openvpn-auth-ldap
ldaps (TLS) with self signed certificate
I have an LDAP server (ApacheDS) running:
Open/Clear - ldap://server.example.com:10399
Encrypted - ldaps://server.example.com:10686
I connect to this server from various other systems (our code repo, Jenkins, etc. all authenticate to it over the encrypted ldaps protocol on port 10686), so I know the server is responding fine over TLS. It uses self-signed certs, but that hasn't been an issue so far with other services connecting to it.
My openvpn logs don't give me much other than generic logging:
ovpn-server[2922]: Unable to enable STARTTLS: Can't contact LDAP server ((unknown error code))
ovpn-server[2922]: LDAP connect failed.
Different configs I've tried:
WORKS: (unencrypted)
<LDAP>
URL ldap://server.example.com:10399
Timeout 10
TLSEnable no
FollowReferrals yes
</LDAP>
DOES NOT WORK:
<LDAP>
URL ldaps://server.example.com:10686
Timeout 10
TLSEnable yes
FollowReferrals yes
</LDAP>
ALSO DOES NOT WORK:
<LDAP>
URL ldaps://server.example.com:10686
Timeout 10
TLSEnable no
FollowReferrals yes
</LDAP>
ALSO DOES NOT WORK:
<LDAP>
URL ldap://server.example.com:10686
Timeout 10
TLSEnable yes
FollowReferrals yes
</LDAP>
ALSO DOES NOT WORK:
<LDAP>
URL ldap://server.example.com:10686
Timeout 10
TLSEnable no
FollowReferrals yes
</LDAP>
I have a similar problem; I have just added it to the comments of issue 30. https://github.com/threerings/openvpn-auth-ldap/issues/30 It seems that the plugin is unable to verify the server's certificate.
I was able to get this plugin working with a self-signed certificate by doing the following:
- Git clone this repo into /usr/local/src
- Edit the file named 'TRLDAPConnection.m'
- Find line #100
- Change 'LDAP_OPT_X_TLS_HARD' to 'LDAP_OPT_X_TLS_ALLOW'
- If you're running Ubuntu, use the 'ubuntu_16.04_lts_build.sh' script to compile the 'openvpn-auth-ldap.so' shared object
- Edit your openvpn configuration to use the new shared object file
- Restart openvpn
I noticed with a strace of the openvpn pid that the plugin was reading /etc/ldap/ldap.conf and ldaprc, so I initially set 'TLS_REQCERT' to 'allow' within both, but the plugin ignored it. Then I found the "Always require a valid certificate" definition within the source files.
I followed the instructions. I made the adjustment in the makefile, recompiled the plugin and restarted openvpn. Sadly, when I tried again, I got the same error, "LDAP bind failed immediately: Can't contact LDAP Server Unable to bind as [email protected]". I am running plugin version 2.0.4. It works with the same credentials using the unencrypted LDAP.
I found a simpler workaround that does not require a code change to lower the TLS requirement.
In a nutshell: One needs to add the CA cert to the system's truststore. (In CentOS 8 I did this by copying it in pem format to /etc/pki/ca-trust/source/anchors/, and then ran the "update-ca-trust" command.)
It looks like the plugin ignores the "TLSCACertFile" config setting, but as long as it's in the system's truststore it should work. If this is not sufficient to fix your connection issue, the good news is that once this is out of the way the plugin will be more verbose about the reason (in the openvpn logfile).
Other issues that I needed to also fix were "EE certificate key too weak" (fixed by issuing a new cert for the AD server signed with a 2048-bit key this time*), and "hostname does not match peer certificate" (fixed by entering in the plugin's URL setting the exact same hostname present in the cert).
* The "weak key" issue can also be worked around by lowering the TLS security level. Here's a config line that worked for me to connect to an AD server signed with a 1024-bit key, though I wouldn't recommend it if you can use a stronger key instead:
TLSCipherSuite @SECLEVEL=1:ALL:!ADH:@STRENGTH
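To find out which of the three verification failures named in this thread an ldaps endpoint triggers before rebuilding the plugin, here is an added Python probe (not code from openvpn-auth-ldap or from anyone in this thread). It performs the same strict handshake the plugin does with LDAP_OPT_X_TLS_HARD, and `require_cert=False` shows what the LDAP_OPT_X_TLS_ALLOW patch gives up; host, port and CA file path are assumptions, and the error strings matched are the ones quoted above plus Python's own wording.

```python
import re
import socket
import ssl
from typing import Optional

# Handshake failures seen in this thread, mapped to the fix that keeps
# certificate verification switched on (no LDAP_OPT_X_TLS_ALLOW patch).
_CAUSES = (
    (r"self[ -]signed certificate|unable to get local issuer certificate",
     "untrusted issuer: add the CA cert (PEM) to the system trust store "
     "and run update-ca-trust / update-ca-certificates"),
    (r"hostname mismatch|doesn't match|does not match",
     "hostname mismatch: put the exact CN/SAN from the cert in the URL setting"),
    (r"key too (weak|small)",
     "weak key: reissue the server cert with a 2048-bit or stronger key"),
)


def classify_tls_failure(message: str) -> str:
    """Map an OpenSSL/Python handshake error string to a remediation.
    Returns 'unknown: <message>' when none of the known patterns match."""
    for pattern, remedy in _CAUSES:
        if re.search(pattern, message, re.IGNORECASE):
            return remedy
    return f"unknown: {message}"


def probe_ldaps(host: str, port: int = 636, cafile: Optional[str] = None,
                require_cert: bool = True, timeout: float = 10.0) -> str:
    """Open a TLS connection to an ldaps port and report the outcome.
    require_cert=True  -> verify chain and hostname (plugin's TLS_HARD).
    require_cert=False -> accept any certificate (what TLS_ALLOW does), so a
    success here says nothing about who is on the other end."""
    # cafile=None uses the system trust store, which is what the plugin
    # falls back to since it ignores TLSCACertFile.
    ctx = ssl.create_default_context(cafile=cafile)
    if not require_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                if not require_cert:
                    return f"ok (UNVERIFIED peer): {tls.version()}"
                return f"ok: {tls.version()} subject={tls.getpeercert()['subject']}"
    except ssl.SSLError as exc:          # verification and protocol errors
        return classify_tls_failure(str(exc))
    except OSError as exc:               # refused, timeout, DNS failure
        return f"connect failed: {exc}"


if __name__ == "__main__":
    # Assumed hostname and port; change to your own LDAP server.
    print(probe_ldaps("ldap.example.com", 636))
```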
After an entire afternoon of searching and testing, I finally made this #77 work: apply the patch by @k0ste. Thanks, and it's now a great plugin with your work!
It does require some effort to build the new .so file on CentOS 7, but now this plugin can work very well with a self-signed cert on the LDAP server side.
The updated conf file can be something like this:
<LDAP>
# LDAP server URL
URL ldaps://ldap.example.com
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN cn=readonly,ou=system,dc=example,dc=com
# Bind Password
Password xxxxx
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
TLSRequireCert no
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# DO NOT PUT any more cert file or path here
</LDAP>
<Authorization>
... (no change)
</Authorization>
I used Red Hat 7 and successfully moved the compiled lib to RHEL8. On RHEL8 I cannot compile it (issues with objC). And openvpn can authenticate on a Windows Server 2019 DC with default settings (LDAP server signing reqs: Require signing).
Steps to recompile lib with patch:
git clone https://github.com/guywyers/openvpn-auth-ldap
# Install packages
yum install autoconf libtool make openvpn openldap openvpn-devel openldap-devel openvpn automake openssl-devel libobjc gcc-objc patch
yum groupinstall 'Development Tools'
# Install re2c package (the tarball unpacks into re2c-3.0/)
wget https://github.com/skvadrik/re2c/archive/refs/tags/3.0.tar.gz
tar xzvf 3.0.tar.gz
cd re2c-3.0
./release.sh
./autogen.sh
./configure
make install
Apply patch #77
git clone https://github.com/k0ste/openvpn-auth-ldap-rfc2307
patch -ruN -d openvpn-auth-ldap < openvpn-auth-ldap-rfc2307/77.patch
enter names manually to files for patching when asking: i.e src/TRAuthLDAPConfig.h etc
install openvpn-auth-ldap
./regen.sh
./configure --with-openvpn=/usr/include/openvpn CFLAGS="-fPIC" OBJCFLAGS="-std=gnu11"
make
compiled lib in src/
Plugin location /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so
I can successfully connect with the config above (URL ldaps://ldap.example.com) without specifying cert options. OpenVPN will connect with TCP/636 to the DC.
The DC must have a correct cert for the FQDN: ldap.example.com (certmgr.msc - computer - personal)
For example, it is possible to generate a cert and import it with the following commands:
# Server key and CSR for the DC (EKU OIDs are serverAuth and clientAuth)
openssl genrsa -out dc1.key 2048
openssl req -new \
  -key dc1.key -out dc1.csr -subj "/CN=dc1.test.com" \
  -addext "keyUsage=digitalSignature,keyEncipherment" \
  -addext "subjectKeyIdentifier=hash" \
  -addext "extendedKeyUsage=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2"
# Sign the CSR with the OpenVPN easy-rsa CA, then verify the result
openssl x509 -req -in dc1.csr -CA /etc/openvpn/keys/easyrsa/pki/ca.crt -CAkey /etc/openvpn/keys/easyrsa/pki/private/ca.key -CAcreateserial -out dc1.crt -days 720 -sha256
openssl verify -CAfile /etc/openvpn/keys/easyrsa/pki/ca.crt /etc/openvpn/auth/12/dc1.crt
# Bundle key and cert for import into the Windows certificate store
openssl pkcs12 -export -out dc1.pfx -inkey dc1.key -in dc1.crt
Import dc1.pfx to the DC