OpenVPN + LDAP doesn't work
-
I read all the posts in the forum to make my OpenVPN authenticate with LDAP (AD W2K3).
- pfSense 1.2.3-PRERELEASE-TESTING-VERSION VMware appliance
- OpenVPN working (tested, connects OK without problems)
IP of pfSense: 192.168.168.143
IP of AD: 192.168.0.1
I followed these steps (http://forum.pfsense.org/index.php/topic,14946.0.html):
#setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/
#pkg_add -r openvpn-auth-ldap (installs OK)
#pkg_add -r gcc43 (warnings during install)
#pkg_add -r gmake (says a lower version already exists)
#pkg_add -r texinfo (says a lower version already exists)
This symlink didn't work for me; well, it let me create it, but it is incorrect because gcc-4.3.4 doesn't exist:
#ln -s /usr/local/lib/gcc-4.3.4/libobjc.so.2 /usr/local/lib/libobjc.so.3
I had to modify it to:
#ln -s /usr/local/lib/gcc43/libobjc.so.2 /usr/local/lib/libobjc.so.3
Then I created /usr/local/etc/openvpn-auth-ldap.conf and put my configuration in it:
<ldap>
# LDAP server URL
URL ldap://ar.local:389
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN CN=userTest,CN=Users,DC=ar,DC=local
# Bind Password
Password userTestPassword
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
# TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals no
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</ldap>
<authorization>
# Base DN
BaseDN "CN=Users,DC=ar,DC=local"
# User Search Filter
SearchFilter "sAMAccountName=%u"
# Require Group Membership
RequireGroup true
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<group>
BaseDN "CN=Users,DC=ar,DC=local"
SearchFilter "CN=Users"
MemberAttribute Member
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</group>
</authorization>
Finally, I put this line in the OpenVPN server config:
plugin /usr/local/lib/openvpn-auth-ldap.so /usr/local/etc/openvpn-auth-ldap.conf
Save the configuration and look at the log:
Nov 19 11:48:44 openvpn[2151]: OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Feb 10 2009
I guess the VPN starts correctly.
Client config:
float
port 1194
dev tun
dev-node Ovpn
proto tcp-client
remote 192.168.168.143 1194
auth-user-pass
auth-nocache
ping 10
persist-tun
persist-key
tls-client
ca ca.crt
cert xxx.crt
key xxx.key
ns-cert-type server
comp-lzo
pull
verb 4
When I connect with the client, it starts with all those lines, I enter a username and password, then it
continues and I get this:
Thu Nov 19 11:05:54 2009 us=218000 Attempting to establish TCP connection with 192.168.168.143:1194
Thu Nov 19 11:06:15 2009 us=296000 TCP: connect to 192.168.168.143:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
In the pfSense log > OpenVPN, no new row is added.
OK, I have a problem, but I don't know what problem.
1. I use
ldapsearch -h 192.168.0.1 -p 389 -D 'cn=userTest,cn=users,dc=ar,dc=local' -W -x -b 'dc=ar,dc=local'
and connect successfully to AD:
# numResponses: 444 # numEntries: 440 # numReferences: 3
Searching on Google, I found something like testplugin in the src of openvpn-auth-ldap; this can be used to test the connection to the VPN without OpenVPN.
But I don't know much about BSD, and I get this:
# cd /root/
# cd auth-ldap-2.0.3
# cd /sbin/
# cd /root/auth-ldap-2.0.3/src/
# ./testplugin.c /usr/local/etc/openvpn-auth-ldap.cfg
./testplugin.c: /COPYRIGHT: Permission denied
LFAuthLDAPConfig.h: not found
LFAuthLDAPConfig.h: not found
LFAuthLDAPConfig.h: not found
./testplugin.c: 5: Syntax error: "(" unexpected
Well, the problem is that I cannot test the connection, and it's worse since I don't know much about BSD, so if you can give me some clue or a place to start investigating, it will be appreciated.
Regards.
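An added example, not code from the post above or from the openvpn-auth-ldap project: a small Python script that parses an openvpn-auth-ldap.conf in the format posted, substitutes the `%u` placeholder with a username the way the plugin would, and prints both the LDAP operations the plugin performs for one login attempt and an equivalent `ldapsearch` command line that can be run from the pfSense shell to test the directory side without OpenVPN. The sample config is the poster's own configuration reproduced from the post (the `ar.local` host, the `userTest` bind account and its password are the poster's placeholders). The step sequence (service-account bind, user search, user bind, optional group check) is my reading of the plugin's documentation and is an assumption; the username is escaped per RFC 4515 before substitution so that a name containing `*`, `(` or `)` cannot widen or break the filter.

```python
"""Added example (not from the thread or the openvpn-auth-ldap project).
Parses an openvpn-auth-ldap.conf, shows what the plugin will ask the
directory for a given username, and builds an ldapsearch command that
reproduces the user lookup outside OpenVPN. Runs fully offline."""
import re
import shlex
from urllib.parse import urlsplit

# Reproduced from the post above (poster's placeholder host, account and password).
SAMPLE_CONF = """
<ldap>
# LDAP server URL
URL ldap://ar.local:389
BindDN CN=userTest,CN=Users,DC=ar,DC=local
Password userTestPassword
Timeout 15
FollowReferrals no
</ldap>
<authorization>
BaseDN "CN=Users,DC=ar,DC=local"
SearchFilter "sAMAccountName=%u"
RequireGroup true
#PFTable ips_vpn_users
<group>
BaseDN "CN=Users,DC=ar,DC=local"
SearchFilter "CN=Users"
MemberAttribute Member
</group>
</authorization>
"""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter, so a
    username such as 'j*doe)' cannot widen or break the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def parse_auth_ldap_conf(text: str) -> dict:
    """Return {'ldap': {...}, 'authorization': {...}, 'authorization/group': {...}}.
    Lines beginning with '#' are comments; <section> ... </section> blocks nest."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tag = re.fullmatch(r'<(/?)(\w+)>', line)
        if tag:
            if tag.group(1):
                stack.pop()
            else:
                stack.append(tag.group(2))
            continue
        parts = line.split(None, 1)                     # "Key value with spaces"
        value = parts[1].strip().strip('"') if len(parts) > 1 else ''
        sections.setdefault('/'.join(stack), {})[parts[0]] = value
    return sections


def plan_auth(cfg: dict, username: str) -> list:
    """Operations performed for one auth-user-pass attempt (assumed sequence:
    service bind, user search, user bind, optional group membership check)."""
    ldap, auth = cfg['ldap'], cfg['authorization']
    safe_user = escape_filter_value(username)
    steps = [
        ('bind', ldap['BindDN']),                                   # service-account bind
        ('search', auth['BaseDN'], auth['SearchFilter'].replace('%u', safe_user)),
        ('bind', '<DN returned by search>'),                        # user's own bind, VPN password
    ]
    if auth.get('RequireGroup', 'false').lower() == 'true':
        grp = cfg['authorization/group']
        steps.append(('group-search', grp['BaseDN'],
                      grp['SearchFilter'].replace('%u', safe_user),
                      grp['MemberAttribute']))                      # user DN must appear here
    return steps


def ldapsearch_command(cfg: dict, username: str) -> list:
    """argv for an ldapsearch that repeats the plugin's user lookup (-W prompts
    for the bind password instead of placing it on the command line)."""
    url = urlsplit(cfg['ldap']['URL'])
    user_filter = cfg['authorization']['SearchFilter'].replace(
        '%u', escape_filter_value(username))
    return ['ldapsearch', '-x', '-H', f'{url.scheme}://{url.hostname}:{url.port or 389}',
            '-D', cfg['ldap']['BindDN'], '-W',
            '-b', cfg['authorization']['BaseDN'], user_filter, 'dn']


if __name__ == '__main__':
    conf = parse_auth_ldap_conf(SAMPLE_CONF)
    for step in plan_auth(conf, 'jdoe'):
        print(step)
    print(' '.join(shlex.quote(a) for a in ldapsearch_command(conf, 'jdoe')))
```

If the printed `ldapsearch` returns exactly one `dn:` line for a real account, repeat it with `-D <that DN> -W -b <that DN> -s base` and the user's password to check the second bind; if either step fails on the shell, it will fail inside the plugin as well, independent of the OpenVPN transport.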
-
Anyone... :)
If you give me a hint, I'll try the rest...
Regards.
-
What protocol did you specify on the server?
The default is UDP, but I see you have TCP in your client config (which is a bad idea, btw).
-
Hi, if I understand you...
"What protocol did you specify on the server?"
AD: LDAP
OpenVPN server: TCP
"The default is UDP, but I see you have TCP in your client config (which is a bad idea, btw)."
On my pfSense in production I use TCP; the configuration you see is only for testing in a virtual machine, but I'll take your suggestion.
Any idea?
Regards