by [email protected]
on 22 Oct 2014 at 9:35
What steps will reproduce the problem?
1. compile the plugin with ./configure --with-openvpn=/home/tmp/openvpn-2.2.2
2. Launch OpenVPN (>service openvpn start)
3.
What is the expected output? What do you see instead?
> service openvpn start indicate error
Error at openvpn log file
Wed Apr 29 14:14:58 2015 event_wait : Interrupted system call (code=4)
Wed Apr 29 14:14:58 2015 /sbin/route del -net 172.16.26.0 netmask 255.255.255.0
Wed Apr 29 14:14:58 2015 Closing TUN/TAP interface
Wed Apr 29 14:14:58 2015 /sbin/ifconfig tun0 0.0.0.0
Wed Apr 29 14:14:58 2015 PLUGIN_CLOSE: /usr/local/lib/openvpn-auth-ldap.so
Wed Apr 29 14:14:58 2015 SIGTERM[hard,] received, process exiting
Wed Apr 29 14:15:00 2015 OpenVPN 2.3.4 x86_64-unknown-linux-gnu [SSL (OpenSSL)]
[LZO] [EPOLL] [MH] [IPv6] built on Apr 28 2015
Wed Apr 29 14:15:00 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO
2.03
Wed Apr 29 14:15:00 2015 PLUGIN_INIT: POST /usr/local/lib/openvpn-auth-ldap.so
'[/usr/local/lib/openvpn-auth-ldap.so] [/etc/openvpn/ldap.conf]'
intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIE
What version of the product are you using? On what operating system?
auth-ldap-2.0.3
CentOS 6.6
Linux VPN 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr 22 06:48:29 UTC 2015 x86_64
x86_64 x86_64 GNU/Linux
Please provide any additional information below.
./configure at auth-ldap-2.0.3 eats any path for --with-openldap and --with-openvpn. Make passes without errors, and I can't be sure that the paths are correct.
Original issue reported on code.google.com by [email protected]
on 29 Apr 2015 at 11:39
Hi,
I'm currently running debian wheezy with openvpn-auth-ldap 2.0.3-5.1.
When a user chooses a password with äöü inside, authentication to vpn always fails.
It's working with most other systems accessing Active Directory, so I guess it's some encoding problem.
greetings
Christian
Original issue reported on code.google.com by [email protected]
on 10 Mar 2014 at 11:18
What steps will reproduce the problem?
1.
2.
3.
What is the expected output? What do you see instead?
What version of the product are you using? On what operating system?
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 10 Feb 2010 at 7:22
What steps will reproduce the problem?
1. configure
2. make -j4
What is the expected output? What do you see instead?
I'd expect that the build waits until TRConfigParser.h is generated before
using it. Instead, I see it is built in parallel with using it.
The Makefile.in needs to have some dependencies added so that operations are
properly serialized and the lemon/makeheaders are run before the resulting
.h/.m files are used.
What version of the product are you using? On what operating system?
svn version 1379 on FreeBSD 10.1
Original issue reported on code.google.com by [email protected]
on 19 Jan 2015 at 4:49
Is it possible to configure openvpn-auth-ldap to not use the LDAP password?
Currently, I have PAM authentication configured, which allows me to tap
into our RSA two factor authentication system. I'd like to use the LDAP
plugin only as user authorization, and the PAM/RSA 2-factor as the user
authentication.
Original issue reported on code.google.com by [email protected]
on 26 Feb 2009 at 4:01
What steps will reproduce the problem?
the plugin's configuration is:
<LDAP>
URL ldap://xxxxx
BindDN uid=xxxxx,dc=xxx,dc=xxx
Password xxxxxxx
Timeout 15
TLSEnable no
FollowReferrals no
TLSCACertFile /usr/local/etc/ssl/ca.pem
TLSCACertDir /etc/ssl/certs
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
</LDAP>
<Authorization>
BaseDN "ou=xxx,dc=xxx,dc=xxx"
SearchFilter "(&(uid=%u)(accountStatus=active))"
RequireGroup false
<Group>
BaseDN "ou=Groups,dc=example,dc=com"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
</Group>
</Authorization>
I am sure that all values are correct, because using an equivalent ldapsearch
command, ldap server responds with the correct entry.
What is the expected output? What do you see instead?
the expected should be a login success message. But the following log comes
("LDAP search failed: No such object" and then "No remote address supplied to
OpenVPN LDAP Plugin (OPENVPN_PLUGIN_CLIENT_CONNECT)."):
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 TLS: Initial packet from
[AF_INET]xx.xx.xx.xx:1194, sid=466b3052 a5fc388e
LDAP search failed: No such object
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY
status=0
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 TLS: Username/Password authentication
succeeded for username 'username'
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Data Channel Encrypt: Cipher 'BF-CBC'
initialized with 128 bit key
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Data Channel Encrypt: Using 160 bit
message hash 'SHA1' for HMAC authentication
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Data Channel Decrypt: Cipher 'BF-CBC'
initialized with 128 bit key
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Data Channel Decrypt: Using 160 bit
message hash 'SHA1' for HMAC authentication
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 Control Channel: TLSv1, cipher
TLSv1/SSLv3 DHE-RSA-AES256-SHA
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 [] Peer Connection Initiated with
[AF_INET]xx.xx.xx.xx:1194
No remote address supplied to OpenVPN LDAP Plugin
(OPENVPN_PLUGIN_CLIENT_CONNECT).
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=1
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: plugin function
PLUGIN_CLIENT_CONNECT failed with status 1:
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so
Thu Jan 23 12:57:12 2014 xx.xx.xx.xx:1194 WARNING: client-connect plugin call
failed
What version of the product are you using? On what operating system?
Using openvpn-auth-ldap 2.0.3-6 with openvpn.i686 2.3.2-2, installed on
CentOS-6 from the epel repository.
Please provide any additional information below.
When providing a wrong user password or a non-existing user (in this example "asdf"), the plugin outputs correctly ... which shows that there is no bind or wrong attribute problem and ldap responds correctly !!!
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 TLS: Initial packet from
[AF_INET]xx.xx.xx.xx:1194, sid=17665875 67640a48
LDAP bind failed: Invalid credentials
Incorrect password supplied for LDAP DN "uid=username,ou=xxx,dc=xxx,dc=xxx".
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY
status=1
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: plugin function
PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1:
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 TLS Auth Error: Auth
Username/Password verification failed for peer
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 Control Channel: TLSv1, cipher
TLSv1/SSLv3 DHE-RSA-AES256-SHA
Thu Jan 23 12:57:26 2014 xx.xx.xx.xx:1194 Peer Connection Initiated with
[AF_INET]xx.xx.xx.xx:1194
Thu Jan 23 12:57:29 2014 xx.xx.xx.xx:1194 PUSH: Received control message:
'PUSH_REQUEST'
Thu Jan 23 12:57:29 2014 xx.xx.xx.xx:1194 Delayed exit in 5 seconds
Thu Jan 23 12:57:29 2014 xx.xx.xx.xx:1194 SENT CONTROL [UNDEF]: 'AUTH_FAILED'
(status=1)
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 SIGTERM[soft,delayed-exit] received,
client-instance exiting
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 TLS: Initial packet from
[AF_INET]xx.xx.xx.xx:1194, sid=06097dc3 01f59e32
LDAP user "asdf" was not found.
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: POST
/usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY
status=1
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 PLUGIN_CALL: plugin function
PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1:
usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so
Thu Jan 23 12:57:34 2014 xx.xx.xx.xx:1194 TLS Auth Error: Auth
Username/Password verification failed for peer
Please correct any mistakes in the config file or suggest any solution.
Thank you
Original issue reported on code.google.com by [email protected]
on 23 Jan 2014 at 5:50