wheelybird/openvpn-server-ldap-otp

Unable to use LDAP authentication

ramondeklein opened this issue · 3 comments

I ran this OpenVPN docker image successfully, but I needed to reinstall docker and probably fetched a newer image. I kept the certificates, but during registration I see the following error:

openvpn_1  | AUTH-PAM: BACKGROUND: user 'r.deklein' failed to authenticate: Authentication service cannot retrieve authentication info
openvpn_1  | Mon Nov 18 22:11:32 2019 82.197.209.84:50663 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
openvpn_1  | Mon Nov 18 22:11:32 2019 82.197.209.84:50663 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
openvpn_1  | Mon Nov 18 22:11:32 2019 82.197.209.84:50663 TLS Auth Error: Auth Username/Password verification failed for peer

I try to log on with 'r.deklein', which worked fine in the past, but with the latest version it doesn't seem to work anymore. Nothing has changed on the AD part. I am not sure whether it cannot log on with the BIND user or whether it cannot verify the actual user...

These are my environment variables:

     - OVPN_SERVER_CN=openvpn.crosspoint.nl
     - OVPN_PROTOCOL=tcp
     - OVPN_DNS_SERVERS=192.168.80.10
     - OVPN_DNS_SEARCH_DOMAIN=crosspoint.local
     - LDAP_URI=ldap://192.168.80.10:389
     - LDAP_BASE_DN=DC=crosspoint,DC=local
     - LDAP_BIND_USER_DN=CN=TeamCity | Cross Point,OU=Crosspoint Service Accounts,DC=crosspoint,DC=local
     - LDAP_BIND_USER_PASS=removed-for-security
     - LDAP_LOGIN_ATTRIBUTE=sAMAccountName
     - LDAP_FILTER=memberOf=CN=Crosspoint OpenVpn Users,OU=Crosspoint Security Groups,DC=crosspoint,DC=local

I have tried to get this to work again for the past 5 hours, but haven't got any further.

PS: Why can we only use the latest version? I would rather fix it to a certain version. Maybe something changed in the docker image (the previous was configured around August 2019). I needed to pull the latest image because of a Docker re-install.

It seemed that the filter was wrong. It used to work in previous versions, but now I needed to change the LDAP_FILTER to `(&(|(objectclass=person))(|(|(memberof=CN=Crosspoint OpenVpn Users,OU=Crosspoint Security Groups,DC=crosspoint,DC=local)(primaryGroupID=1396))))`

Hi. Sorry to hear you had so much trouble with the newer version. I moved from pam_ldap to nss-pam-ldapd because it's better documented, has more features and is under active development.
The filter option was tested before pushing the new version (using a memberof filter too), though the filter I tested was in brackets: `LDAP_FILTER=(memberOf=cn=vpnusers,ou=groups,dc=example,dc=org)`. I've just been testing the filter function and I've found that without brackets nslcd complains that the filter is invalid.
Could you try again with `LDAP_FILTER=(memberOf=CN=Crosspoint OpenVpn Users,OU=Crosspoint Security Groups,DC=crosspoint,DC=local)`?
I'll update the README to reference the nss-pam-ldapd filter docs.
With regards to fixed versions, you're quite right. I'll look into doing that.

It seems to work fine. I do have a suggestion to make debugging a bit easier. In the entrypoint script, it is also possible to replace `nslcd` with `nslcd -d &` or `nslcd -dd &`. This enables debug output from nslcd to be written to the docker logs.

You may consider adding an LDAP_LOGLEVEL environment variable and, based on this variable, emitting one of the debug lines instead. I needed this log level to find out what was wrong. Just a suggestion, and thanks for the great work with this docker image.
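The two points raised in this thread, the bracket requirement nslcd places on LDAP_FILTER and the suggested LDAP_LOGLEVEL switch for `nslcd -d`/`-dd`, as an added example of how an entrypoint could handle both. This is illustrative code, not the image's own entrypoint; it assumes LDAP_FILTER is mapped onto nslcd.conf's `filter passwd` option and that LDAP_LOGLEVEL is a hypothetical variable taking 0, 1 or 2.

```shell
#!/bin/sh
# Added example; not the wheelybird/openvpn-server-ldap-otp entrypoint.

# nslcd rejects a search filter that is not enclosed in parentheses, so a bare
# "attr=value" expression (which the older pam_ldap setup accepted) is wrapped.
# Unbalanced parentheses are rejected here instead of failing later inside nslcd.
normalize_ldap_filter() {
  f=$1
  case "$f" in
    "")    f='(objectClass=*)' ;;   # no filter given: match every entry
    \(*\)) ;;                        # already bracketed: keep as-is
    *)     f="($f)" ;;               # bare expression: add the brackets
  esac
  opens=$(printf '%s' "$f" | tr -cd '(')
  closes=$(printf '%s' "$f" | tr -cd ')')
  [ "${#opens}" -eq "${#closes}" ] || return 1
  printf '%s\n' "$f"
}

# Map the hypothetical LDAP_LOGLEVEL (0, 1, 2) to nslcd's debug flags:
# 0 -> none, 1 -> -d, 2 or higher -> -dd. Debug output goes to stderr and so
# ends up in the container logs.
nslcd_debug_flags() {
  case "${1:-0}" in
    0) printf '' ;;
    1) printf -- '-d' ;;
    *) printf -- '-dd' ;;
  esac
}

# Produce the nslcd.conf line restricting which LDAP entries may log in.
nslcd_filter_line() {
  f=$(normalize_ldap_filter "$1") || return 1
  printf 'filter passwd %s\n' "$f"
}

# Usage from an entrypoint (constructed values for illustration):
#   nslcd_filter_line "$LDAP_FILTER" >> /etc/nslcd.conf || { echo "invalid LDAP_FILTER"; exit 1; }
#   nslcd $(nslcd_debug_flags "$LDAP_LOGLEVEL") &
```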