
Authentication fails after enabling RequireGroup in openvpn-auth-ldap.so


  1. I use openvpn-auth-ldap.so as an authentication plugin for openvpn
  2. I only want to allow members under cn=corevpn,ou=tech,ou=group,dc=openldap,dc=example,dc=com to be able to log in openvpn
  3. My ldap-auth.conf configuration file has the following information
<LDAP>
    URL ldap://127.0.0.1:389
    BindDN cn=admin,dc=openldap,dc=example,dc=com
    Password "secret"
    Timeout 60
    FollowReferrals yes
    TLSEnable no
</LDAP>

<Authorization>
    BaseDN "ou=people,dc=openldap,dc=example,dc=com"
    SearchFilter "(uid=%u)"
    RequireGroup true

    <Group>
        BaseDN "ou=Group,dc=openldap,dc=example,dc=com"
        SearchFilter "(&(objectClass=posixGroup)(cn=corevpn)(memberUid=%u))"
        MemberAttribute memberUid
    </Group>
</Authorization>
  4. The member group with the userpassword field is at ou=people,dc=openldap,dc=example,dc=com.
  5. Here's some of the information
root@master:/container/service/slapd/assets/config/bootstrap/ldif/custom# ldapsearch -x -LLL -H ldapi:/// -D "cn=admin,dc=openldap,dc=example,dc=com" -W -b "ou=group,dc=openldap,dc=example,dc=com" "(memberUid=kevin)"
Enter LDAP Password: 
dn: cn=corevpn,ou=tech,ou=Group,dc=openldap,dc=example,dc=com
cn: corevpn
gidNumber: 504
objectClass: posixGroup
objectClass: top
memberUid: kevin
  6. The error encountered was:

  7. openldap logs

665732a0 conn=1120 fd=14 ACCEPT from IP=172.30.0.11:38546 (IP=0.0.0.0:389)
665732a0 conn=1120 op=0 BIND dn="cn=admin,dc=openldap,dc=example,dc=com" method=128
665732a0 conn=1120 op=0 BIND dn="cn=admin,dc=openldap,dc=example,dc=com" mech=SIMPLE ssf=0
665732a0 conn=1120 op=0 RESULT tag=97 err=0 text=
665732a0 conn=1120 op=1 SRCH base="ou=people,dc=openldap,dc=example,dc=com" scope=2 deref=0 filter="(uid=kevin)"
665732a0 conn=1120 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
665732a0 conn=1121 fd=15 ACCEPT from IP=172.30.0.11:38558 (IP=0.0.0.0:389)
665732a0 conn=1121 op=0 BIND dn="cn=admin,dc=openldap,dc=example,dc=com" method=128
665732a0 conn=1121 op=0 BIND dn="cn=admin,dc=openldap,dc=example,dc=com" mech=SIMPLE ssf=0
665732a0 conn=1121 op=0 RESULT tag=97 err=0 text=
665732a0 conn=1121 op=1 BIND anonymous mech=implicit ssf=0
665732a0 conn=1121 op=1 BIND dn="cn=kevin,ou=People,dc=openldap,dc=example,dc=com" method=128
665732a0 conn=1121 op=1 BIND dn="cn=kevin,ou=People,dc=openldap,dc=example,dc=com" mech=SIMPLE ssf=0
665732a0 conn=1121 op=1 RESULT tag=97 err=0 text=
665732a0 conn=1121 op=2 UNBIND
665732a0 conn=1120 op=2 SRCH base="ou=Group,dc=openldap,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=corevpn)(memberUid=%u))"
665732a0 <= mdb_equality_candidates: (cn) not indexed
665732a0 conn=1121 fd=15 closed
665732a0 <= mdb_equality_candidates: (memberUid) not indexed
665732a0 conn=1120 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
665732a0 conn=1120 op=3 UNBIND
665732a0 conn=1120 fd=14 closed

Why is it memberUid=%u and not memberUid=kevin?

  8. openvpn server side:
2024-05-29 20:35:04 us=599688 122.241.13.157:59447 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2024-05-29 20:35:04 us=599712 122.241.13.157:59447 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugins/openvpn-auth-ldap.so
2024-05-29 20:35:04 us=600090 122.241.13.157:59447 TLS Auth Error: Auth Username/Password verification failed for peer
  9. openvpn client side
Wrong credentials, try again
  10. I need to make it so that only members of a specified group can log in to openvpn, i.e. authentication succeeds only for them.
  11. I'm wondering why openldap receives memberUid=%u instead of memberUid=kevin.

Solution

  • From my understanding of the openvpn configuration manual, the group SearchFilter attribute allows you to filter groups in the specified BaseDN, but not based on a processed filter with %u.

    The groups matched under the BaseDN are then checked to see whether their MemberAttribute attribute contains the user.

    If you want to use posixGroup you need to set RFC2307bis to false. (That RFC is for groupOfNames / groupOfUniqueNames, which store the user's DN as a reference inside the LDAP group rather than the memberUid.)

    Try this configuration:

    <LDAP>
       URL ldap://127.0.0.1:389
       BindDN cn=admin,dc=openldap,dc=example,dc=com
       Password "secret"
       Timeout 60
       FollowReferrals yes
       TLSEnable no
    </LDAP>
    
    <Authorization>
       BaseDN "ou=people,dc=openldap,dc=example,dc=com"
       SearchFilter "(uid=%u)"
       RequireGroup true
    
       <Group>
          BaseDN "ou=Group,dc=openldap,dc=example,dc=com"
          RFC2307bis false
          SearchFilter "(&(objectClass=posixGroup)(cn=corevpn))"
          MemberAttribute memberUid
       </Group>
    </Authorization>
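The flow the answer describes (user search with %u substituted, a group search whose filter is sent to the server verbatim, then a MemberAttribute comparison) modelled against an in-memory directory, as an added Python example that is not the plugin's own code. The directory entries are constructed from the ldapsearch output in the question, and the assumption that %u is expanded only in the <Authorization> SearchFilter and not in the <Group> SearchFilter is taken from the slapd log line above (the filter reaches slapd containing a literal %u), not from the plugin source. It shows the original <Group> filter returning nentries=0 and therefore denying kevin, the corrected filter admitting him, a non-member being denied, and what RFC2307bis true versus false compares against MemberAttribute.

```python
"""Model of openvpn-auth-ldap's RequireGroup authorization step.

Added example, not the plugin's code.  Assumption taken from the slapd log on
the page: %u is replaced only in the <Authorization> SearchFilter; the <Group>
SearchFilter is sent verbatim.
"""

# Constructed directory modelled on the question's ldapsearch output.
DIRECTORY = {
    "cn=kevin,ou=People,dc=openldap,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["kevin"]},
    "cn=alice,ou=People,dc=openldap,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]},
    "cn=corevpn,ou=tech,ou=Group,dc=openldap,dc=example,dc=com": {
        "objectClass": ["posixGroup", "top"], "cn": ["corevpn"],
        "gidNumber": ["504"], "memberUid": ["kevin"]},
}


def _split_top(s):
    """Split '(a=1)(b=2)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def parse_filter(text):
    """Parse the filter subset used here: (&...), (|...), (!...), (attr=value)."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body and body[0] in "&|!":
        return (body[0], [parse_filter(p) for p in _split_top(body[1:])])
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %r" % body)
    return ("=", attr.strip(), value)


def _attr(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute types are case-insensitive)."""
    for k, v in entry.items():
        if k.lower() == name.lower():
            return v
    return []


def matches(entry, node):
    op = node[0]
    if op == "&":
        return all(matches(entry, n) for n in node[1])
    if op == "|":
        return any(matches(entry, n) for n in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    # Equality for caseIgnoreMatch attributes (cn, uid, memberUid, objectClass).
    return any(v.lower() == value.lower() for v in _attr(entry, attr))


def search(base_dn, filter_text):
    """Subtree search (scope=2) of the in-memory directory; returns matching DNs."""
    node, base = parse_filter(filter_text), base_dn.lower()
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base) and matches(e, node)]


def authorize(username, cfg):
    """Return (allowed, reason) as the RequireGroup step would decide it."""
    users = search(cfg["BaseDN"], cfg["SearchFilter"].replace("%u", username))
    if len(users) != 1:
        return False, "user search returned %d entries" % len(users)
    user_dn = users[0]
    # Group filter goes out verbatim: no %u substitution (assumption, see docstring).
    groups = search(cfg["Group"]["BaseDN"], cfg["Group"]["SearchFilter"])
    if not groups:
        return False, "group search returned nentries=0"
    # RFC2307bis true: MemberAttribute holds DNs; false: it holds usernames.
    wanted = user_dn if cfg["Group"].get("RFC2307bis", False) else username
    for g in groups:
        members = _attr(DIRECTORY[g], cfg["Group"]["MemberAttribute"])
        if any(m.lower() == wanted.lower() for m in members):
            return True, "member of %s" % g
    return False, "%s not in %s of %s" % (wanted, cfg["Group"]["MemberAttribute"], ", ".join(groups))


# The question's <Authorization> block (group filter with a literal %u).
ORIGINAL = {
    "BaseDN": "ou=people,dc=openldap,dc=example,dc=com", "SearchFilter": "(uid=%u)",
    "Group": {"BaseDN": "ou=Group,dc=openldap,dc=example,dc=com",
              "SearchFilter": "(&(objectClass=posixGroup)(cn=corevpn)(memberUid=%u))",
              "MemberAttribute": "memberUid"}}
# The answer's corrected block.
FIXED = {
    "BaseDN": "ou=people,dc=openldap,dc=example,dc=com", "SearchFilter": "(uid=%u)",
    "Group": {"BaseDN": "ou=Group,dc=openldap,dc=example,dc=com", "RFC2307bis": False,
              "SearchFilter": "(&(objectClass=posixGroup)(cn=corevpn))",
              "MemberAttribute": "memberUid"}}

if __name__ == "__main__":
    for label, cfg, user in [("original", ORIGINAL, "kevin"), ("fixed", FIXED, "kevin"),
                             ("fixed", FIXED, "alice"), ("fixed", FIXED, "bob")]:
        print(label, user, authorize(user, cfg))
```

Running it prints the original config denying kevin with "group search returned nentries=0", which is exactly what the slapd log shows, and the fixed config admitting kevin while denying alice (not in memberUid) and bob (no user entry). Flipping RFC2307bis to true while keeping memberUid makes the comparison look for kevin's full DN in memberUid and fails again, which is why the attribute and the flag have to agree.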