I want to use an OpenVPN server to provide an SSL VPN service to clients, and I want to use LDAP authentication for authorizing the clients.
I prepared the definitions published on the internet; the SSL VPN tunnel is established successfully without LDAP authorization.
When I turn LDAP authorization on, it gives the "Invalid credentials" error shown in the log below.
I can see that OpenVPN and Active Directory link up successfully for the LDAP search. But in the password authorization part, although the password is correct, I get a wrong-password log.
In my research I found that people who ran into similar situations used some code snippets for the LDAP search. When I applied a similar approach, I still got the same error.
So I don't know whether I am hitting a similar bug. I have shared the server, LDAP and client definitions at the bottom. I am trying to understand what the error I am getting is.
My guess is that the password is not being transmitted correctly to the Active Directory side, but I cannot find how to detect that.
I got no results from my searches on the internet, only talk of search results.
I would appreciate it if someone could guide me on how to solve this.
Server version / OS:
debian based linux
openvpn --version
OpenVPN 2.4.0 [git:HEAD/d119a5983835297a+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jan 31 2019
library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <[email protected]>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no
Client version / OS:
Windows 10
OpenVPN Connect 2.7.1.104
Active Directory OS:
Windows Server 12 r2 (MS server 2016)
OpenVPN log:
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 TLS: Initial packet from [AF_INET]81.81.10.12:63438, sid=99840e06 2fc28386
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=Fort-Funston_CA/name=EasyRSA/[email protected]
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=MyOrganizationalUnit/CN=ovpnClient/name=EasyRSA/[email protected]
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_GUI_VER=ovpnmi_1.0.0
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_VER=3.2__qa:d87f5bbc04)
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_PLAT=win
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_NCP=2
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_TCPNL=1
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: IV_PROTO=2
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: UV_ASCLI_VER=2.7.1.104
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 peer info: UV_PLAT_REL=Windows_10_Enterprise_6.3.18363
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580)
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: Incorrect password supplied for LDAP DN "CN=user1,CN=Users,DC=izmir,DC=com,DC=tr".
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 TLS Auth Error: Auth Username/Password verification failed for peer
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1557'
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 [ovpnClient] Peer Connection Initiated with [AF_INET]81.81.10.12:63438
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 PUSH: Received control message: 'PUSH_REQUEST'
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 Delayed exit in 5 seconds
May 23 14:51:13 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 SENT CONTROL [ovpnClient]: 'AUTH_FAILED' (status=1)
May 23 14:51:19 MSRVR openvpn-vtun0[1766]: 81.81.10.12:63438 SIGTERM[soft,delayed-exit] received, client-instance exiting
Server config:
verb 3
status /opt/whynot/etc/openvpn/status/vtun0.status 30
writepid /var/run/openvpn/vtun0.pid
daemon openvpn-vtun0
dev-type tun
dev vtun0
user openvpn
group openvpn
persist-key
iproute /usr/libexec/vyos/system/unpriv-ip
proto udp
persist-tun
mode server
tls-server
keepalive 10 30
management /tmp/openvpn-mgmt-intf unix
push "route 10.100.110.0 255.255.255.0"
server 192.168.168.0 255.255.255.0
ca /config/auth/ovpn/4ldaptest/ca.crt
cert /config/auth/ovpn/4ldaptest/ovpnServer.crt
key /config/auth/ovpn/4ldaptest/ovpnServer.key
dh /config/auth/ovpn/4ldaptest/dh2048.pem
compress lzo
cipher aes-256-cbc
compat-names
--plugin /usr/lib/openvpn/openvpn-auth-ldap.so /config/auth/ovpn/auth-ldap-test.conf
--mssfix
LDAP plugin config:
<LDAP>
# LDAP server URL
URL ldap://192.168.33.11
# Bind DN (If your LDAP server doesn’t support anonymous binds)
BindDN CN=user1,CN=users,DC=izmir,DC=com,DC=tr
# Bind Password
Password P1w2DkyW
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
</LDAP>
<Authorization>
BaseDN "DC=izmir,DC=com,DC=tr"
SearchFilter "sAMAccountName=%u"
RequireGroup false
</Authorization>
Client config:
client
proto udp
dev tun
remote 81.99.81.33 1194
auth-user-pass
auth-retry interact
cert ovpnClient.crt
key ovpnClient.key
ca ca.crt
Answer 1
The log shows the LDAP bind failing, so it never gets as far as evaluating the user's credentials.
The BindDN looks odd: BindDN CN=user1,CN=users,DC=izmir,DC=com,DC=tr
As a guess, perhaps it should be: BindDN CN=user1,OU=users,DC=izmir,DC=com,DC=tr
I suggest verifying the account's DN. Substituting CN for OU in the BindDN would produce the observed behaviour. Otherwise, verify the credentials.
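An added troubleshooting helper, not part of the question or the answer above: it decodes the Active Directory subcode (`data 52e`) that the openvpn-auth-ldap plugin passes through in its "LDAP bind failed" line, and it reproduces the plugin's two simple binds by hand with ldapwhoami so each can be checked separately. It assumes ldap-utils is installed on the OpenVPN host; the URL and DN in the commented usage line are the ones from the posted config, and the sample log line is a copy of the one in the question.

```shell
#!/bin/sh
# Decode AD "AcceptSecurityContext error, data NNN" subcodes and reproduce the
# two binds openvpn-auth-ldap performs (service account, then the VPN user).
# Added example; not code from the question, the answer or the plugin.

# Map an AD bind subcode to its meaning. The table is Microsoft's documented
# list of AcceptSecurityContext data values; anything else is reported as unknown.
ad_subcode_meaning() {
    case "$1" in
        525) echo "user not found";;
        52e) echo "invalid credentials: DN exists, password rejected";;
        530) echo "logon not permitted at this time (logon hours)";;
        531) echo "logon not permitted from this workstation";;
        532) echo "password expired";;
        533) echo "account disabled";;
        701) echo "account expired";;
        773) echo "user must change password at next logon";;
        775) echo "account locked out";;
        *)   echo "unknown subcode '$1'";;
    esac
}

# Extract the hex subcode ("data 52e") from an openvpn/plugin log line or from
# ldapwhoami's stderr. Prints nothing if no AD extended error is present.
ad_subcode_from_log() {
    printf '%s\n' "$1" |
        sed -n 's/.*AcceptSecurityContext error, data \([0-9a-fA-F]*\),.*/\1/p'
}

# Simple bind as one DN, exactly as the plugin does (TLSEnable no => -x over
# ldap://). The password is prompted (-W) so it never lands in argv or shell
# history. Returns 0 on success, 1 with the decoded AD reason on failure.
ldap_bind_check() {
    url=$1; dn=$2
    if out=$(ldapwhoami -x -H "$url" -D "$dn" -W 2>&1); then
        echo "bind OK: $out"
        return 0
    fi
    code=$(ad_subcode_from_log "$out")
    if [ -n "$code" ]; then
        echo "bind FAILED: AD data $code: $(ad_subcode_meaning "$code")"
    else
        echo "bind FAILED: $out"
    fi
    return 1
}

# Constructed sample: the bind-failure line from the question's log.
SAMPLE='May 23 14:51:13 MSRVR openvpn-vtun0[1766]: LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580)'

code=$(ad_subcode_from_log "$SAMPLE")
echo "log subcode $code: $(ad_subcode_meaning "$code")"

# Manual reproduction against the directory in the posted config (needs network):
# 1) the service bind, with the plugin's Password;
# 2) the user bind, with the password typed into the OpenVPN Connect client.
# ldap_bind_check ldap://192.168.33.11 "CN=user1,CN=Users,DC=izmir,DC=com,DC=tr"
```

Two things the decoded line tells you. First, `data 52e` is AD's "the DN exists but the password is wrong"; a bad BindDN would come back as `525` (user not found) or as an operations/no-such-object error instead. Second, the next log line names the user's full DN, which the plugin only has after its search succeeded, so the service-account bind and the search worked and it is the second bind, as the VPN user with the password the client sent, that was refused. Running both binds through `ldap_bind_check` with the same password separates the two cases. With `TLSEnable no` and a plain `ldap://` URL, both binds (and the `Password` from the plugin config) cross the network in clear text on tcp/389, so a packet capture between the OpenVPN host and 192.168.33.11 shows exactly what password reached the directory, which answers the "how do I detect it" part of the question; that same fact is why StartTLS or LDAPS should be turned on once authentication works.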