[PATCH] RFC2307 group support #7

Open
GoogleCodeExporter opened this issue Jun 21, 2015 · 30 comments
@GoogleCodeExporter

What steps will reproduce the problem?

testplugin /etc/openvpn/rusers.auth
Username: shin.andrey
Password: 
Authorization Failed!
No matching LDAP group found for user DN
"cn=shin.andrey,ou=users,dc=XXX,dc=local", and group membership is required.
client-connect failed!
No matching LDAP group found for user DN
"cn=shin.andrey,ou=users,dc=XXX,dc=local", and group membership is required.
client-disconnect failed!

What is the expected output? What do you see instead?

I see that the authorization was successful, but I am getting that failure.

What version of the product are you using? On what operating system?

OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Feb 20 2008
auth-ldap-2.0.3
DISTRIB_DESCRIPTION="Ubuntu 8.04"
Linux dir 2.6.24-16-server

Please provide any additional information below.

<LDAP> 
        URL             ldap://dir   
        BindDN          cn=admin,dc=XXX,dc=local      
        Password        pass
        Timeout         15
</LDAP>
<Authorization>    
        BaseDN          "dc=XXX,dc=local"     
        SearchFilter     "(&(objectClass=posixAccount)(cn=%u))"   
        RequireGroup    true      
        <Group>
                BaseDN              "ou=groups,dc=XXX,dc=local"
                SearchFilter        "(cn=Jabber)"
                MemberAttribute     memberUid       
        </Group>
</Authorization>

ldapsearch -x -b "ou=groups,dc=XXX,dc=local" -D "cn=admin,dc=XXX,dc=local" -W "(&(cn=Jabber)(memberUid=shin.andrey))"
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=groups,dc=XXX,dc=local> with scope subtree
# filter: (&(cn=Jabber)(memberUid=shin.andrey))
# requesting: ALL
#

# Jabber, groups, XXX.local
dn: cn=Jabber,ou=groups,dc=XXX,dc=local
objectClass: posixGroup
objectClass: top
cn: Jabber
gidNumber: 1006
memberUid: shin.andrey

Original issue reported on code.google.com by louk...@gmail.com on 6 Dec 2008 at 9:34

fredericve pushed a commit to fredericve/openvpn-auth-ldap that referenced this issue Aug 27, 2015

@q5616417

Hello,
Either I am too silly or it still does not work on Debian stretch. I used the ubuntu-build-script, which passes without error. But the ubuntu-package-script gives "Invalid package configuration: Cannot package the path '/tmp/openvpn-auth-ldap-build/1', does it exist? {:level=>:error}"
./configure finishes with an error because it can't find the openvpn sources. I got them from http://deb.debian.org/debian/pool/main/o/openvpn/openvpn_2.4.0.orig.tar.gz and started ./configure --with-openvpn=../openvpn-2.4.0/src/ but it still says "Could not locate a working openvpn source tree."
Nevertheless, the ubuntu-build-script obviously creates a src/openvpn-auth-ldap.so which I copied to /usr/local/lib. I made the appropriate changes in the auth-ldap.conf:

RequireGroup true

RFC2307bis true
BaseDN "ou=Groups,dc=mydomain,dc=tld"
SearchFilter "(|(cn=VPN-Users))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng

And in the server.conf:
plugin "/usr/local/lib/openvpn-auth-ldap.so" "/etc/openvpn/auth/auth-ldap.conf"

But I still get authentication failures, that I don't get if "RequireGroup false" is set.
I verified that the user I take for login is in VPN-Users group.

So, for my comfort it would be great to have a working .deb-package for Debian stable. If this is not possible, any advice that helps me to authenticate against my "VPN-Users" group would be appreciated.

Thank you in advance

Thomas

@k0ste

k0ste commented May 14, 2019

> So, for my comfort it would be great to have a working .deb-package for Debian stable. If this is not possible, any advice that helps me to authenticate against my "VPN-Users" group would be appreciated.

https://packages.debian.org/buster/openvpn-auth-ldap

@q5616417

Hello k0ste,
thank you very much for your advice. I installed the Debian testing package (after satisfying the dependencies) but it still did not want to work. I don't know why. But I found a workaround for me: I am filtering the group in the User SearchFilter:

# User Search Filter
SearchFilter "(&(uid=%u)(objectClass=person)(memberof=cn=vpnusergroup,ou=groups,dc=mydomain,dc=tld))"

Now I'm curious if this would work with the version of openvpn-ldap-auth in the debian-stable-package, too. Trying it out.

Best regards

Thomas
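
Added example, not part of the thread and not the plugin's code: the group in the first post stores bare usernames in memberUid (RFC 2307), so a check that compares the user's DN against that attribute cannot match, while DN-valued attributes such as uniqueMember need the DN comparison. The entries are constructed from the values in the posts; `is_member`, `members_are_dns`, the other function names and the `uid=thomas` DN are assumptions.

```python
# Constructed entries modelled on the values posted in the thread.
JABBER = {"dn": "cn=Jabber,ou=groups,dc=XXX,dc=local",
          "memberUid": ["shin.andrey"]}            # RFC 2307 posixGroup: bare uids
VPN_USERS = {"dn": "cn=VPN-Users,ou=Groups,dc=mydomain,dc=tld",
             "uniqueMember": ["uid=thomas,ou=users,dc=mydomain,dc=tld"]}  # DNs

def normalize_dn(dn):
    """Simplified DN key: lower-case, no spaces around commas (no escaped commas)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def is_member(group, member_attr, user_dn, username, members_are_dns):
    """Hypothetical check: compare the DN or the bare username to the attribute."""
    values = group.get(member_attr, [])
    if members_are_dns:
        return normalize_dn(user_dn) in {normalize_dn(v) for v in values}
    return username in values  # memberUid values are compared case-exactly

def escape_filter_value(value):
    """Escape the RFC 4515 special characters before placing a value in a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_filter(group_cn, member_attr, member_value):
    """Build the combined group+member filter used in the post's ldapsearch."""
    return "(&(cn=%s)(%s=%s))" % (escape_filter_value(group_cn), member_attr,
                                  escape_filter_value(member_value))

def demo():
    dn = "cn=shin.andrey,ou=users,dc=XXX,dc=local"
    return {
        # DN compared with memberUid: reproduces "No matching LDAP group found"
        "dn_vs_memberUid": is_member(JABBER, "memberUid", dn, "shin.andrey", True),
        # bare username compared with memberUid: the RFC 2307 behaviour
        "uid_vs_memberUid": is_member(JABBER, "memberUid", dn, "shin.andrey", False),
        "filter": group_filter("Jabber", "memberUid", "shin.andrey"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The same escaping applies to any value substituted for `%u` in a SearchFilter, including the memberof workaround above.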
