Author Topic: [SOLVED] OpenVPN w/OpenLDAP auth from Zentyal AD slave  (Read 5093 times)

browley

  • Zen Apprentice
  • *
  • Posts: 17
  • Karma: +1/-0
    • View Profile
[SOLVED] OpenVPN w/OpenLDAP auth from Zentyal AD slave
« on: July 31, 2012, 12:08:02 am »
I'm having a bit of trouble getting OpenVPN up and working smoothly with the LDAP auth module.  The good news is that it DOES work (albeit a little hacky to get working). I have one minor issue: whenever I make changes to /etc/default/openvpn and change AUTOSTART="none" to AUTOSTART="server" (since my OpenVPN server conf file is named "server.conf" in /etc/openvpn) so that the server will autostart on boot, the file keeps getting smashed back to AUTOSTART="none" after at least 1 reboot.  Is there a Zentyal process that re-writes the file?  Other than that everything works fine.  I can post more details if anyone is curious.
« Last Edit: August 10, 2012, 11:00:14 pm by browley »

jsalamero

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1419
  • Karma: +45/-1
    • View Profile
Re: OpenVPN w/OpenLDAP auth from Zentyal AD slave
« Reply #1 on: August 01, 2012, 08:35:41 am »
Yes, this file is overwritten. Use a custom stub to override default-openvpn.mas.

browley

  • Zen Apprentice
  • *
  • Posts: 17
  • Karma: +1/-0
    • View Profile
Re: OpenVPN w/OpenLDAP auth from Zentyal AD slave
« Reply #2 on: August 01, 2012, 10:00:01 pm »
Thanks!  I edited the /usr/share/zentyal/stubs/openvpn/default-openvpn.mas to use my "server.conf" file but I still cannot get OpenVPN to go on start up.  Looking through the Zentyal logs, /var/log/messages, and openvpn.log I can find nothing that relates to the startup.  I rebooted and saw the OpenVPN startup process went through OK (hitting esc on the Zentyal Splash).  However, after boot, OpenVPN reports that it is not running.  I can then launch it no problem by starting the init script.  I used sysv-rc-config to make sure OpenVPN was on runlevel 3, 4, and 5 but then I had a thought: does Zentyal use some sort of built-in start-up mechanism for OpenVPN?  If so, what's the best practice for starting it?   
« Last Edit: August 02, 2012, 12:43:33 am by browley »

browley

  • Zen Apprentice
  • *
  • Posts: 17
  • Karma: +1/-0
    • View Profile
Re: OpenVPN w/OpenLDAP auth from Zentyal AD slave
« Reply #3 on: August 02, 2012, 03:42:18 pm »
I ended up writing another little init script that sleeps 2 minutes and calls the initial openvpn init scrip.  It looks like this:

Code: [Select]
#!/bin/bash
### BEGIN INIT INFO
# Provides:          scriptname
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Delayed OpenVPN startup
# Description:       Enable service provided by daemon.
### END INIT INFO
sleep 2m
/etc/init.d/openvpn start

Which works just fine.  Also I'd thought I'd post my openvpn config for anyone interested in getting OpenVPN working with the internal Zentyal LDAP.  Here is my server.conf
Code: [Select]
port 1194
ca ca.crt
cert server.crt
key server.key
proto udp
dev tap0
up "/etc/init.d/bridge-up br1 tap0 1500"
down "/etc/init.d/bridge-down br1 tap0"
mode server
tls-server
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.63 255.255.255.0 192.168.1.223 192.168.1.248
push "dhcp-option DNS 192.168.1.17"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log         /var/log/openvpn.log
verb 6
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
client-cert-not-required

Here's the ldap.conf in "/etc/openvpn/auth/ldap.conf":
Code: [Select]
<LDAP>
        URL             ldap://127.0.0.1:389
        BindDN          cn=ebox,dc=<fill in your base here from the ldap Zentyal settings>
        Password        <fill in your password from ldap Zentyal settings>
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
        TLSCACertFile   /usr/local/etc/ssl/ca.pem
        TLSCACertFile   /usr/local/etc/ssl/ca.pem
        TLSCACertDir    /etc/ssl/certs
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem
</LDAP>

<Authorization>
        BaseDN          "ou=Users,dc=<Zentyal base again here>"
        #IMPORTANT, I added a "initials" attribute to determine whether a user has access or not
        #I set this via adding an attribute to the ldap user via phpLdapAdmin.  Users must have this attribute to connect
        #This is hacky but it works!
        SearchFilter    "(&(uid=%u)(initials=vpn))"
        RequireGroup    false
        <Group>
                BaseDN          "ou=Groups,dc=<Zentyal base...>"
                SearchFilter    "(|(cn=developers)(cn=artists))"
                MemberAttribute uniqueMember
        </Group>
</Authorization>

Here's the bridge startup script:
Code: [Select]
#!/bin/sh
BR=$1
DEV=$2
MTU=1500
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/usr/sbin/brctl addif $BR $DEV

Here's the bridge down script:
Code: [Select]
#!/bin/sh
BR=$1
DEV=$2
/sbin/ip link set "$DEV" down
/usr/sbin/brctl delif $BR $DEV

Some notes from above: I made a user, OpenVPN that has no home dir or login to run.  I chown'ed the /etc/openvpn dir as this user.  Make sure to edit the Zentyal stub from the above post so that /etc/default/openvpn doesn't keep getting destroyed.  In order to run the start_openvpn delay script above, I called
Code: [Select]
sudo update-rc.d start_openvpn defaults after making the script executable.

While I was having issues on startup, this was working well overall from a connectivity standpoint.  The real issue here is that I know Zentyal incorporates OpenVPN in a way and I feel like I'm stepping on its toes.  That said, @Zentyal devs, would it be possible to build this functionality directly into the Zentyal server?  All the pieces are there they just need to be connected.  Really the only thing that would need to be flushed out is my hack that uses the initials to determine if someone has access or not.  I actually look at it and there is a way to build a .schema file and include it in OpenLDAP so that you could have a VPN boolean, but after fighting to get OpenVPN for the first time I was out of steam at that point.  Finally, if anyone has any suggestions in helping me cleaning anything up please let me know.  Thanks in advance.

browley

  • Zen Apprentice
  • *
  • Posts: 17
  • Karma: +1/-0
    • View Profile
Re: OpenVPN w/OpenLDAP auth from Zentyal AD slave
« Reply #4 on: August 10, 2012, 11:00:00 pm »
Well, I was coming in to mark this solved but I decided to try and get Dynamic DNS working with the a Zentyal cloud account earlier this week.  WHAM, my OpenVPN setup was not having that.  I then went back, reset the custom stub to "all", edited my server.conf to use a tap1 interface, and changed to port to 1195 in my server.conf file from above.  In other words, instead of just using the OpenVPN server I hacked in there, I decided to use two instances as suggested by http://openvpn.net/index.php/open-source/faq/79-client/283-can-i-run-multiple-openvpn-tunnels-on-a-single-machine.html

But I couldn't get both the Zentyal client connection to the cloud to work on boot!  It was driving me nuts.  I tried modifying my startup script in all sorts of ways.  Changing things around, adding custom init scripts, etc.  Then, and I don't know what tipped me off to this, I realized I was turning my scripts on levels 3 4 5... and Zentyal was running at runlevel 2.  The hours wasted for that... grrrr.  Anywho, I got rid of my custom startup script and turned OpenVPN on for 2 3 4 and 5.  Guess what?  Unicorns and rainbows.  So now my Zentyal box starts up with both the cloud connection and as an OpenVPN server that ties into my LDAP which was yanked from AD and I can confirm Windows passwords work.  This is solved, thanks everyone.

robb

  • Guest
Re: [SOLVED] OpenVPN w/OpenLDAP auth from Zentyal AD slave
« Reply #5 on: August 12, 2012, 10:40:42 pm »
Hi Browley,

Kudos for the effort getting this problem to work.
I want to ask you, can you write a small howto in TRAC with the problem situation and how you solved this? This would addup to the Community Documentation and give a boost to the Zentyal project.

thanx in advance
« Last Edit: August 12, 2012, 10:46:32 pm by robb »

icsy7867

  • Zen Apprentice
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
Re: [SOLVED] OpenVPN w/OpenLDAP auth from Zentyal AD slave
« Reply #6 on: August 17, 2017, 08:37:01 pm »
I know this post is old, but this is the first thing that popped up on google for me, and a quick search did not reveal anything too pertinent. I apologize if this has already been covered, but thought I would share my experience.  I used bits and pieces from all over.  I found that by using hooks, it was easier to setup LDAP support for openvpn than I thought.


Here are the steps that I performed to get it working

Code: [Select]
sudo apt-get install openvpn-auth-ldap
mkdir /etc/openvpn/auth
cd /etc/openvpn/auth
sudo nano ldap.conf

Now you need to setup your ldap conf so that your openvpn auth uses the right settings.  You need to change the BindDN, passwords and settings to allow access.  You can also use groups to allow VPN access, but I do not do that on mind so I left that section out.  I can provide a working example if necessary.  I also use "sAMAccountName" instead of UID like the op.

Code: [Select]
<LDAP>
        # LDAP server URL
        URL             ldap://localhost:389

        # Bind DN (If your LDAP server doesn't support anonymous binds)
        BindDN          "Insert Bind_DN"

        # Bind Password
        Password        "Password"

        # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        #TLSEnable       yes

        # Follow LDAP Referrals (anonymously)
        FollowReferrals no
</LDAP>
<Authorization>
        # Base DN
        #BaseDN         "CN=Users,DC=test,DC=com"
        BaseDN          "Base_User_DN"

        # User Search Filter
        #SearchFilter   "(&(uid=%u)(accountStatus=active))"
        SearchFilter   "(sAMAccountName=%u)"

        # Require Group Membership
        RequireGroup    false

</Authorization>

You then need to create your hooks:
Code: [Select]
cd /etc/zentyal/hooks/
sudo cp template.postsetconf openvpn.postsetconf
sudo nano openvpn.postsetconf

Here you need to add your LDAP auth to your openvpnhook add these lines (Editing for your correct names) above the "Exit 0"
Code: [Select]
echo 'plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"' >> /etc/openvpn/VPNNameHere.d/VPNNameHere.conf
echo "client-cert-not-required" >> /etc/openvpn/VPNNameHere.d/VPNNameHere.conf

Lastly, you need to tell your openvpn client to ask for a username/password combo.
Simply add:
Code: [Select]
auth-user-pass
to your .ovpn file.


vipul.sharma1

  • Zen Apprentice
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Re: [Pending] OpenVPN w/OpenLDAP auth from Zentyal AD slave
« Reply #7 on: May 08, 2019, 02:43:12 pm »
Hi Team,

We are using zentyal from last one month and want to integrate openvpn with  zentyal.
We have created almost 4000 users into zentyal in different OU ( organizational unit )  now want to authenticate users from openvpn through zentyal.

Below are the openvpn  ldap.conf  config

<LDAP>
   # LDAP server URL
   URL      ldap://10.11.17.90
   BindDN      "CN=authuser,CN=Users,DC=rivigogur,DC=com"
   Password           "passwd"
   Timeout      15
   TLSEnable   no
   FollowReferrals no

</LDAP>

<Authorization>
   BaseDN       "CN=Users,DC=rivigogur,DC=com"
        SearchFilter        "(&(sAMAccountName=%u)"
   RequireGroup   false
     
      #  <Group>
      #         BaseDN   "CN=Users,DC=rivigo,DC=com"
      #         SearchFilter   "cn=vpn"
      #         MemberAttribute Member
       # </Group>
 

Main Problem is here only that users those persist into Users OU are authenticating with openvpn not the other OU users.


Openvpn Logs.


Mon May  6 18:00:52 2019 us=160072 10.11.1.1:14741 peer info: IV_TCPNL=1
Mon May  6 18:00:52 2019 us=160080 10.11.1.1:14741 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5180_3.7.8__build_5180)"
LDAP user "vipul.sharma1" was not found.


Actually vipul.sharma1 user exist into  IT OU and as per ldap.conf users are searching into Users OU only.


So,Please required urgent help here how we can authenticate users those are exist into multiple OU instead on single OU.

Quick help will be really appreciated.

Thanks