The pfSense Store

Author Topic: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2  (Read 39683 times)

0 Members and 1 Guest are viewing this topic.

Offline eureka

  • Jr. Member
  • **
  • Posts: 46
    • View Profile
    • The Fusion Network
Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« Reply #15 on: May 07, 2010, 11:15:11 am »
Thats an interesting error!
Try reinstalling openvpn. That may solve the issue.

From Command line run the following:
pkg_add -r openvpn

That should force a reinstall of the openvpn package and its needed packages... Let me know if this fixes things for you.
If not i can try to create a vhost image for you to check out. It could be something setup in the vhost image you are using possibly.

-E

Offline federicoha

  • Jr. Member
  • **
  • Posts: 40
    • View Profile
Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« Reply #16 on: May 10, 2010, 08:51:57 am »
eureka, thanks for your answer..

I try what you suggest, but cannnot reinstall openvpn

Code: [Select]
# pkg_add -r openvpn
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/openvpn.tbz... Done.
pkg_add: package 'openvpn-2.0.6_9' or its older version already installed
#                                                                               

i try force reinstall, but always tell me the same

Code: [Select]
# pkg_add -F -r openvpn
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/openvpn.tbz... Done.
pkg_add: package 'openvpn-2.0.6_9' or its older version already installed (ignored)

Btw, try to connect the client again if something changes, but cannot...

Can we try with the vhost you tell me?

Thanks in advance.

Regards.

Offline eureka

  • Jr. Member
  • **
  • Posts: 46
    • View Profile
    • The Fusion Network
Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« Reply #17 on: May 10, 2010, 09:52:14 am »
Ill see what I can do to get a vhost setup for you to play with.
Do you prefer vmware or xen?

-E

eureka, thanks for your answer..

I try what you suggest, but cannnot reinstall openvpn

Code: [Select]
# pkg_add -r openvpn
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/openvpn.tbz... Done.
pkg_add: package 'openvpn-2.0.6_9' or its older version already installed
#                                                                               

i try force reinstall, but always tell me the same

Code: [Select]
# pkg_add -F -r openvpn
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/openvpn.tbz... Done.
pkg_add: package 'openvpn-2.0.6_9' or its older version already installed (ignored)

Btw, try to connect the client again if something changes, but cannot...

Can we try with the vhost you tell me?

Thanks in advance.

Regards.

Offline federicoha

  • Jr. Member
  • **
  • Posts: 40
    • View Profile
Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« Reply #18 on: May 10, 2010, 12:16:40 pm »
Vmware please if you can.

Thanks.

Offline eureka

  • Jr. Member
  • **
  • Posts: 46
    • View Profile
    • The Fusion Network
Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« Reply #19 on: July 01, 2010, 12:22:03 pm »
Hi,
 Ive uploaded a virtual appliance of this here.

www.fusionnetwork.us/tutorials/uploads/pfsense/PfSense_withOpenVPN_LDAP.zip

This should work once you configure the ldap side of things correctly. If you still are having problems please post back. Also... Sorry this took so long to upload... Work is crazy o.0

-E

Offline federicoha

  • Jr. Member
  • **
  • Posts: 40
    • View Profile
Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« Reply #20 on: July 21, 2010, 09:48:18 am »
Eureka, thanks for your time...

I download your appliance and work ok, only have problem right now with the connection to AD, but is my problem now :)

When i get to work, i let you know...

Thanks for your help again...

Offline eureka

  • Jr. Member
  • **
  • Posts: 46
    • View Profile
    • The Fusion Network
Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« Reply #21 on: July 21, 2010, 10:18:02 am »
Eureka, thanks for your time...

I download your appliance and work ok, only have problem right now with the connection to AD, but is my problem now :)

When i get to work, i let you know...

Thanks for your help again...

Glad to hear you got it working. If you keep having problems with the AD setup let me know. I have a friend that has to work with AD a lot and might be useful =)

-E

Offline federicoha

  • Jr. Member
  • **
  • Posts: 40
    • View Profile
Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« Reply #22 on: July 22, 2010, 10:41:54 am »
well :):)

If your friend can help me, i really appreciate

He need the error in system log?

Regards

Offline eureka

  • Jr. Member
  • **
  • Posts: 46
    • View Profile
    • The Fusion Network
Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« Reply #23 on: July 22, 2010, 11:00:13 am »
well :):)

If your friend can help me, i really appreciate

He need the error in system log?

Regards

Yeah, Any errors you have either on PF or in AD would be great!
-E

Offline chetansaundankar

  • Newbie
  • *
  • Posts: 5
    • View Profile
Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« Reply #24 on: November 26, 2010, 11:20:35 am »
Thanks a lot for this. I was able to get it working.
However I have observed some strange behavior,

Setup
-------
- My setup has pfsense 1.2.3 & OpenDS 2.2 as ldap provider.
- In ldap, I have base DN as "dc=baseorg,dc=com".
- There are two sub domains - "dc=orgone,dc=baseorg,dc=com", "dc=orgtwo,dc=baseorg,dc=com".
- Theres a user in each subdomain called "testuser".
- BaseDN in authorization section of the config is set to "dc=baseorg,dc=com".
- RequireGroup in authorization section of the config file is set to false

Behavior - 1
---------------
Test: If I try to authenticate with testuser@baseorg.com
Expected Behavior - Ideally auth should fail as the user belongs to one of the sub-domain.
Actual Behavior - User gets authenticated successfully.
Question - Is this an expected behavior?


Behavior - 2
---------------
Test: If I try to authenticate with junk values whatever@abcd.com
Expected Behavior - Ideally auth should fail with an error message for incorrect username or domain.
Actual Behavior - A line in openvpn log - Incorrect password supplied for LDAP DN "cn=testuser,dc=orgtwo,dc=baseorg,dc=com".
Question - How come "cn=testuser,dc=orgtwo,dc=baseorg,dc=com" is referred when the values are junk?


Offline eureka

  • Jr. Member
  • **
  • Posts: 46
    • View Profile
    • The Fusion Network
Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« Reply #25 on: November 26, 2010, 12:49:38 pm »
Thanks a lot for this. I was able to get it working.
However I have observed some strange behavior,

Setup
-------
- My setup has pfsense 1.2.3 & OpenDS 2.2 as ldap provider.
- In ldap, I have base DN as "dc=baseorg,dc=com".
- There are two sub domains - "dc=orgone,dc=baseorg,dc=com", "dc=orgtwo,dc=baseorg,dc=com".
- Theres a user in each subdomain called "testuser".
- BaseDN in authorization section of the config is set to "dc=baseorg,dc=com".
- RequireGroup in authorization section of the config file is set to false

Behavior - 1
---------------
Test: If I try to authenticate with testuser@baseorg.com
Expected Behavior - Ideally auth should fail as the user belongs to one of the sub-domain.
Actual Behavior - User gets authenticated successfully.
Question - Is this an expected behavior?


Behavior - 2
---------------
Test: If I try to authenticate with junk values whatever@abcd.com
Expected Behavior - Ideally auth should fail with an error message for incorrect username or domain.
Actual Behavior - A line in openvpn log - Incorrect password supplied for LDAP DN "cn=testuser,dc=orgtwo,dc=baseorg,dc=com".
Question - How come "cn=testuser,dc=orgtwo,dc=baseorg,dc=com" is referred when the values are junk?





Hi!.
1. With the current setup that is the expected behavior. You have to modify the ldap strings to make it exclude all other sections when running a lookup. I may have this setup somewhere. Ill see if ive got an example.
2. I know it seems annoying that it is referencing the LDAP dn when a user's auth fails but I think that has more to do with the plugin used. Its referencing the DN as it is possible to have more than one DN. This way if you had users in different groups/areas you are trying to auth them from it would reference the correct location of the user to make it easier to track down.

Offline eureka

  • Jr. Member
  • **
  • Posts: 46
    • View Profile
    • The Fusion Network
Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« Reply #26 on: November 26, 2010, 12:54:49 pm »
Im not sure how valid my example is....this is from a system that i was at one time running LDAP auth for VPN.

Look at this section of your /usr/local/etc/openvpn-auth-ldap.conf file


Code: [Select]
<Authorization>
        # Base DN
        BaseDN          "ou=YourDomain,dc=hjs,dc=local"

        # User Search Filter
        SearchFilter    "(&(uid=%u))"

        # Require Group Membership
        RequireGroup    false

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "ou=YourDomain,dc=hjs,dc=local"
                SearchFilter    "ou=users"
                MemberAttribute uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>

Take note of the:

        # User Search Filter
        SearchFilter    "(&(uid=%u))"
and
        SearchFilter    "ou=users"

Sections.. Make sure this is a filter that will work for the group you want to authenticate users from.

I hope this helps. If you are still having problems let me know and I will see if i can dig up any other examples.

Offline chetansaundankar

  • Newbie
  • *
  • Posts: 5
    • View Profile
Re: HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2
« Reply #27 on: November 28, 2010, 11:49:47 pm »
@eureka, Thanks for the suggestions.
I will try out your suggestions & get back to you with the results.

Before I try out though, I would like to tell you that sub-domain to search into is not known @ deployment time. Sub-domains & Users in that sub-domain are getting added dynamically, there could be hundreds of sub-domains in one root domain so fixing group BaseDN wont be possible. I had commented out <Group>...</Group> section completely when I had tested.

Also, I would like to know what exactly "%u" does in filter (&(uid=%u)).

« Last Edit: November 29, 2010, 12:12:55 am by chetansaundankar »