6

I'm trying to have OpenVPN authenticate users via PAM over LDAP to an Active Directory server.

Here are the relevant parts of my configuration files:

/etc/openvpn/server.conf:

# ...
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so ldap-login

/etc/nslcd.conf:

uri ldap://prod-adc1.mydomain.local
base DC=MyDomain,DC=Local
uid nslcd
gid ldap

/etc/pam.d/ldap-login:

auth      sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
auth      required    pam_deny.so
password  sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
password  required    pam_deny.so

When I try authenticating, I see the following in the logs:

/var/log/secure:

Dec  4 22:22:42 localhost openvpn[25505]: pam_ldap(ldap-login:auth): failed to get password: Authentication failure

/var/log/messages:

Dec  4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 TLS: Initial packet from [AF_INET]1.2.3.4:37503, sid=c2d806cc 5c7c7ace
Dec  4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Dec  4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
Dec  4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 TLS Auth Error: Auth Username/Password verification failed for peer
Dec  4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384
Dec  4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 Peer Connection Initiated with [AF_INET]1.2.3.4:37503
Dec  4 22:38:31 localhost openvpn[25504]: 1.2.3.4:37503 PUSH: Received control message: 'PUSH_REQUEST'
Dec  4 22:38:31 localhost openvpn[25504]: 1.2.3.4:37503 Delayed exit in 5 seconds
Dec  4 22:38:31 localhost openvpn[25504]: 1.2.3.4:37503 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Dec  4 22:38:36 localhost openvpn[25504]: 1.2.3.4:37503 SIGTERM[soft,delayed-exit] received, client-instance exiting

Have I configured PAM wrong? Is there something I'm missing in my login configuration?


EDIT: I'm able to log in if I do the following:

ldapsearch -h prod-adc1.mydomain.local -b "DC=MyDomain,DC=Local" -x -D "naftuli.kay@mydomain.com" -W

How do I map this over to the PAM LDAP module to get OpenVPN logins working as expected?

Naftuli Kay
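The log line `pam_ldap(ldap-login:auth): failed to get password` points at the PAM stack rather than at nslcd. My reading of it, which is an assumption and not something the page states: openvpn-plugin-auth-pam.so hands the username and password to PAM through the conversation function, while `use_first_pass` tells pam_ldap not to use that conversation at all but to reuse a token left behind by an earlier module in the auth stack, failing when there is none. In the stack above pam_ldap is the first auth module, so there never is one. The script below is an added example, not part of the question; it writes a constructed copy of the stack to a temporary file, flags that condition and prints a corrected copy that uses `try_first_pass` (reuse a token if present, prompt otherwise). The `password` lines are left alone because the OpenVPN plugin only runs the auth and account stacks.

```shell
#!/bin/sh
# Added example, not part of the original question. Checks the PAM service
# file that openvpn-plugin-auth-pam.so is pointed at ("ldap-login") for the
# option that stops pam_ldap from ever receiving the password.
#
# Assumption (see lead-in): the OpenVPN plugin delivers credentials through
# the PAM conversation, so the FIRST auth module must be allowed to prompt.
# use_first_pass forbids that and fails when no earlier module left a token,
# which matches "pam_ldap(ldap-login:auth): failed to get password".

# Constructed copy of the stack from the question, written to the given path.
write_sample_stack() {
    cat > "$1" <<'EOF'
auth      sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
auth      required    pam_deny.so
password  sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
password  required    pam_deny.so
EOF
}

# First non-comment "auth" line of a PAM service file.
first_auth_line() {
    grep -v '^[[:space:]]*#' "$1" | awk '$1 == "auth" { print; exit }'
}

# Exit status 0: the first auth module may ask for the password.
# Exit status 1: it is pam_ldap.so with use_first_pass, so it never will.
check_first_pass() {
    case "$(first_auth_line "$1")" in
        *pam_ldap.so*use_first_pass*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a corrected copy: use_first_pass becomes try_first_pass on the first
# auth line only. Comments and every other line are passed through unchanged;
# the password stack is irrelevant to OpenVPN, which never runs it.
fix_first_pass() {
    awk '/^[[:space:]]*#/ { print; next }
         $1 == "auth" && !done { sub(/use_first_pass/, "try_first_pass"); done = 1 }
         { print }' "$1"
}

# Demo run against the constructed file.
tmp=$(mktemp)
write_sample_stack "$tmp"
if check_first_pass "$tmp"; then
    echo "first auth module can prompt for the password: OK"
else
    echo "first auth module is pam_ldap.so with use_first_pass: it can never receive the password"
    echo "--- corrected stack ---"
    fix_first_pass "$tmp"
fi
rm -f "$tmp"
```

Run it against the real file with `fix_first_pass /etc/pam.d/ldap-login` once the check fires; `check_first_pass` is the part to keep in a config linter.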

2 Answers

1

It looks like you need to configure /etc/nslcd.conf with your binddn and bindpw.

See http://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5

Hope this helps!

-Byron

byronicle
  • I don't think it's working right, I've updated the above question with more details. – Naftuli Kay Dec 06 '15 at 04:10
  • Hi Naftuli, what happened when you put the bind info in the nslcd.conf? The reason I ask is because of the "...failed to get password" part. It appears PAM is not logging into the LDAP server to retrieve the passwords. If you log in to your LDAP server as anonymous I bet you would not see the password hashes of the users. So if PAM does not have credentials to log in to the LDAP server it's not going to be able to see the passwords, and therefore will not be able to validate the login. – byronicle Dec 07 '15 at 19:54
  • The ldapsearch command is not connected to PAM. Here you are just testing that you can login with a username and password to the server directly. PAM needs another username/password to look up that account and process your login. – byronicle Dec 07 '15 at 19:57
  • I'm still seeing the "failed to get password" bit in the logs. I tried binddn with the same value as "bind" above in the config and that didn't work. The `ldapsearch` command's `-D` parameter is supposed to be the user's email address with which to log in. How do I set it to that? – Naftuli Kay Dec 07 '15 at 21:26
  • The bind dn needs to be the dn of the account to login to the LDAP server with. This is usually a root or admin account. For example: `binddn cn=admin,dc=domain,dc=org` and `bindpw password`. Can you give that a try? – byronicle Dec 07 '15 at 21:41
  • Yes, I gave that a try, still getting the weird error. How can I increase PAM logging for the LDAP module? – Naftuli Kay Dec 07 '15 at 21:52
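Adding `binddn`/`bindpw` as this answer suggests also turns nslcd.conf into a file that holds a secret, and the question's `uri ldap://...` means that bind, and every user password pam_ldap later checks, would cross the network in cleartext. One point worth keeping straight: nslcd uses the bind account only to look up the user's DN; the password check itself is a second bind as that DN, so a read-only service account is enough and no Domain Admin is needed. The script below is an added example, not code from the answer or from nss-pam-ldapd; it writes a hardened nslcd.conf for Active Directory next to a naive one and checks both for an exposed `bindpw` and for unprotected transport. The service-account DN, the CA file path and the password are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer. Writes an nslcd.conf with the
# bind credentials the answer talks about and checks the two things that
# usually go wrong once a bindpw lives in that file: the file being readable
# by other users, and simple binds (search account and user passwords alike)
# travelling in cleartext over ldap://.
#
# The service-account DN, CA path and password are placeholders.

# Hardened nslcd.conf for nss-pam-ldapd against Active Directory.
# nslcd uses binddn/bindpw only to find the user's DN; the user's own
# password is then verified by a second bind as that DN, so the search
# account needs read access, nothing more. Do not use a Domain Admin here.
write_nslcd_conf() {
    cat > "$1" <<'EOF'
uid nslcd
gid ldap

uri ldap://prod-adc1.mydomain.local
base DC=MyDomain,DC=Local

# dedicated, read-only search account (placeholder DN and password)
binddn CN=svc-nslcd,OU=ServiceAccounts,DC=MyDomain,DC=Local
bindpw REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD

# STARTTLS with certificate verification, so simple binds are not cleartext
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/pki/tls/certs/mydomain-root-ca.pem

# Active Directory specifics
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map    passwd uid sAMAccountName
EOF
    chmod 600 "$1"   # bindpw is a secret: readable by the owner (root) only
}

# The question's nslcd.conf with binddn/bindpw dropped in, as a typical first
# attempt: cleartext ldap:// and world-readable 0644 permissions.
write_naive_conf() {
    cat > "$1" <<'EOF'
uri ldap://prod-adc1.mydomain.local
base DC=MyDomain,DC=Local
uid nslcd
gid ldap
binddn CN=svc-nslcd,OU=ServiceAccounts,DC=MyDomain,DC=Local
bindpw REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD
EOF
    chmod 644 "$1"
}

# Permission string of a file, e.g. -rw------- (SELinux "." suffix dropped).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Exit 0 when the file holds a bindpw that "other" users can read.
bindpw_exposed() {
    grep -q '^[[:space:]]*bindpw[[:space:]]' "$1" || return 1
    case "$(perm_string "$1")" in
        ???????r??) return 0 ;;   # world-readable: the password leaks
        *)          return 1 ;;
    esac
}

# Exit 0 when binds are protected in transit: ldaps:// URI or "ssl start_tls".
transport_protected() {
    grep -q '^[[:space:]]*uri[[:space:]][[:space:]]*ldaps://' "$1" && return 0
    grep -q '^[[:space:]]*ssl[[:space:]][[:space:]]*start_tls' "$1"
}

# Demo against the hardened file.
tmp=$(mktemp)
write_nslcd_conf "$tmp"
echo "mode: $(perm_string "$tmp")"
bindpw_exposed "$tmp" && echo "bindpw readable by others" || echo "bindpw protected"
transport_protected "$tmp" && echo "binds protected in transit" || echo "WARNING: cleartext binds"
rm -f "$tmp"
```

Point `bindpw_exposed` and `transport_protected` at the live `/etc/nslcd.conf` after editing it; the `map passwd uid sAMAccountName` line is what lets the VPN username match the AD logon name rather than a `uid` attribute AD does not populate.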
0

Example of a working setup (authorizing users only against an LDAP server; in the example I was using OpenLDAP, but AD is also supported by this module, openvpn-auth-ldap.so):

openvpn-server.conf:

# Authorization against LDAP
plugin /usr/lib64/openvpn-auth-ldap.so /some/path/auth-ldap.conf

auth-ldap.conf:

<LDAP>
  # LDAP server URL
  URL ldap://server.intranet.eko-inwest.com.pl:389

  # Bind DN (If your LDAP server doesn’t support anonymous binds)
  # BindDN uid=administrator,ou=users,dc=x,dc=y
  # BindDN uid=admin,ou=Users,dc=x,dc=y
  # BindDN admin@test.com

  # Network timeout (in seconds)
  Timeout 15

  # Enable Start TLS
  TLSEnable       no

  # TLS CA Certificate File
  # TLSCACertFile   /etc/ssl/ca.x.y.crt
</LDAP>

<Authorization>
  # Base DN
  BaseDN "ou=users,dc=x,dc=y"

  # User Search Filter
  #SearchFilter "(uid=%u)"
  #SearchFilter "(&(uid=%u)(objectclass=posixAccount))"
  # For Samba's schema
  SearchFilter "(&(uid=%u)(!(sambaAcctFlags=[DUL        ])))"

  # Require Group Membership
  RequireGroup true

  # Add non-group members to a PF table (disabled)
  # PFTable vpn-users
  <Group>
    # Match full user DN if true, uid only if false
    RFC2307bis      false
    BaseDN          "ou=groups,dc=x,dc=y"

    SearchFilter    "(cn=vpn-users)"
    MemberAttribute memberUid
  </Group>
</Authorization>
Michal Sokolowski
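The same module pointed at Active Directory instead of OpenLDAP, as an added example and not the answer's own file. AD has no `uid` or `memberUid`, so the user filter keys on `sAMAccountName` and excludes disabled accounts through AD's bit-AND matching rule on `userAccountControl`; the group check compares the user's full DN against `member` with `RFC2307bis true`; and STARTTLS with a verified CA is switched on, which the answer's file leaves off. The domain controller, service account, CA path and group name are placeholders; the directive names are those of the module's own sample configuration.

```apacheconf
<LDAP>
  # Domain controller. TLSEnable below upgrades this to STARTTLS on 389;
  # for LDAPS use ldaps://...:636 and set TLSEnable no.
  URL             ldap://prod-adc1.mydomain.local:389

  # Read-only search account (placeholder). AD also accepts the UPN form,
  # e.g. svc-openvpn@mydomain.local, as the bind name.
  BindDN          CN=svc-openvpn,OU=ServiceAccounts,DC=MyDomain,DC=Local
  Password        REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD

  Timeout         15

  # Verify the DC's certificate; without it the bind is only as safe as the network.
  TLSEnable       yes
  TLSCACertFile   /etc/pki/tls/certs/mydomain-root-ca.pem

  # AD answers with referrals for other partitions; chasing them anonymously
  # slows logins down and can fail outright.
  FollowReferrals no
</LDAP>

<Authorization>
  BaseDN          "OU=Users,DC=MyDomain,DC=Local"

  # %u is the username the VPN client sent. Only enabled user objects:
  # 1.2.840.113556.1.4.803 is AD's bit-AND matching rule, bit 2 = ACCOUNTDISABLE.
  SearchFilter    "(&(objectClass=user)(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

  # A valid password alone is not enough: the account must be in the VPN group.
  RequireGroup    true

  <Group>
    BaseDN          "OU=Groups,DC=MyDomain,DC=Local"
    SearchFilter    "(cn=vpn-users)"
    # AD group membership is a list of full DNs in "member",
    # so compare the user's DN, not the bare username.
    MemberAttribute member
    RFC2307bis      true
  </Group>
</Authorization>
```

Because `Password` sits in this file, give it the same treatment as a bindpw in nslcd.conf: owned by root and not readable by others, and an account that can read the directory but change nothing.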