HOWTO - OpenVPN + LDAP authentication in pfSense 1.2.2



  • Here’s a quick and dirty guide on getting OpenVPN to authenticate against LDAP in pfSense 1.2.2. This may not work for every install, but it worked on a bare install for me. I suggest you have a functional OpenVPN server instance before making these changes:

    On the pfsense box:

    1. Use pkg_add -r to install the following packages: openvpn-auth-ldap, gcc43, gmake, texinfo
        - texinfo and gmake are not explicitly needed for this install, but some FreeBSD 7.0 ports fail on installation without them

    2. Under VPN -> OpenVPN -> Server, add plugin /usr/local/lib/openvpn-auth-ldap.so /usr/local/etc/auth-ldap.conf to the Custom Options field of the server instance which will be tied to LDAP.

    3. Paste the openvpn-auth-ldap configuration template from http://code.google.com/p/openvpn-auth-ldap/wiki/Configuration into /usr/local/etc/openvpn-auth-ldap.conf (or whichever location you would like to use; just make sure that the line in your OpenVPN Custom Options from step 2 matches this location). Edit this configuration to your liking.

    4. Symlink /usr/local/lib/gcc-4.3.0/libobjc.so.2 to /usr/local/lib/libobjc.so.3

    5. Restart the OpenVPN service with killall -HUP openvpn, or by clicking Save on the WebGUI configuration page.

    On clients

    The only change that needs to be made on connecting client configurations is the addition of the auth-user-pass directive. Upon connecting, the client will ask for a username and password, which will be forwarded to the server for authentication; the server will check those supplied credentials against the LDAP server specified in the openvpn-auth-ldap configuration file.

    ** NOTES **

    If anyone has a clean way to solve the missing libobjc.so.3 library, throw it up here. If that gets solved, then this whole setup could be included as a viable option in the normal pfSense releases.



  • stickied 🙂

    To point 2:
    2. Edit the openvpn_server conf in /var/etc for the instance you want to auth against LDAP, adding the line: plugin /usr/local/lib/openvpn-auth-ldap.so /usr/local/etc/openvpn-auth-ldap.conf

    Couldn't you add this line to the “custom commands” box?



  • A fine point 🙂 Edited to reflect that.



  • I am having some problems with the installation on pfSense 1.2.2

    I have done the following from SSH:

    # setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/
    # pkg_add -r openvpn-auth-ldap
    # pkg_add -r gcc43
    # pkg_add -r gmake
    # pkg_add -r texinfo
    # ln -s /usr/local/lib/gcc-4.3.4/libobjc.so.2 /usr/local/lib/libobjc.so.3

    Created the file ‘/usr/local/etc/openvpn-auth-ldap.conf’

    Added the following under ‘Custom options’ from within the WebGUI and OpenVPN Server:

    plugin /usr/local/lib/openvpn-auth-ldap.so /usr/local/etc/openvpn-auth-ldap.conf

    However, I get the following error:
    Apr 30 12:32:17 openvpn[6946]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Nov 9 2008
    Apr 30 12:32:17 openvpn[6946]: PLUGIN_INIT: could not load plugin shared object /usr/local/lib/openvpn-auth-ldap.so: Shared object “libgssapi.so.9” not found, required by “libldap-2.4.so.6”: Invalid argument (errno=22)
    Apr 30 12:32:17 openvpn[6946]: Exiting



  • I am experiencing the exact problem above with libgssapi.so.9 not found.

    Has anyone resolved this issue?



  • I did not manage to get it working with 1.2.2, so I tried with the newly released 1.2.3-RC1 and everything is working great now 🙂

    1.2.3-RC1 has been very stable for me; it has not been down once since I installed it at two locations. They are both connected with IPsec VPN and one of them has OpenVPN with around 25 users.

    The number One Firewall …



  • I’m guessing this is not possible on the embedded version, correct?



  • On the embedded version, everything is possible that is available on the full version.
    The only difference is that the package manager is disabled and the filesystem is mounted read-only.



  • By having the clients type in a username and password, would this give them more privileges, like if they were physically on the network? E.g. if I am just a domain user I would have basic privileges, so I wouldn’t have access to files that can be accessed by administrators.



  • If anyone is interested, the auth-ldap.conf code below should work with Active Directory.
    A few things were modified from the code in the OP link, so back up your current conf file if you have one.
    I did a quick test against an SBS2003 server.
    I added a security group called “OpenVPNUsers” and added users to that group for OpenVPN access.
    So the user will need to be part of that group for OpenVPN access.
    I need to test a bit more when I am off site next, but it seemed to work fine the first time around.

    Somewhere in another thread it was noted that people are using the administrator account for AD lookups; if you are, please change to a non-admin account.
    I would also change your administrator password if you have been using it for lookups.

    You should also add this line to your clients if you do not want your passwords cached on the client side.
    auth-nocache

    KEY fields: make sure you add your info for the URL, cn=BindUser, BindUserPassWord, and the SearchFilter for the group name.

    <ldap>
           # LDAP server URL
           URL             ldap://Enter Your DC IP /Hostname here

           # Bind DN (If your LDAP server doesn't support anonymous binds)
           BindDN          cn=BindUser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=local

           # Bind Password
           Password        BindUserPassWord

           # Network timeout (in seconds)
           Timeout         15

           # Enable Start TLS
           # TLSEnable       no

           # Follow LDAP Referrals (anonymously)
           FollowReferrals no

           # TLS CA Certificate File
           TLSCACertFile   /usr/local/etc/ssl/ca.pem

           # TLS CA Certificate Directory
           TLSCACertDir    /etc/ssl/certs

           # Client Certificate and key
           # If TLS client authentication is required
           TLSCertFile     /usr/local/etc/ssl/client-cert.pem
           TLSKeyFile      /usr/local/etc/ssl/client-key.pem

           # Cipher Suite
           # The defaults are usually fine here
           # TLSCipherSuite        ALL:!ADH:@STRENGTH
    </ldap>

    <authorization>
           # Base DN
           BaseDN          "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=local"

           # User Search Filter
           SearchFilter    "sAMAccountName=%u"

           # Require Group Membership
           RequireGroup    true

           # Add non-group members to a PF table (disabled)
           #PFTable        ips_vpn_users

           <group>
                   BaseDN          "OU=Security Groups,OU=MyBusiness,DC=domain,DC=local"
                   SearchFilter    "CN=OpenVPNUsers"
                   MemberAttribute Member
                   # Add group members to a PF table (disabled)
                   #PFTable        ips_vpn_eng
           </group>
    </authorization>

    Tested with PFSense 1.2.3 RC3
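A point worth checking in the config above: the URL is ldap:// and TLSEnable is commented out, so both the BindUser password and each user's VPN password travel to the domain controller as cleartext simple binds. As an added example (not code from the thread or from the openvpn-auth-ldap project), the Python below parses the plugin's section syntax as posted, including the pasted form where tags are glued to neighbouring lines, and runs the checks a reviewer would want before pointing a VPN at a directory: cleartext bind, CA configuration when TLS is on, bind password in the file, an administrative bind account (the warning in the post above), RequireGroup off, and a SearchFilter without %u. The host name dc1.domain.local and the passwords are made up.

```python
import re
from typing import Dict, List, Tuple, Union

# Added example, not from the thread. A small parser for the openvpn-auth-ldap
# configuration syntax used above (Apache-style <section> blocks of "Key value"
# lines, '#' comments) and the checks a reviewer would run on such a file.
# Host names and passwords below are made up.

Section = Dict[str, Union[str, "Section"]]

_TAG = re.compile(r"(</?[A-Za-z_]+>)")


def parse_auth_ldap_conf(text: str) -> Section:
    root: Section = {}
    stack: List[Tuple[str, Section]] = [("", root)]
    # Pasted configs often glue a tag to the next comment ("<ldap># LDAP server URL")
    # or to the previous key; give every tag its own line before walking the file.
    # (A tag literal inside a comment would also be split; the format has no such use.)
    for raw in _TAG.sub(r"\n\1\n", text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            name = line[2:-1]
            if stack[-1][0] != name:
                raise ValueError(f"unexpected </{name}>")
            stack.pop()
        elif line.startswith("<"):
            child: Section = {}
            stack[-1][1][line[1:-1]] = child
            stack.append((line[1:-1], child))
        else:
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            # Accept straight or typographic quotes; web pasting converts them.
            stack[-1][1][parts[0]] = value.strip('"\'“”')
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1][0]}>")
    return root


def audit(conf: Section) -> List[Tuple[str, str]]:
    """Security findings as (code, explanation) pairs, in a fixed order."""
    ldap = conf.get("ldap", {})
    authz = conf.get("authorization", {})
    findings: List[Tuple[str, str]] = []
    url = str(ldap.get("URL", "")).lower()
    starttls = str(ldap.get("TLSEnable", "no")).lower() == "yes"
    if url.startswith("ldap://") and not starttls:
        findings.append(("CLEARTEXT_BIND",
                         "ldap:// without 'TLSEnable yes': the bind password and every VPN "
                         "user's password reach the directory unencrypted"))
    if (url.startswith("ldaps://") or starttls) and not (
            ldap.get("TLSCACertFile") or ldap.get("TLSCACertDir")):
        findings.append(("NO_CA_CONFIGURED",
                         "TLS is on but no TLSCACertFile/TLSCACertDir; confirm the server "
                         "certificate is actually validated"))
    if "Password" in ldap:
        findings.append(("BIND_PASSWORD_IN_FILE",
                         "the bind password is in this file; keep it root-owned, mode 0600"))
    bind_dn = str(ldap.get("BindDN", "")).lower()
    if "administrator" in bind_dn or bind_dn.startswith("cn=admin"):
        findings.append(("PRIVILEGED_BIND_ACCOUNT",
                         "bind account looks administrative; use a dedicated read-only one"))
    if str(authz.get("RequireGroup", "false")).lower() != "true":
        findings.append(("NO_GROUP_GATE",
                         "RequireGroup is not true: any account under BaseDN that can bind "
                         "gets VPN access"))
    elif "group" not in authz:
        findings.append(("GROUP_BLOCK_MISSING", "RequireGroup true but no <group> block"))
    if "%u" not in str(authz.get("SearchFilter", "")):
        findings.append(("FILTER_IGNORES_USERNAME", "SearchFilter has no %u placeholder"))
    return findings


# Constructed: the Active Directory config from the post, glued tags and all,
# with StartTLS left commented out as posted. dc1.domain.local is a placeholder.
AD_CONF = """<ldap># LDAP server URL
       URL             ldap://dc1.domain.local
       BindDN          cn=BindUser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=local
       Password        BindUserPassWord
       Timeout         15
       # TLSEnable       no
       FollowReferrals no
       TLSCACertFile   /usr/local/etc/ssl/ca.pem
</ldap>
<authorization>
       BaseDN          "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=local"
       SearchFilter    "sAMAccountName=%u"
       RequireGroup    true
       <group>BaseDN          "OU=Security Groups,OU=MyBusiness,DC=domain,DC=local"
               SearchFilter    "CN=OpenVPNUsers"
               MemberAttribute member
               #PFTable        ips_vpn_eng</group></authorization>
"""

# Constructed hardened variant: LDAPS to the named host; the CA file above then
# pins the server certificate, and the group gate stays on.
HARDENED_CONF = AD_CONF.replace("ldap://dc1.domain.local", "ldaps://dc1.domain.local")

if __name__ == "__main__":
    for name, text in (("posted", AD_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for code, why in audit(parse_auth_ldap_conf(text)):
            print(f"  {code}: {why}")
```

Run against the posted config it reports CLEARTEXT_BIND and BIND_PASSWORD_IN_FILE; switching the URL to ldaps:// clears the first, and the second is a reminder to lock down the file rather than something the plugin can avoid.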



  • It would seem that in 1.2.3 Release, the gcc43 package lacks the required libobjc.so.2.

    # pkg_add -r gcc42
    # find / -name "*libobjc*"
    /usr/local/lib/gcc-4.2.5/libobjc.so.2
    /usr/local/lib/gcc-4.2.5/libobjc.so
    /usr/local/lib/gcc-4.2.5/libobjc.a
    # ln -s /usr/local/lib/gcc-4.2.5/libobjc.so.2 /usr/local/lib/libobjc.so.3
    
    # pkg_add -r openvpn-auth-ldap
    

    This also avoids the “libgssapi.so.9 not found” issue some other methods seem to produce.



  • Hi all,
    I've got a solution to this issue with the libgssapi problems. I'll post it back later tonight after I get a chance to write it up.



  • eureka,
    Any news on that solution? I have seen it a few times now, with no reason as to why it may or may not happen.



  • Here’s the simple solution.
    Install the following package. (from pfsense ssh/console)
    pkg_add -r heimdal
    Fix the link on your system.  (from pfsense ssh/console)
    ln -s /usr/local/lib/libgssapi.so.2 /usr/local/lib/libgssapi.so.9

    Restart your OpenVPN server. Make sure your connection to your LDAP server is setup correctly.
    I have this working now in a soon-to-be production system connecting to a currently production ldaps system.

    Explanation.
    For whatever reason the libgssapi package is not already installed and does not get installed on most systems using the “default” pfSense repositories set on your system. I did not want to change my repos, as it can mess up dependencies for other packages or things you have installed or will install later. This solution will work on a full, default-stock pfSense install of 1.2.3 stable.

    Full start-to-finish setup.
    http://fusionnetwork.us/index.php/component/content/article/15-general-tutorials/31-howto-setup-openvpn-with-ldap-integration-on-pfsense-123
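The libobjc.so.3 gap in the first post and the libgssapi.so.9 error above are the same class of problem: the plugin's dynamic dependencies are not satisfied by what pkg_add pulled in. As an added example (not code from the thread or from the openvpn-auth-ldap project), the Python below parses the OpenVPN PLUGIN_INIT log line and ldd output for the plugin, then lists already-installed libraries with the same name stem and flags when a symlink would cross a soname major version, as both of the thread's symlinks do. The sample log line, ldd output and file list are constructed from what is quoted in the thread; on the box, ldd /usr/local/lib/openvpn-auth-ldap.so and find / -name "*libobjc*" produce the real ones.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not code from the thread. It reads the two artefacts a missing
# shared library leaves behind on this kind of install: the OpenVPN PLUGIN_INIT log
# line and ldd(1) output for the plugin, then lists same-named libraries already on
# disk so the symlink decision is explicit rather than guessed.

# Wording of OpenVPN 2.0.x as pasted in the thread; the pasted copy carries curly
# quotes, so both quote styles are accepted.
_PLUGIN_ERR = re.compile(
    r'PLUGIN_INIT: could not load plugin shared object (?P<plugin>\S+): '
    r'Shared object ["“](?P<missing>[^"”]+)["”] not found, '
    r'required by ["“](?P<required_by>[^"”]+)["”]'
)

# ldd(1) line shapes: "libfoo.so.6 => /usr/local/lib/libfoo.so.6 (0x2809d000)"
# or "libfoo.so.9 => not found".
_LDD_LINE = re.compile(r'^\s*(?P<name>\S+)\s*=>\s*(?P<target>.+?)(?:\s+\(0x[0-9a-fA-F]+\))?\s*$')

# "libobjc.so.3" -> ("libobjc", 3); "libldap-2.4.so.6" -> ("libldap-2.4", 6)
_SONAME = re.compile(r'^(?P<stem>.+?)\.so(?:\.(?P<major>\d+))?(?:\..*)?$')


def parse_plugin_init_error(log_line: str) -> Optional[Dict[str, str]]:
    """Return plugin path, missing soname and the library that needs it, or None."""
    m = _PLUGIN_ERR.search(log_line)
    return m.groupdict() if m else None


def missing_from_ldd(ldd_output: str) -> List[str]:
    """Sonames that ldd could not resolve for the plugin."""
    return [
        m.group("name")
        for m in (_LDD_LINE.match(line) for line in ldd_output.splitlines())
        if m and m.group("target").strip() == "not found"
    ]


def soname_parts(path_or_name: str) -> Optional[Tuple[str, Optional[int]]]:
    """Split a library file name into (stem, major version); None if not a .so name."""
    m = _SONAME.match(path_or_name.rsplit("/", 1)[-1])
    if not m:
        return None
    major = m.group("major")
    return m.group("stem"), (int(major) if major is not None else None)


def same_stem_candidates(missing: str, installed: List[str]) -> List[Tuple[str, bool]]:
    """Installed libraries with the missing soname's stem; the flag is True only when
    the major version matches. False marks the kind of symlink the thread uses
    (libobjc.so.2 posing as libobjc.so.3): it may load, but the soname bump exists
    to signal an ABI change, so treat it as a workaround rather than a fix."""
    want = soname_parts(missing)
    if want is None:
        return []
    stem, major = want
    out = []
    for path in installed:
        got = soname_parts(path)
        if got and got[0] == stem and got[1] is not None:
            out.append((path, got[1] == major))
    return out


# Constructed sample input (modelled on the log line and the find(1) output in the thread).
SAMPLE_LOG = ('Apr 30 12:32:17 openvpn[6946]: PLUGIN_INIT: could not load plugin shared object '
              '/usr/local/lib/openvpn-auth-ldap.so: Shared object "libgssapi.so.9" not found, '
              'required by "libldap-2.4.so.6": Invalid argument (errno=22)')
SAMPLE_LDD = """/usr/local/lib/openvpn-auth-ldap.so:
\tlibldap-2.4.so.6 => /usr/local/lib/libldap-2.4.so.6 (0x2809d000)
\tlibgssapi.so.9 => not found
\tlibobjc.so.3 => not found
\tlibc.so.7 => /lib/libc.so.7 (0x280c1000)
"""
SAMPLE_INSTALLED = [
    "/usr/local/lib/gcc-4.2.5/libobjc.so.2",
    "/usr/local/lib/gcc-4.2.5/libobjc.so",
    "/usr/local/lib/gcc-4.2.5/libobjc.a",
    "/usr/local/lib/libgssapi.so.2",
]

if __name__ == "__main__":
    print(parse_plugin_init_error(SAMPLE_LOG))
    for soname in missing_from_ldd(SAMPLE_LDD):
        for path, abi_ok in same_stem_candidates(soname, SAMPLE_INSTALLED):
            print(f"{soname}: {path} ({'same major' if abi_ok else 'MAJOR MISMATCH'})")
```

Both workarounds in the thread (libobjc.so.2 presented as libobjc.so.3, libgssapi.so.2 as libgssapi.so.9) come out flagged: the major number in a soname is bumped precisely when the ABI changes, so a symlink across it loads but is not guaranteed to behave. Installing a package that provides the exact soname is the fix; the symlink is the stopgap.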



  • I am trying to add LDAP authentication to my current OpenVPN.

    For testing, I downloaded a VMware image of the 1.2.3 version of pfSense, configured a similar OpenVPN, and it works OK.

    I followed the steps in the eureka link (http://fusionnetwork.us/index.php/component/content/article/15-general-tutorials/31-howto-setup-openvpn-with-ldap-integration-on-pfsense-123), and it works OK without the plugin line.

    If I put in the plugin line

    plugin /usr/local/lib/openvpn-auth-ldap.so /usr/local/etc/openvpn-auth-ldap.conf
    

    then OpenVPN doesn't start:

    Apr 19 13:31:05 openvpn[1135]: OpenVPN 2.0.6 i386-portbld-freebsd7.2 [SSL] [LZO] built on Apr 16 2009
    Apr 19 13:31:03 openvpn[428]: SIGTERM[hard,] received, process exiting
    Apr 19 13:31:03 openvpn[428]: /etc/rc.filter_configure tun0 1500 1542 192.168.7.1 192.168.7.2 init
    Apr 19 13:31:03 openvpn[428]: event_wait : Interrupted system call (code=4)
    

    I don't understand what happened, but just to try, I changed openvpn-auth-ldap.so to openvpn-auth-pam.so and then OpenVPN starts, but authentication does not work.

    I installed all the packages eureka lists. Has anyone gotten OpenVPN working with LDAP using this tutorial?
    Why can't OpenVPN start?

    Thanks for your help.

    Regards.



  • That's an interesting error!
    Try reinstalling OpenVPN. That may solve the issue.

    From Command line run the following:
    pkg_add -r openvpn

    That should force a reinstall of the openvpn package and the packages it needs… Let me know if this fixes things for you.
    If not, I can try to create a vhost image for you to check out. It could possibly be something set up in the vhost image you are using.

    -E



  • eureka, thanks for your answer…

    I tried what you suggested, but I cannot reinstall openvpn

    # pkg_add -r openvpn
    Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/openvpn.tbz... Done.
    pkg_add: package 'openvpn-2.0.6_9' or its older version already installed
    #                                                                               
    

    I tried forcing the reinstall, but it always tells me the same

    # pkg_add -F -r openvpn
    Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/openvpn.tbz... Done.
    pkg_add: package 'openvpn-2.0.6_9' or its older version already installed (ignored)
    

    Btw, I tried to connect the client again in case something changed, but cannot…

    Can we try with the vhost you mentioned?

    Thanks in advance.

    Regards.



  • I'll see what I can do to get a vhost set up for you to play with.
    Do you prefer VMware or Xen?

    -E

    @federicoha:

    eureka, thanks for your answer…

    I tried what you suggested, but I cannot reinstall openvpn

    # pkg_add -r openvpn
    Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/openvpn.tbz... Done.
    pkg_add: package 'openvpn-2.0.6_9' or its older version already installed
    #                                                                               
    

    I tried forcing the reinstall, but it always tells me the same

    # pkg_add -F -r openvpn
    Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.2-release/Latest/openvpn.tbz... Done.
    pkg_add: package 'openvpn-2.0.6_9' or its older version already installed (ignored)
    

    Btw, I tried to connect the client again in case something changed, but cannot…

    Can we try with the vhost you mentioned?

    Thanks in advance.

    Regards.



  • VMware please, if you can.

    Thanks.



  • Hi,
    I've uploaded a virtual appliance of this here.

    www.fusionnetwork.us/tutorials/uploads/pfsense/PfSense_withOpenVPN_LDAP.zip

    This should work once you configure the LDAP side of things correctly. If you are still having problems, please post back. Also… sorry this took so long to upload… work is crazy o.0

    -E



  • Eureka, thanks for your time…

    I downloaded your appliance and it works OK; the only problem I have right now is with the connection to AD, but that is my problem now 🙂

    When I get it to work, I'll let you know…

    Thanks for your help again…



  • @federicoha:

    Eureka, thanks for your time…

    I downloaded your appliance and it works OK; the only problem I have right now is with the connection to AD, but that is my problem now 🙂

    When I get it to work, I'll let you know…

    Thanks for your help again…

    Glad to hear you got it working. If you keep having problems with the AD setup, let me know. I have a friend who has to work with AD a lot and might be useful 😃

    -E



  • Well :):)

    If your friend can help me, I'd really appreciate it.

    Does he need the error from the system log?

    Regards



  • @federicoha:

    Well :):)

    If your friend can help me, I'd really appreciate it.

    Does he need the error from the system log?

    Regards

    Yeah, any errors you have either on PF or in AD would be great!
    -E



  • Thanks a lot for this. I was able to get it working.
    However, I have observed some strange behavior.

    Setup
    ------

    • My setup has pfsense 1.2.3 & OpenDS 2.2 as ldap provider.
    • In ldap, I have base DN as “dc=baseorg,dc=com”.
    • There are two sub domains - “dc=orgone,dc=baseorg,dc=com”, “dc=orgtwo,dc=baseorg,dc=com”.
    • There's a user in each subdomain called “testuser”.
    • BaseDN in authorization section of the config is set to “dc=baseorg,dc=com”.
    • RequireGroup in authorization section of the config file is set to false

    Behavior - 1
    --------------
    Test: If I try to authenticate with testuser@baseorg.com
    Expected Behavior - Ideally auth should fail, as the user belongs to one of the sub-domains.
    Actual Behavior - User gets authenticated successfully.
    Question - Is this an expected behavior?

    Behavior - 2
    --------------
    Test: If I try to authenticate with junk values whatever@abcd.com
    Expected Behavior - Ideally auth should fail with an error message for incorrect username or domain.
    Actual Behavior - A line in openvpn log - Incorrect password supplied for LDAP DN “cn=testuser,dc=orgtwo,dc=baseorg,dc=com”.
    Question - How come “cn=testuser,dc=orgtwo,dc=baseorg,dc=com” is referred when the values are junk?



  • @chetansaundankar:

    Thanks a lot for this. I was able to get it working.
    However, I have observed some strange behavior.

    Setup
    ------

    • My setup has pfsense 1.2.3 & OpenDS 2.2 as ldap provider.
    • In ldap, I have base DN as “dc=baseorg,dc=com”.
    • There are two sub domains - “dc=orgone,dc=baseorg,dc=com”, “dc=orgtwo,dc=baseorg,dc=com”.
    • There's a user in each subdomain called “testuser”.
    • BaseDN in authorization section of the config is set to “dc=baseorg,dc=com”.
    • RequireGroup in authorization section of the config file is set to false

    Behavior - 1
    --------------
    Test: If I try to authenticate with testuser@baseorg.com
    Expected Behavior - Ideally auth should fail, as the user belongs to one of the sub-domains.
    Actual Behavior - User gets authenticated successfully.
    Question - Is this an expected behavior?

    Behavior - 2
    --------------
    Test: If I try to authenticate with junk values whatever@abcd.com
    Expected Behavior - Ideally auth should fail with an error message for incorrect username or domain.
    Actual Behavior - A line in openvpn log - Incorrect password supplied for LDAP DN “cn=testuser,dc=orgtwo,dc=baseorg,dc=com”.
    Question - How come “cn=testuser,dc=orgtwo,dc=baseorg,dc=com” is referred when the values are junk?

    Hi!
    1. With the current setup that is the expected behavior. You have to modify the LDAP strings to make them exclude all other sections when running a lookup. I may have this set up somewhere. I'll see if I've got an example.
    2. I know it seems annoying that it references the LDAP DN when a user’s auth fails, but I think that has more to do with the plugin used. It references the DN as it is possible to have more than one DN. This way, if you had users in different groups/areas you are trying to auth them from, it would reference the correct location of the user to make it easier to track down.



  • I'm not sure how valid my example is… this is from a system on which I was at one time running LDAP auth for VPN.

    Look at this section of your /usr/local/etc/openvpn-auth-ldap.conf file

     <authorization>
            # Base DN
            BaseDN          "ou=YourDomain,dc=hjs,dc=local"

            # User Search Filter
            SearchFilter    "(&(uid=%u))"

            # Require Group Membership
            RequireGroup    false

            # Add non-group members to a PF table (disabled)
            #PFTable        ips_vpn_users

            <group>
                    BaseDN          "ou=YourDomain,dc=hjs,dc=local"
                    SearchFilter    "ou=users"
                    MemberAttribute uniqueMember
                    # Add group members to a PF table (disabled)
                    #PFTable        ips_vpn_eng
            </group>
     </authorization>
    
    

    Take note of the:

    # User Search Filter
            SearchFilter    "(&(uid=%u))"
    and
            SearchFilter    "ou=users"

    sections… Make sure this is a filter that will work for the group you want to authenticate users from.

    I hope this helps. If you are still having problems, let me know and I will see if I can dig up any other examples.



  • @eureka, thanks for the suggestions.
    I will try out your suggestions and get back to you with the results.

    Before I try them out though, I would like to tell you that the sub-domain to search in is not known at deployment time. Sub-domains and the users in them are being added dynamically; there could be hundreds of sub-domains in one root domain, so fixing the group BaseDN won't be possible. I had commented out the <group>…</group> section completely when I tested.

    Also, I would like to know what exactly “%u” does in the filter (&(uid=%u)).
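On the %u question: in an openvpn-auth-ldap SearchFilter, %u is the placeholder the plugin replaces with the username the client sends through auth-user-pass, so (&(uid=%u)) becomes (&(uid=testuser)) for a user who types testuser. The added example below (not code from the thread or from the plugin project) shows that substitution, and the RFC 4515 escaping that any code substituting a client-supplied value into an LDAP filter must apply; whether the plugin itself escapes is not discussed in this thread, so the comparison is about filter syntax, not a claim about the plugin. The AD_FILTER_UPN template is a constructed generalisation for Active Directory that accepts either the short logon name or the UPN, which is how users in the thread were typing their names.

```python
# Added example, not from the thread: what the "%u" placeholder in an
# openvpn-auth-ldap SearchFilter expands to, and the RFC 4515 escaping that any
# code substituting a client-supplied username into an LDAP filter must apply.

# RFC 4515 section 3: characters that change a filter's meaning when they appear
# unescaped inside an assertion value, and their escaped forms.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(template: str, username: str, escape: bool = True) -> str:
    """Replace every %u with the username the VPN client sent via auth-user-pass.
    escape=False shows what the filter becomes if no escaping is applied."""
    value = escape_filter_value(username) if escape else username
    return template.replace("%u", value)


def component_count(filter_str: str) -> int:
    """Number of parenthesised components in a filter: a cheap way to see when an
    unescaped username has added clauses the administrator never wrote."""
    return filter_str.count("(")


# Templates from the thread: the OpenDS one and the Active Directory one.
OPENDS_FILTER = "(&(uid=%u))"
AD_FILTER = "(sAMAccountName=%u)"
# Constructed generalisation for AD: accept either the short logon name or the UPN
# (testuser or testuser@baseorg.com).
AD_FILTER_UPN = "(|(sAMAccountName=%u)(userPrincipalName=%u))"

if __name__ == "__main__":
    for user in ("testuser", "testuser@baseorg.com", "*", "x)(uid=*"):
        print(f"{user!r:24} -> {render_search_filter(OPENDS_FILTER, user)}")
        print(f"{'':24}    unescaped: {render_search_filter(OPENDS_FILTER, user, escape=False)}")
    print(render_search_filter(AD_FILTER_UPN, "testuser@baseorg.com"))
```

The directory evaluates exactly the string it receives: an unescaped * turns the equality match into a presence match, and an unescaped )( lets the value add components to the filter; escaped, both are matched as literal characters and the component count stays what the template had.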



© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy