Hi.

Thank you for taking the time to respond.

I have been playing with the options literally all day and still haven't got it to connect via auth-ldap.

I think it may be the BINDDN part I am missing. I am also unsure whether I need the BINDDN and password set.

Presently my config (/etc/openvpn/auth/ldap.conf) looks like this (ignore the password; it's a test server not open to the internet):

----------------
<LDAP>
        # LDAP server URL
        URL             ldap://ipa1.morgan.kvm

        # Bind DN (If your LDAP server doesn't support anonymous binds)
        #BindDN                dc=morgan,dc=kvm

        # Bind Password
        Password       "test_123"

        # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        TLSEnable yes

        # Follow LDAP Referrals (anonymously)
        FollowReferrals yes

        # TLS CA Certificate File
        TLSCACertFile   /etc/ipa/ca.crt

        # TLS CA Certificate Directory
        TLSCACertDir    /etc/ssl/certs

        # Client Certificate and key
        # If TLS client authentication is required
        #TLSCertFile    /usr/local/etc/ssl/client-cert.pem
        #TLSKeyFile     /usr/local/etc/ssl/client-key.pem

        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite  ALL:!ADH:@STRENGTH
        #TLSCipherSuite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA2$
</LDAP>


<Authorization>
        # Base DN
        #BaseDN         "cn=users,cn=accounts,dc=morgan,dc=kvm"
        BaseDN          "dc=morgan,dc=kvm"

        # User Search Filter
        SearchFilter    "(uid=%u)"

        # Require Group Membership
        RequireGroup    true

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "cn=users,cn=accounts,dc=morgan,dc=kvm"
                SearchFilter    "(cn=ipausers)"
                MemberAttribute uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>

----------------

Using this method I can see in the openvpn client log:

---------
Tue Sep 18 17:26:46 2018 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Tue Sep 18 17:26:46 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Sep 18 17:26:46 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Sep 18 17:26:46 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.122.15:1194
Tue Sep 18 17:26:46 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Sep 18 17:26:46 2018 UDP link local: (not bound)
Tue Sep 18 17:26:46 2018 UDP link remote: [AF_INET]192.168.122.15:1194
Tue Sep 18 17:26:46 2018 TLS: Initial packet from [AF_INET]192.168.122.15:1194, sid=3a69634f 7bb2d4c1
Tue Sep 18 17:26:46 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Sep 18 17:26:46 2018 VERIFY OK: depth=1, CN=openvpntest.morgan.kvm
Tue Sep 18 17:26:46 2018 VERIFY OK: nsCertType=SERVER
Tue Sep 18 17:26:46 2018 VERIFY KU OK
Tue Sep 18 17:26:46 2018 Validating certificate extended key usage
Tue Sep 18 17:26:46 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Sep 18 17:26:46 2018 VERIFY EKU OK
Tue Sep 18 17:26:46 2018 VERIFY OK: depth=0, CN=openvpntest.morgan.kvm
Tue Sep 18 17:26:46 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Sep 18 17:26:46 2018 [openvpntest.morgan.kvm] Peer Connection Initiated with [AF_INET]192.168.122.15:1194
Tue Sep 18 17:26:47 2018 SENT CONTROL [openvpntest.morgan.kvm]: 'PUSH_REQUEST' (status=1)
Tue Sep 18 17:26:47 2018 AUTH: Received control message: AUTH_FAILED
Tue Sep 18 17:26:47 2018 SIGTERM[soft,auth-failure] received, process exiting
---------

And in the server log I note "TLS Auth Error: Auth Username/Password verification failed for peer", which looks like a TLS issue?

--------------------------
Tue Sep 18 17:46:17 2018 us=534356 MULTI: multi_create_instance called
Tue Sep 18 17:46:17 2018 us=534567 192.168.122.223:54272 Re-using SSL/TLS context
Tue Sep 18 17:46:17 2018 us=534614 192.168.122.223:54272 LZO compression initializing
Tue Sep 18 17:46:17 2018 us=534806 192.168.122.223:54272 Control Channel MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Tue Sep 18 17:46:17 2018 us=534863 192.168.122.223:54272 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Sep 18 17:46:17 2018 us=534945 192.168.122.223:54272 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Tue Sep 18 17:46:17 2018 us=534973 192.168.122.223:54272 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Tue Sep 18 17:46:17 2018 us=535065 192.168.122.223:54272 TLS: Initial packet from [AF_INET]192.168.122.223:54272, sid=09635563 e216bb99
Tue Sep 18 17:46:17 2018 us=558083 192.168.122.223:54272 VERIFY OK: depth=1, CN=openvpntest.morgan.kvm
Tue Sep 18 17:46:17 2018 us=558234 192.168.122.223:54272 VERIFY KU OK
Tue Sep 18 17:46:17 2018 us=558255 192.168.122.223:54272 Validating certificate extended key usage
Tue Sep 18 17:46:17 2018 us=558266 192.168.122.223:54272 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Tue Sep 18 17:46:17 2018 us=558275 192.168.122.223:54272 VERIFY EKU OK
Tue Sep 18 17:46:17 2018 us=558282 192.168.122.223:54272 VERIFY OK: depth=0, CN=ovpn-client1
Tue Sep 18 17:46:17 2018 us=561418 192.168.122.223:54272 peer info: IV_VER=2.4.6
Tue Sep 18 17:46:17 2018 us=561465 192.168.122.223:54272 peer info: IV_PLAT=linux
Tue Sep 18 17:46:17 2018 us=561477 192.168.122.223:54272 peer info: IV_PROTO=2
Tue Sep 18 17:46:17 2018 us=561486 192.168.122.223:54272 peer info: IV_NCP=2
Tue Sep 18 17:46:17 2018 us=561494 192.168.122.223:54272 peer info: IV_LZ4=1
Tue Sep 18 17:46:17 2018 us=561502 192.168.122.223:54272 peer info: IV_LZ4v2=1
Tue Sep 18 17:46:17 2018 us=561510 192.168.122.223:54272 peer info: IV_LZO=1
Tue Sep 18 17:46:17 2018 us=561519 192.168.122.223:54272 peer info: IV_COMP_STUB=1
Tue Sep 18 17:46:17 2018 us=561538 192.168.122.223:54272 peer info: IV_COMP_STUBv2=1
Tue Sep 18 17:46:17 2018 us=561547 192.168.122.223:54272 peer info: IV_TCPNL=1
Tue Sep 18 17:46:17 2018 us=582461 192.168.122.223:54272 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Sep 18 17:46:17 2018 us=582524 192.168.122.223:54272 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
Tue Sep 18 17:46:17 2018 us=582571 192.168.122.223:54272 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Sep 18 17:46:17 2018 us=583059 192.168.122.223:54272 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Sep 18 17:46:17 2018 us=583119 192.168.122.223:54272 [ovpn-client1] Peer Connection Initiated with [AF_INET]192.168.122.223:54272
Tue Sep 18 17:46:18 2018 us=806322 192.168.122.223:54272 PUSH: Received control message: 'PUSH_REQUEST'
Tue Sep 18 17:46:18 2018 us=806438 192.168.122.223:54272 Delayed exit in 5 seconds
Tue Sep 18 17:46:18 2018 us=806484 192.168.122.223:54272 SENT CONTROL [ovpn-client1]: 'AUTH_FAILED' (status=1)
Tue Sep 18 17:46:24 2018 us=152743 192.168.122.223:54272 SIGTERM[soft,delayed-exit] received, client-instance exiting


--------------------------

However, if I change the ldap-auth config file to:

- uncomment: BindDN                dc=morgan,dc=kvm
- change: TLSEnable to no

This is the openvpn server output; I see "LDAP bind failed: Inappropriate authentication":

----------------
Tue Sep 18 17:49:06 2018 us=496975 MULTI: multi_create_instance called
Tue Sep 18 17:49:06 2018 us=497229 192.168.122.223:34170 Re-using SSL/TLS context
Tue Sep 18 17:49:06 2018 us=497303 192.168.122.223:34170 LZO compression initializing
Tue Sep 18 17:49:06 2018 us=497506 192.168.122.223:34170 Control Channel MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Tue Sep 18 17:49:06 2018 us=497578 192.168.122.223:34170 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Sep 18 17:49:06 2018 us=497731 192.168.122.223:34170 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Tue Sep 18 17:49:06 2018 us=497782 192.168.122.223:34170 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Tue Sep 18 17:49:06 2018 us=497855 192.168.122.223:34170 TLS: Initial packet from [AF_INET]192.168.122.223:34170, sid=a5214c27 7611da04
Tue Sep 18 17:49:06 2018 us=526256 192.168.122.223:34170 VERIFY OK: depth=1, CN=openvpntest.morgan.kvm
Tue Sep 18 17:49:06 2018 us=526469 192.168.122.223:34170 VERIFY KU OK
Tue Sep 18 17:49:06 2018 us=526498 192.168.122.223:34170 Validating certificate extended key usage
Tue Sep 18 17:49:06 2018 us=526514 192.168.122.223:34170 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Tue Sep 18 17:49:06 2018 us=526526 192.168.122.223:34170 VERIFY EKU OK
Tue Sep 18 17:49:06 2018 us=526538 192.168.122.223:34170 VERIFY OK: depth=0, CN=ovpn-client1
Tue Sep 18 17:49:06 2018 us=530464 192.168.122.223:34170 peer info: IV_VER=2.4.6
Tue Sep 18 17:49:06 2018 us=530517 192.168.122.223:34170 peer info: IV_PLAT=linux
Tue Sep 18 17:49:06 2018 us=530531 192.168.122.223:34170 peer info: IV_PROTO=2
Tue Sep 18 17:49:06 2018 us=530542 192.168.122.223:34170 peer info: IV_NCP=2
Tue Sep 18 17:49:06 2018 us=530552 192.168.122.223:34170 peer info: IV_LZ4=1
Tue Sep 18 17:49:06 2018 us=530561 192.168.122.223:34170 peer info: IV_LZ4v2=1
Tue Sep 18 17:49:06 2018 us=530571 192.168.122.223:34170 peer info: IV_LZO=1
Tue Sep 18 17:49:06 2018 us=530581 192.168.122.223:34170 peer info: IV_COMP_STUB=1
Tue Sep 18 17:49:06 2018 us=530591 192.168.122.223:34170 peer info: IV_COMP_STUBv2=1
Tue Sep 18 17:49:06 2018 us=530601 192.168.122.223:34170 peer info: IV_TCPNL=1
LDAP bind failed: Inappropriate authentication
Unable to bind as dc=morgan,dc=kvm
LDAP connect failed.
Tue Sep 18 17:49:06 2018 us=533422 192.168.122.223:34170 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Sep 18 17:49:06 2018 us=533448 192.168.122.223:34170 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
Tue Sep 18 17:49:06 2018 us=533486 192.168.122.223:34170 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Sep 18 17:49:06 2018 us=533860 192.168.122.223:34170 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Sep 18 17:49:06 2018 us=533904 192.168.122.223:34170 [ovpn-client1] Peer Connection Initiated with [AF_INET]192.168.122.223:34170
Tue Sep 18 17:49:07 2018 us=545087 192.168.122.223:34170 PUSH: Received control message: 'PUSH_REQUEST'
Tue Sep 18 17:49:07 2018 us=545217 192.168.122.223:34170 Delayed exit in 5 seconds
Tue Sep 18 17:49:07 2018 us=545272 192.168.122.223:34170 SENT CONTROL [ovpn-client1]: 'AUTH_FAILED' (status=1)
Tue Sep 18 17:49:12 2018 us=665108 192.168.122.223:34170 SIGTERM[soft,delayed-exit] received, client-instance exiting

---------------------------

Also on the IPA server (using the above method):

-----------------
[18/Sep/2018:17:49:05.953156501 +0100] conn=689 fd=112 slot=112 connection from 192.168.122.15 to 192.168.122.20
[18/Sep/2018:17:49:05.953488573 +0100] conn=689 op=0 BIND dn="dc=morgan,dc=kvm" method=128 version=3
[18/Sep/2018:17:49:05.953862643 +0100] conn=689 op=0 RESULT err=48 tag=97 nentries=0 etime=0.0000670081
[18/Sep/2018:17:49:05.954298020 +0100] conn=689 op=1 UNBIND
[18/Sep/2018:17:49:05.954317117 +0100] conn=689 op=1 fd=112 closed - U1
------------------

Can anyone help me here, i.e. do I use TLSEnable? Do I set a BINDDN? Do I need the password? And is my BASEDN set correctly?

Any help would be welcomed.

Using auth-pam it works (but not with OTP).


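The IPA access log excerpt above is the directory's side of the failed bind, and reading it next to the plugin's "LDAP bind failed" line is the quickest way to see which bind DN and which LDAP result code were actually involved. The following is an added diagnostic script, not code from the thread or from openvpn-auth-ldap: it pairs each BIND in a 389-ds access log with its RESULT by (conn, op), names the result code per RFC 4511, and flags failed binds. The sample input embeds the five log lines posted above plus a constructed second connection (conn=690, a hypothetical service account uid=svc-vpn) to show what a successful bind-then-search looks like. The hint for err=48 reflects 389-ds behaviour for a simple bind against an entry that carries no userPassword; the other hints are general.

```python
"""Correlate BIND and RESULT entries in a 389-ds / FreeIPA access log.

Added diagnostic (not from the thread): pairs each BIND with its RESULT by
(conn, op), names the LDAP result code, and flags failed binds so the
plugin's "LDAP bind failed" message can be matched to the directory's view.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Result codes from RFC 4511 Appendix A that matter for a bind/search auth flow.
LDAP_RESULT_NAMES = {
    0: "success",
    13: "confidentialityRequired",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# 389-ds writes method=128 for simple binds and method=sasl for SASL binds.
BIND_METHOD_NAMES = {"128": "simple", "sasl": "sasl"}

# Operator-facing hints. The err=48 text describes 389-ds behaviour: a simple
# bind against an entry that exists but has no userPassword attribute.
HINTS = {
    48: "bind DN exists but has no userPassword (a suffix/container entry, not a user account)",
    49: "bind DN not found or wrong password",
    13: "server requires the bind to travel over TLS",
}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+(?P<rest>.*)$")
CONN_RE = re.compile(r"connection from (?P<src>\S+) to (?P<dst>\S+)")
BIND_RE = re.compile(r'op=(?P<op>\d+)\s+BIND\s+dn="(?P<dn>[^"]*)"\s+method=(?P<method>\S+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+)\s+RESULT\s+err=(?P<err>\d+)")


@dataclass
class BindAttempt:
    conn: str
    op: str
    dn: str
    method: str
    source: str
    err: Optional[int] = None  # None until the matching RESULT line is seen

    @property
    def result_name(self) -> str:
        if self.err is None:
            return "no RESULT logged"
        return LDAP_RESULT_NAMES.get(self.err, f"err={self.err}")

    @property
    def failed(self) -> bool:
        return self.err is None or self.err != 0

    def explain(self) -> str:
        who = self.dn or "<anonymous>"
        verdict = "OK" if not self.failed else f"FAILED ({self.result_name})"
        hint = HINTS.get(self.err, "")
        text = f"conn={self.conn} from {self.source}: {self.method} bind as {who}: {verdict}"
        return f"{text}; {hint}" if hint and self.failed else text


def parse_access_log(lines: List[str]) -> List[BindAttempt]:
    """Walk the log once, remembering each connection's source and open binds."""
    sources: Dict[str, str] = {}
    pending: Dict[Tuple[str, str], BindAttempt] = {}
    attempts: List[BindAttempt] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        c = CONN_RE.search(rest)
        if c:
            sources[conn] = c.group("src")
            continue
        b = BIND_RE.search(rest)
        if b:
            method = BIND_METHOD_NAMES.get(b.group("method"), b.group("method"))
            a = BindAttempt(conn, b.group("op"), b.group("dn"), method, sources.get(conn, "?"))
            pending[(conn, a.op)] = a
            attempts.append(a)
            continue
        r = RESULT_RE.search(rest)
        if r:
            a = pending.pop((conn, r.group("op")), None)
            if a is not None:  # RESULT lines for SRCH etc. have no pending bind
                a.err = int(r.group("err"))
    return attempts


def failed_binds(lines: List[str]) -> List[BindAttempt]:
    return [a for a in parse_access_log(lines) if a.failed]


# Sample input: the five lines posted from the IPA server, followed by a
# constructed connection (conn=690, hypothetical account uid=svc-vpn) that
# binds successfully and then searches for uid=testuser.
SAMPLE_ACCESS_LOG = """\
[18/Sep/2018:17:49:05.953156501 +0100] conn=689 fd=112 slot=112 connection from 192.168.122.15 to 192.168.122.20
[18/Sep/2018:17:49:05.953488573 +0100] conn=689 op=0 BIND dn="dc=morgan,dc=kvm" method=128 version=3
[18/Sep/2018:17:49:05.953862643 +0100] conn=689 op=0 RESULT err=48 tag=97 nentries=0 etime=0.0000670081
[18/Sep/2018:17:49:05.954298020 +0100] conn=689 op=1 UNBIND
[18/Sep/2018:17:49:05.954317117 +0100] conn=689 op=1 fd=112 closed - U1
[18/Sep/2018:17:50:00.000000000 +0100] conn=690 fd=113 slot=113 connection from 192.168.122.15 to 192.168.122.20
[18/Sep/2018:17:50:00.000100000 +0100] conn=690 op=0 BIND dn="uid=svc-vpn,cn=users,cn=accounts,dc=morgan,dc=kvm" method=128 version=3
[18/Sep/2018:17:50:00.000200000 +0100] conn=690 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001000000
[18/Sep/2018:17:50:00.000300000 +0100] conn=690 op=1 SRCH base="dc=morgan,dc=kvm" scope=2 filter="(uid=testuser)" attrs=ALL
[18/Sep/2018:17:50:00.000400000 +0100] conn=690 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0001000000
"""

if __name__ == "__main__":
    for attempt in parse_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print(attempt.explain())
```

Run it against a real access log with `parse_access_log(open("/var/log/dirsrv/slapd-INSTANCE/access").read().splitlines())` (path is the usual 389-ds layout; INSTANCE is a placeholder). For the posted lines it reports conn=689 as a simple bind as dc=morgan,dc=kvm that failed with inappropriateAuthentication, which is the directory's view of the plugin's "Unable to bind as dc=morgan,dc=kvm".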

On Mon, 17 Sep 2018 at 18:37, Rob Crittenden <rcritten@redhat.com> wrote:
Morgan Cox via FreeIPA-users wrote:
> Hi.
>
> I have been trying to integrate openvpn with Freeipa, general
> integration (i.e using IPA user password) works fine, my issue is
> connecting it with 2FA (OTP), without writing an external script it is
> not possible to use OTP + IPA + openvpn as there is no mechanism to ask
> for 2nd factor in openvpn and only sshd is set up for 2nd factor
> - reasons are explained in this reddit post ->
>
> https://www.reddit.com/r/linuxadmin/comments/5wjqs6/freeipa_openvpn_otp_token_not_working/
>
> I was advised however that openvpn-auth-ldap can be used as it's set up so
> you can input PASS+OTPTOKEN as the password field,
>
> What I do not understand is what to enter in the
> /etc/openvpn/auth/ldap.conf config, I was advised I could get the data I
> need using ldapsearch with similar syntax to
>
> # ldapsearch -ZZ -W -L ldap://ipa.example.org
> -b dc=example,dc=org -D uid=testuser,cn=users,cn=accounts,dc=example,dc=org

TLSEnable is enabled by default on IPA systems in
/etc/openldap/ldap.conf. The first -Z means enable startTLS which is
already enabled. The second -Z means quit on failure which it does
because startTLS is already enabled.

> However I found using this syntax I just got the error
>
> " ldap_start_tls: Operations error (1), additional info: SSL connection
> already established"
>
> I have found working commands to query LDAP such as
>
> # ldapsearch   -LL  -Y GSSAPI

It is more or less equivalent, using GSSAPI and your current Kerberos
credentials rather than TLS and simple bind.

> However I am really not sure what info I need to get.

I don't know what you need for this either.

>
> The config for auth-ldap is at the end of the message, the only parts I
> think I know are
> (btw the ipa server is called ipa1.morgan.kvm)
>
> ---
> URL ldap://ipa1.morgan.kvm
> TLSCACertFile   /etc/ipa/ca.crt
> ---
>
> (this may be wrong..) I am unsure about the BaseDN and TLS cert paths, etc

The basedn for what, users? You can get the basedn for the server from
/etc/ipa/default.conf

The container for users is cn=users,cn=accounts,$BASEDN

Not sure which cert paths you need either but the CA cert chain is in
/etc/ipa/ca.crt as you seem to have configured.

rob

>
> Can anyone help ?
>
> The config is below
>
> --------------
> <LDAP>
>         # LDAP server URL
>         URL             ldap://ipa1.morgan.kvm
>
>         # Bind DN (If your LDAP server doesn't support anonymous binds)
>         # BindDN                uid=Manager,ou=People,dc=example,dc=com
>
>         # Bind Password
>         # Password      SecretPassword
>
>         # Network timeout (in seconds)
>         Timeout         15
>
>         # Enable Start TLS
>         TLSEnable       yes
>
>         # Follow LDAP Referrals (anonymously)
>         FollowReferrals yes
>
>         # TLS CA Certificate File
>         TLSCACertFile   /etc/ipa/ca.crt
>
>         # TLS CA Certificate Directory
>         TLSCACertDir    /etc/ssl/certs
>
>         # Client Certificate and key
>         # If TLS client authentication is required
>         TLSCertFile     /usr/local/etc/ssl/client-cert.pem
>         TLSKeyFile      /usr/local/etc/ssl/client-key.pem
>
>         # Cipher Suite
>         # The defaults are usually fine here
>         # TLSCipherSuite        ALL:!ADH:@STRENGTH
> </LDAP>
>
> <Authorization>
>         # Base DN
>         BaseDN          "ou=People,dc=example,dc=com"
>
>         # User Search Filter
>         SearchFilter    "(&(uid=%u)(accountStatus=active))"
>
>         # Require Group Membership
>         RequireGroup    false
>
>         # Add non-group members to a PF table (disabled)
>         #PFTable        ips_vpn_users
>
>         <Group>
>                 BaseDN          "ou=Groups,dc=example,dc=com"
>                 SearchFilter    "(|(cn=developers)(cn=artists))"
>                 MemberAttribute uniqueMember
>                 # Add group members to a PF table (disabled)
>                 #PFTable        ips_vpn_eng
>         </Group>
> </Authorization>
>
> --------------
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>