OpenVPN with LDAP over TLS (ldaps)

OpenVPN using the openvpn-auth-ldap plugin

I have a running LDAP server (ApacheDS):

Open/clear - ldap://server.example.com:10399

Encrypted - ldaps://server.example.com:10686

I can connect and authenticate fine over plaintext (unencrypted), but I can't seem to get it to talk to the server over TLS.

I connect to this server over TLS from various other systems (our code base, jenkins, etc.), all of which authenticate via the encrypted ldaps protocol on port 10686, so I know the server responds fine over TLS. It uses a self-signed certificate, but so far that hasn't been a problem for the other services connecting to it.

Based on the log files below, it appears that the TLSEnable directive triggers the StartTLS function, which I don't need. I tried using it anyway...

Different configurations I have tried:

Works: (unencrypted)

<LDAP>
        URL             ldap://server.example.com:10399
        Timeout         10
        TLSEnable       no
        FollowReferrals yes
</LDAP>

Doesn't work:

<LDAP>
        URL             ldaps://server.example.com:10686
        Timeout         10
        TLSEnable       yes
        FollowReferrals yes
</LDAP>

Log:

Nov 28 18:05:47 openvpn1 ovpn-server[3282]: Unable to enable STARTTLS: Can't contact LDAP server
Nov 28 18:05:47 openvpn1 ovpn-server[3282]: LDAP connect failed.
Nov 28 18:05:47 openvpn1 ovpn-server[3282]: x.x.x.x:19939 PLUGIN_CALL: POST /etc/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Nov 28 18:05:47 openvpn1 ovpn-server[3282]: x.x.x.x:19939 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/openvpn-auth-ldap.so
Nov 28 18:05:47 openvpn1 ovpn-server[3282]: x.x.x.x:19939 TLS Auth Error: Auth Username/Password verification failed for peer
Nov 28 18:05:47 openvpn1 ovpn-server[3282]: x.x.x.x:19939 SIGTERM[soft,auth-control-exit] received, client-instance exiting

Also doesn't work:

<LDAP>
        URL             ldaps://server.example.com:10686
        Timeout         10
        TLSEnable       no
        FollowReferrals yes
</LDAP>

Log:

Nov 28 18:17:42 openvpn1 ovpn-server[3412]: LDAP search failed: Can't contact LDAP server ((unknown error code))
Nov 28 18:17:42 openvpn1 ovpn-server[3412]: LDAP user "myuser" was not found.
Nov 28 18:17:42 openvpn1 ovpn-server[3412]: x.x.x.x:20248 PLUGIN_CALL: POST /etc/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Nov 28 18:17:42 openvpn1 ovpn-server[3412]: x.x.x.x:20248 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/openvpn-auth-ldap.so
Nov 28 18:17:42 openvpn1 ovpn-server[3412]: x.x.x.x:20248 TLS Auth Error: Auth Username/Password verification failed for peer

Also doesn't work:

<LDAP>
        URL             ldap://server.example.com:10686
        Timeout         10
        TLSEnable       yes
        FollowReferrals yes
</LDAP>

Log:

Nov 28 18:02:47 openvpn1 ovpn-server[3232]: Unable to enable STARTTLS: Can't contact LDAP server
Nov 28 18:02:47 openvpn1 ovpn-server[3232]: LDAP connect failed.
Nov 28 18:02:47 openvpn1 ovpn-server[3232]: x.x.x.x:22910 PLUGIN_CALL: POST /etc/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Nov 28 18:02:47 openvpn1 ovpn-server[3232]: x.x.x.x:22910 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/openvpn-auth-ldap.so
Nov 28 18:02:47 openvpn1 ovpn-server[3232]: x.x.x.x:22910 TLS Auth Error: Auth Username/Password verification failed for peer
Nov 28 18:02:48 openvpn1 ovpn-server[3232]: x.x.x.x:22910 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384
Nov 28 18:02:48 openvpn1 ovpn-server[3232]: x.x.x.x:22910 Peer Connection Initiated with [AF_INET]108.47.9.178:22910
Nov 28 18:02:48 openvpn1 ovpn-server[3232]: x.x.x.x:22910 SIGTERM[soft,auth-control-exit] received, client-instance exiting

Also doesn't work:

<LDAP>
        URL             ldap://server.example.com:10686
        Timeout         10
        TLSEnable       no
        FollowReferrals yes
</LDAP>

Log:

Nov 28 18:21:07 openvpn1 ovpn-server[3462]: LDAP search failed: Can't contact LDAP server
Nov 28 18:21:07 openvpn1 ovpn-server[3462]: LDAP user "myuser" was not found.
Nov 28 18:21:07 openvpn1 ovpn-server[3462]: x.x.x.x:2946 PLUGIN_CALL: POST /etc/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Nov 28 18:21:07 openvpn1 ovpn-server[3462]: x.x.x.x:2946 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/openvpn-auth-ldap.so
Nov 28 18:21:07 openvpn1 ovpn-server[3462]: x.x.x.x:2946 TLS Auth Error: Auth Username/Password verification failed for peer
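
The four configurations above differ only in the URL scheme and the TLSEnable flag, so the failures can be sorted by which TLS mode each combination actually selects. The following script is an added example written for this page; it is not code from the question or from the openvpn-auth-ldap project. It parses an `<LDAP>` block, classifies the scheme/TLSEnable combination, emits a corrected block, and optionally probes the ldaps port with the standard-library `ssl` module to show whether the TLS handshake or the certificate check is what fails. Assumptions: `TLSCACertFile` and `TLSCACertDir` are the plugin's own options for trusting a CA (they appear in the plugin's sample configuration); with OpenLDAP client libraries an untrusted server certificate typically surfaces as "Can't contact LDAP server"; the CA path `/etc/ssl/ldap-ca.pem` is a placeholder.

```python
"""Classify an openvpn-auth-ldap <LDAP> block's TLS mode and probe an ldaps port.

Added example for this page; not the plugin's own code. TLSCACertFile and
TLSCACertDir are assumed to be the plugin's CA-trust options (they appear in its
sample config); the CA file path used below is a placeholder.
"""
import hashlib
import re
import socket
import ssl
import sys

# Constructed sample: the question's "ldaps:// + TLSEnable yes" block.
SAMPLE_CONFIG = """
<LDAP>
        URL             ldaps://server.example.com:10686
        Timeout         10
        TLSEnable       yes
        FollowReferrals yes
</LDAP>
"""

PLACEHOLDER_CA = "/etc/ssl/ldap-ca.pem"  # placeholder path, not from the page


def parse_ldap_block(text):
    """Return the key/value pairs inside <LDAP> ... </LDAP> as a dict."""
    match = re.search(r"<LDAP>(.*?)</LDAP>", text, re.S)
    if not match:
        raise ValueError("no <LDAP> block found")
    opts = {}
    for line in match.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # key, then the rest (tabs or spaces)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def check_tls_mode(opts):
    """Map URL scheme + TLSEnable to the TLS mode the plugin will actually use.

    Returns (status, explanation). 'ok' is ldaps:// with a CA to trust;
    everything else reproduces one of the failure modes seen in the logs.
    """
    scheme = opts.get("URL", "").split("://", 1)[0].lower()
    tls_enable = opts.get("TLSEnable", "no").strip().lower() == "yes"
    has_ca = "TLSCACertFile" in opts or "TLSCACertDir" in opts
    if scheme == "ldap" and tls_enable:
        return ("starttls", "plain LDAP connection upgraded with StartTLS; "
                "pointing this at an ldaps-only port fails before StartTLS")
    if scheme == "ldaps" and tls_enable:
        return ("conflict", "ldaps:// already negotiates TLS; TLSEnable yes "
                "then issues StartTLS on top of it, which the server rejects")
    if scheme == "ldaps" and not has_ca:
        return ("missing-ca", "ldaps:// without TLSCACertFile/TLSCACertDir: a "
                "self-signed server certificate is not trusted by the client")
    if scheme == "ldaps":
        return ("ok", "ldaps:// with TLSEnable no and a trusted CA")
    return ("plaintext", "no TLS: credentials cross the network in the clear")


def render_corrected(opts, cafile=PLACEHOLDER_CA):
    """Return an <LDAP> block that uses ldaps:// and trusts the server's CA."""
    host_port = opts.get("URL", "").split("://", 1)[-1]
    fixed = dict(opts, URL="ldaps://" + host_port, TLSEnable="no",
                 TLSCACertFile=cafile)
    body = "".join("        %-15s %s\n" % (k, v) for k, v in fixed.items())
    return "<LDAP>\n" + body + "</LDAP>\n"


def probe_ldaps(host, port, cafile=None, timeout=5.0):
    """TLS-handshake with an ldaps port and report the outcome as a dict.

    Distinguishes 'unreachable' (TCP), 'tls-verify-failed' (untrusted or
    mismatched certificate) and 'ok' (handshake done; fingerprint returned so
    the operator can compare it with the CA they intend to trust).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return {"result": "ok", "protocol": tls.version(),
                        "sha256": hashlib.sha256(der).hexdigest()}
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError: first
        return {"result": "tls-verify-failed", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        return {"result": "tls-error", "detail": str(exc)}
    except OSError as exc:  # refused, timed out, unresolvable host
        return {"result": "unreachable", "detail": str(exc)}


if __name__ == "__main__":
    opts = parse_ldap_block(SAMPLE_CONFIG)
    print(check_tls_mode(opts))
    print(render_corrected(opts))
    if len(sys.argv) == 3:  # usage: script.py HOST PORT [CAFILE via env not needed]
        print(probe_ldaps(sys.argv[1], int(sys.argv[2])))
```

Run it with a host and port to see whether the ldaps endpoint answers at all and whether the default trust store accepts its certificate; a `tls-verify-failed` result with a self-signed server is the case `TLSCACertFile` exists for, and trusting the specific CA file is the fix to prefer over switching off verification in the client library.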
