
LDAP authentication has always failed #71

Open
ysuking1987 opened this issue Jun 30, 2023 · 8 comments

Comments

@ysuking1987

Container startup command:

docker run
--name openvpn
--volume /etc/openvpn:/etc/openvpn
-v /etc/localtime:/etc/localtime:ro
--detach=true
--restart=always
-p 1194:1194/udp
-e "OVPN_ENABLE_COMPRESSION=false"
-e "OVPN_SERVER_CN=xx.214.xx.147"
-e "LDAP_URI=ldap://10.0.xx.xx:389"
-e "LDAP_BASE_DN=cn=test,ou=test,dc=help,dc=com"
-e "LDAP_BIND_USER_DN=cn=test,dc=help,dc=com"
-e "LDAP_BIND_USER_PASS=xxxxx!"
-e "LDAP_ENCRYPT_CONNECTION=off"
-e "LDAP_LOGIN_ATTRIBUTE=givenName"
-e "OVPN_NETWORK=192.168.100.0 255.255.255.0"
-e "OVPN_ROUTES=10.0.0.0 255.255.0.0"
-e "OVPN_DNS_SERVERS=10.0.0.2"
-e "OVPN_IDLE_TIMEOUT=36000"
-e "ENABLE_OTP=true"
-e "FAIL2BAN_ENABLED=true"
-e "FAIL2BAN_MAXRETRIES=20"
-e "REGENERATE_CERTS=false"
--cap-add=NET_ADMIN
wheelybird/openvpn-ldap-otp:latest

I logged in using the givenName attribute of an LDAP user, but it kept reporting an error message as follows:
2023-06-30 06:13:23 PLUGIN AUTH-PAM: BACKGROUND: user 'larry' failed to authenticate: Authentication failure
2023-06-30 06:13:23 203.12.203.3:52774 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2023-06-30 06:13:23 203.12.203.3:52774 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
2023-06-30 06:13:23 203.12.203.3:52774 TLS Auth Error: Auth Username/Password verification failed for peer
2023-06-30 06:13:23 203.12.203.3:52774 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-06-30 06:13:23 203.12.203.3:52774 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
2023-06-30 06:13:23 203.12.203.3:52774 Delayed exit in 5 seconds
2023-06-30 06:13:23 203.12.203.3:52774 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
2023-06-30 06:13:24 203.12.203.3:52774 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
2023-06-30 06:13:24 203.12.203.3:52774 Peer Connection Initiated with [AF_INET]203.12.203.3:52774
2023-06-30 06:13:26 read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
2023-06-30 06:13:28 203.12.203.3:52774 SIGTERM[soft,delayed-exit] received, client-instance exiting
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_VER=2.5.9
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_PLAT=mac
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_PROTO=6
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_NCP=2
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_LZ4=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_LZ4v2=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_LZO=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_COMP_STUB=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_COMP_STUBv2=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_TCPNL=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5777_3.8.8b__build_5777)"

But I have configured the login user as givenName on the Grafana, Jumpserver, and Self Service Password systems, and with the same username and password I can log in successfully, which proves that the LDAP username and password are correct. May I ask where the problem is?

@wheelybird
Owner

Can I assume you're appending your MFA code to the end of the password?
You can get more insight into authentication issues with pamtester:

You'll need to get a shell in the existing container: docker exec -ti {container name} bash
Now install some packages: apt-get install -y pamtester psmisc
Kill the existing nslcd process: killall nslcd
Start a new background process with debugging enabled: nslcd -d &
Now you can run pamtester: pamtester openvpn {your username} authenticate

@ysuking1987
Author

ENABLE_OTP=false
That's not good either

Okay, I'll give it a try

@ysuking1987
Author

ysuking1987 commented Jun 30, 2023

@wheelybird the log is as follows:

root@08f8c0a8fa1f:/# pamtester openvpn larry authenticate
Password:
nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
nslcd: [8b4567] DEBUG: connection from pid=493 uid=0 gid=0
nslcd: [8b4567] <authc="larry"> DEBUG: nslcd_pam_authc("larry","openvpn","")
nslcd: [8b4567] <authc="larry"> DEBUG: myldap_search(base="cn=aaa,ou=nnn,dc=bbb,dc=ccc", filter="(&(objectClass=posixAccount)(givenName=larry))")
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_initialize(ldap://10.xx.170.xx:389)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_simple_bind_s("cn=admin,dc=aaa,dc=xxx","
") (uri="ldap://10.xx.170.xx:389")
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_result(): cn=larry.xxx,cn=aaa,ou=bbb,dc=ccc,dc=ddd
nslcd: [8b4567] <authc="larry"> DEBUG: myldap_search(base="cn=larry.xxx,cn=aaa,ou=bbb,dc=ccc,dc=ddd", filter="(objectClass=)")
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_initialize(ldap://10.xx.170.xx:389)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_sasl_bind("cn=larry.xxx,cn=aaa,ou=bbb,dc=ccc,dc=ddd","
*") (uri="ldap://10.xx.170.xx:389") (ppolicy=yes)
nslcd: [8b4567] <authc="larry"> DEBUG: myldap_search(base="cn=larry.xxx,cn=aaa,ou=bbb,dc=ccc,dc=ddd", filter="(objectClass=
)")
nslcd: [8b4567] <authc="larry"> ldap_result() failed: No such object
nslcd: [8b4567] <authc="larry"> cn=larry.xxx,cn=aaa,ou=bbb,dc=ccc,dc=ddd: No such object
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="larry"> DEBUG: myldap_search(base="cn=aaa,ou=bbb,dc=ccc,dc=ddd", filter="(&(objectClass=shadowAccount)(uid=larry))")
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_result(): end of results (0 total)
pamtester: Authentication failure

Can you tell what the problem is there? Thank you so much!

@wheelybird
Owner

Hmm. The initial lookup finds your account. However the attempt to bind with your account/password fails. Strangely the search has an empty value for the objectClass filter (myldap_search(base="cn=larry.xxx,cn=aaa,ou=bbb,dc=ccc,dc=ddd", filter="(objectClass=)")). Perhaps that's the issue, though I don't know why that's the case.
Does authentication work if you use LDAP_LOGIN_ATTRIBUTE=uid?
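As an added illustration (not code from the thread or from the openvpn-ldap-otp project): a small Python script that walks an nslcd -d trace like the one pasted above and reports which stage of nslcd's PAM flow broke, so the "No such object" on the post-bind re-read and the empty shadowAccount lookup stand out without reading every line. The sample trace is constructed from the lines quoted in this issue; the DNs, server address and redacted passwords are placeholders.

```python
import re

# Constructed sample of `nslcd -d` output, modelled on the trace quoted in this issue.
# DNs, the LDAP URI and the redacted passwords ("***") are placeholders.
SAMPLE_LOG = """\
nslcd: [8b4567] <authc="larry"> DEBUG: nslcd_pam_authc("larry","openvpn","")
nslcd: [8b4567] <authc="larry"> DEBUG: myldap_search(base="cn=aaa,ou=nnn,dc=bbb,dc=ccc", filter="(&(objectClass=posixAccount)(givenName=larry))")
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_simple_bind_s("cn=admin,dc=aaa,dc=xxx","***") (uri="ldap://10.0.0.1:389")
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_result(): cn=larry.xxx,cn=aaa,ou=bbb,dc=ccc,dc=ddd
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_sasl_bind("cn=larry.xxx,cn=aaa,ou=bbb,dc=ccc,dc=ddd","***") (uri="ldap://10.0.0.1:389") (ppolicy=yes)
nslcd: [8b4567] <authc="larry"> DEBUG: myldap_search(base="cn=larry.xxx,cn=aaa,ou=bbb,dc=ccc,dc=ddd", filter="(objectClass=*)")
nslcd: [8b4567] <authc="larry"> ldap_result() failed: No such object
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_unbind()
nslcd: [8b4567] <authc="larry"> DEBUG: myldap_search(base="cn=aaa,ou=bbb,dc=ccc,dc=ddd", filter="(&(objectClass=shadowAccount)(uid=larry))")
nslcd: [8b4567] <authc="larry"> DEBUG: ldap_result(): end of results (0 total)
"""

SEARCH_RE = re.compile(r'myldap_search\(base="([^"]*)", filter="([^"]*)"\)')
BIND_RE = re.compile(r'ldap_(?:simple_bind_s|sasl_bind)\("([^"]*)"')
FAILED_RE = re.compile(r'ldap_result\(\) failed: (.+)$')
FOUND_RE = re.compile(r'ldap_result\(\): (?!end of results)(\S.*)$')


def diagnose(log):
    """Walk one authc session of an nslcd debug trace and report where the flow broke.

    Stages, as seen in the trace: lookup search with the service account, bind as the
    DN that was found, re-read that entry, then the shadowAccount lookup by uid.
    """
    report = {"user_dn": None, "user_bind_attempted": False, "failing_search": None,
              "error": None, "searches": [], "shadow_lookup_empty": False}
    last = None  # (base, filter) of the most recent myldap_search
    for line in log.splitlines():
        if m := SEARCH_RE.search(line):
            last = (m.group(1), m.group(2))
            report["searches"].append(last)
        elif m := FOUND_RE.search(line):
            report["user_dn"] = m.group(1).strip()
        elif m := BIND_RE.search(line):
            # A bind with the DN the lookup returned is the user's own credential check;
            # the earlier bind is the LDAP_BIND_USER_DN service account.
            if m.group(1) == report["user_dn"]:
                report["user_bind_attempted"] = True
        elif m := FAILED_RE.search(line):
            report["failing_search"], report["error"] = last, m.group(1).strip()
        elif "end of results (0 total)" in line and last and "shadowAccount" in last[1]:
            report["shadow_lookup_empty"] = True
    return report
```

Run it on the real output of `nslcd -d` (paste it into a file and pass the file contents to diagnose) to see the same summary for your own server.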

@ysuking1987
Author

ysuking1987 commented Jun 30, 2023

@wheelybird The complete log is:
nslcd: [8b4567] <authc="larry"> DEBUG: myldap_search(base="cn=larry.xxx,cn=aaa,ou=bbb,dc=ccc,dc=ddd", filter="(objectClass= * )")

I tried adding a filter parameter, -e "LDAP_FILTER=(objectClass=posixAccount)", but the same error message was reported.
Let me try this parameter.

@ysuking1987
Author

@wheelybird
The error message is the same, as shown below:
nslcd: [495cff] <authc="lchen"> DEBUG: myldap_search(base="cn=larry.xxx,cn=aaa,ou=bbb,dc=ccc,dc=ddd", filter="(objectClass= * )")
nslcd: [495cff] <authc="lchen"> ldap_result() failed: No such object
nslcd: [495cff] <authc="lchen"> cn=larry.xxx,cn=aaa,ou=bbb,dc=ccc,dc=ddd: No such object
nslcd: [495cff] <authc="lchen"> DEBUG: ldap_unbind()
nslcd: [495cff] <authc="lchen"> DEBUG: myldap_search(base="cn=larry.xxx,cn=aaa,ou=bbb,dc=ccc,dc=ddd", filter="(&(objectClass=shadowAccount)(uid=lchen))")
nslcd: [495cff] <authc="lchen"> DEBUG: ldap_result(): end of results (0 total)
pamtester: Authentication failure

My parameters are: -e "LDAP_FILTER=(objectClass=posixAccount)"

Why did it change it to objectClass=shadowAccount for me?

@ysuking1987
Author

I added this attribute, objectClass=shadowAccount, but the result is still the same.
