Author Topic: [SOLVED] OpenVPN authentication against Active Directory (Windows Server 2008)  (Read 4888 times)

jbahillo (Zentyal Staff)
« Reply #15 on: August 25, 2014, 11:21:29 am »
Hello:

It looks like it is going through PAM rather than LDAP. As you say, the only thing I can think of is to check the OpenVPN logs and see whether you find a message that hints at why that happens....

Another option would be to enable PAM for the LDAP users, but you may not want to do that.

juaniki (Zen Apprentice)
« Reply #16 on: August 26, 2014, 01:27:39 pm »
That is what it is doing.

I searched for the file openvpn-auth-ldap.so, but it is not on the server??

Where is it really?

Can it be downloaded?

Thanks in advance.


jbahillo (Zentyal Staff)
« Reply #17 on: August 26, 2014, 01:29:44 pm »
Hello:

I think the package you need is openvpn-auth-ldap:

Code:
Package: openvpn-auth-ldap
Priority: extra
Section: universe/net
Installed-Size: 171
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Architecture: amd64
Version: 2.0.3-5.1
Depends: libc6 (>= 2.4), libldap-2.4-2 (>= 2.4.7), libobjc3 (>= 4.2.1), openvpn (>= 2)
Filename: pool/universe/o/openvpn-auth-ldap/openvpn-auth-ldap_2.0.3-5.1_amd64.deb
Size: 46784
MD5sum: a045776f9e4e98f6c380a7fccce98e4c
SHA1: 3f8826fdd2ecd8e01588b5f38d56d8de4124cbc1
SHA256: 34bd8a7b4f5b1c8094d70a2d40eb498ec12b07fc975b044568d7185e5a8b9aed
Description-en: OpenVPN LDAP authentication module
 A plugin that implements username/password authentication via
 LDAP for OpenVPN 2.x. It features:
 .
  * Simple Apache-style configuration file.
  * LDAP group-based access restrictions.
  * Will authenticate against any LDAP server that supports LDAP
    simple binds -- including Active Directory.
Description-md5: e1e09ddd84686d578add3979f29be545
Homepage: http://code.google.com/p/openvpn-auth-ldap/
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu

juaniki (Zen Apprentice)
« Reply #18 on: August 26, 2014, 02:02:26 pm »
Thanks for your quick reply.
I get an authentication error....

This is the log:


Fri Aug 22 13:34:26 2014 WARNING: file '/var/lib/zentyal/CA/private/vpn-GSTOpenVpn.pem' is group or others accessible
Fri Aug 22 13:34:26 2014 Socket Buffers: R=[163840->131072] S=[163840->131072]
Fri Aug 22 13:34:26 2014 TUN/TAP device tap0 opened
Fri Aug 22 13:34:26 2014 TUN/TAP TX queue length set to 100
Fri Aug 22 13:34:26 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Aug 22 13:34:26 2014 /sbin/ip link set dev tap0 up mtu 1500
Fri Aug 22 13:34:26 2014 /sbin/ip addr add dev tap0 10.99.1.1/24 broadcast 10.99.1.255
Fri Aug 22 13:34:26 2014 GID set to nogroup
Fri Aug 22 13:34:26 2014 UID set to nobody
Fri Aug 22 13:34:26 2014 UDPv4 link local (bound): [AF_INET]10.30.113.64:1194
Fri Aug 22 13:34:26 2014 UDPv4 link remote: [undef]
Fri Aug 22 13:34:26 2014 MULTI: multi_init called, r=256 v=256
Fri Aug 22 13:34:26 2014 IFCONFIG POOL: base=10.99.1.2 size=253, ipv6=0
Fri Aug 22 13:34:26 2014 ifconfig_pool_read(), in='JuanAntonioRodriguezGST,10.99.1.2', TODO: IPv6
Fri Aug 22 13:34:26 2014 succeeded -> ifconfig_pool_set()
Fri Aug 22 13:34:26 2014 IFCONFIG POOL LIST
Fri Aug 22 13:34:26 2014 JuanAntonioRodriguezGST,10.99.1.2
Fri Aug 22 13:34:26 2014 Initialization Sequence Completed
Fri Aug 22 13:34:50 2014 10.30.113.2:18397 TLS: Initial packet from [AF_INET]10.30.113.2:18397, sid=de1444a3 5dff6686

AUTH-PAM: BACKGROUND: user 'rodrigj' failed to authenticate: Authentication failure
Fri Aug 22 13:34:51 2014 10.30.113.2:18397 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Aug 22 13:34:51 2014 10.30.113.2:18397 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
Fri Aug 22 13:34:51 2014 10.30.113.2:18397 TLS Auth Error: Auth Username/Password verification failed for peer
Fri Aug 22 13:34:51 2014 10.30.113.2:18397 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Aug 22 13:34:51 2014 10.30.113.2:18397 [JuanAntonioRodriguezGST] Peer Connection Initiated with [AF_INET]10.30.113.2:18397
Fri Aug 22 13:34:54 2014 10.30.113.2:18397 PUSH: Received control message: 'PUSH_REQUEST'
Fri Aug 22 13:34:54 2014 10.30.113.2:18397 Delayed exit in 5 seconds
Fri Aug 22 13:34:54 2014 10.30.113.2:18397 SENT CONTROL [JuanAntonioRodriguezGST]: 'AUTH_FAILED' (status=1)
Fri Aug 22 13:35:00 2014 10.30.113.2:18397 SIGTERM[soft,delayed-exit] received, client-instance exiting
Fri Aug 22 13:49:27 2014 event_wait : Interrupted system call (code=4)
Fri Aug 22 13:49:27 2014 Closing TUN/TAP interface
Fri Aug 22 13:49:27 2014 /sbin/ip addr del dev tap0 10.99.1.1/24
RTNETLINK answers: Operation not permitted
Fri Aug 22 13:49:27 2014 Linux ip addr del failed: external program exited with error status: 2
Fri Aug 22 13:49:27 2014 PLUGIN_CLOSE: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
AUTH-PAM: Error signaling background process to exit
Fri Aug 22 13:49:27 2014 SIGTERM[hard,] received, process exiting
Fri Aug 22 13:50:54 2014 OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Fri Aug 22 13:50:54 2014 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/openvpn-plugin-auth-pam.so] [/etc/openvpn/auth/ldap.conf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY


Could you keep helping me out, please? Thanks.

jbahillo (Zentyal Staff)
« Reply #19 on: August 26, 2014, 02:25:00 pm »
Hello:

I see no trace of openvpn-auth-ldap.

Check that it is included in the config and remove any call to the PAM file.

juaniki (Zen Apprentice)
« Reply #20 on: August 26, 2014, 02:57:11 pm »
This is the configuration I have....

#plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"


#plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "/etc/openvpn/auth/ldap.conf"
#plugin auth-user-pass-verify /etc/openvpn/auth/autorizacion.py via-file
#script-security 3 execve

#auth-user-pass-verify /etc/openvpn/auth/ldap_perl.pl via-env
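An added check, written for this thread rather than taken from it or from Zentyal, for the discrepancy between Reply #18 and Reply #20: the PLUGIN_INIT line in the log shows OpenVPN loading openvpn-plugin-auth-pam.so with ldap.conf as its argument, while the config posted above has only the openvpn-auth-ldap.so plugin line active. The two functions extract the active `plugin` directives from a config file and the plugins the server reported at startup from its log, and `plugins_match` compares them. Run it against the config file OpenVPN was actually started with: on Zentyal the server .conf is regenerated from the templates under /usr/share/zentyal/stubs/openvpn when the module is restarted, so an edit made only to the generated file does not survive. The sample config and the first log line are the ones posted in the thread; the second log line is constructed, and the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zentyal.
# File paths are placeholders; point the functions at your own files.

# Active "plugin" directives of an OpenVPN server config. Leading whitespace
# and comment lines (starting with "#" or ";") are dropped, as OpenVPN does.
configured_plugins() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' "$1" |
        awk '$1 == "plugin" { print $2 }'
}

# Plugins the running server reported at startup: OpenVPN writes one
# "PLUGIN_INIT: POST <path> '[args]' ..." line per shared object it loaded.
loaded_plugins() {
    awk '/PLUGIN_INIT: POST / {
             for (i = 1; i <= NF; i++) if ($i == "POST") { print $(i + 1); break }
         }' "$1"
}

# Verdict on the first line: "match" when both lists agree, otherwise
# "mismatch" followed by both lists so the stray plugin is visible.
plugins_match() {
    conf=$(configured_plugins "$1" | sort -u)
    log=$(loaded_plugins "$2" | sort -u)
    if [ "$conf" = "$log" ]; then
        echo match
    else
        echo mismatch
        echo "configured: $conf"
        echo "loaded:     $log"
    fi
}

# Constructed sample 1: the config lines and the PLUGIN_INIT line posted in the thread.
TMP=$(mktemp -d)
cat > "$TMP/thread.conf" <<'EOF'
#plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
#plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "/etc/openvpn/auth/ldap.conf"
EOF
cat > "$TMP/thread.log" <<'EOF'
Fri Aug 22 13:50:54 2014 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/openvpn-plugin-auth-pam.so] [/etc/openvpn/auth/ldap.conf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
EOF

# Constructed sample 2: a startup line from a server that loaded the config as written.
cat > "$TMP/fixed.log" <<'EOF'
Tue Aug 26 16:55:00 2014 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-ldap.so '[/usr/lib/openvpn/openvpn-auth-ldap.so] [/etc/openvpn/auth/ldap.conf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
EOF

plugins_match "$TMP/thread.conf" "$TMP/thread.log"   # mismatch: the PAM plugin was loaded
plugins_match "$TMP/thread.conf" "$TMP/fixed.log"    # match
```

On a live box, pass the path from the server's own command line (`ps -o args= -C openvpn` shows the `--config` argument) and the log file that `log` or `log-append` in that config names; a mismatch there means the file being edited is not the one the daemon reads.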

jbahillo (Zentyal Staff)
« Reply #21 on: August 26, 2014, 03:04:01 pm »
And what is the output of dpkg -L openvpn-auth-ldap?

juaniki (Zen Apprentice)
« Reply #22 on: August 26, 2014, 04:03:46 pm »
/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/openvpn-auth-ldap
/usr/share/doc/openvpn-auth-ldap/examples
/usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf
/usr/share/doc/openvpn-auth-ldap/README
/usr/share/doc/openvpn-auth-ldap/copyright
/usr/share/doc/openvpn-auth-ldap/changelog.Debian.gz
/usr/lib
/usr/lib/openvpn
/usr/lib/openvpn/openvpn-auth-ldap.so

jbahillo (Zentyal Staff)
« Reply #23 on: August 26, 2014, 04:49:12 pm »
Perfect. I understand that you made the changes to the OpenVPN config through a stub, right?

If you run sudo service zentyal openvpn, what output do you get?

juaniki (Zen Apprentice)
« Reply #24 on: August 26, 2014, 04:51:34 pm »
Tue Aug 26 16:43:39 2014 10.30.113.2:20873 PUSH: Received control message: 'PUSH_REQUEST'
Tue Aug 26 16:43:39 2014 10.30.113.2:20873 Delayed exit in 5 seconds
Tue Aug 26 16:43:39 2014 10.30.113.2:20873 SENT CONTROL [JuanAntonioRodriguezGST]: 'AUTH_FAILED' (status=1)
Tue Aug 26 16:43:39 2014 10.30.113.2:20873 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.30.113.2:20873

Tue Aug 26 16:43:40 2014 10.30.113.2:20873 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.30.113.2:20873

Tue Aug 26 16:43:41 2014 10.30.113.2:20873 TLS Error: local/remote TLS keys are out of sync: [AF_INET]10.30.113.2:20873

Tue Aug 26 16:43:44 2014 10.30.113.2:20873 SIGTERM[soft,delayed-exit] received, client-instance exiting
^C
...........log.. there is a TLS error......



root@gstzentyal:/usr/share/zentyal/stubs/openvpn# sudo service zentyal openvpn
Usage: /etc/init.d/zentyal start|stop|restart
       /etc/init.d/zentyal <module> start|stop|status|enabled|restart
root@gstzentyal:/usr/share/zentyal/stubs/openvpn# sudo service zentyal openvpn status
Zentyal: status module openvpn:                 [ RUNNING ]

jbahillo (Zentyal Staff)
« Reply #25 on: August 26, 2014, 04:52:47 pm »
And what does the log show if you try to connect a user now?

juaniki (Zen Apprentice)
« Reply #26 on: August 26, 2014, 04:56:45 pm »

root@gstzentyal:/usr/share/zentyal/stubs/openvpn# tail -0f /var/log/openvpn/GSTOpenVpn.log
Tue Aug 26 16:56:08 2014 10.30.113.2:2638 TLS: Initial packet from [AF_INET]10.30.113.2:2638, sid=901565eb b7805597
Tue Aug 26 16:56:08 2014 10.30.113.2:2638 CRL CHECK OK: C=34, ST=Sevilla, L=sevilla, O=AutoridadCertificadoraGST, CN=Certificado de Autoridad AutoridadCertificadoraGST
Tue Aug 26 16:56:08 2014 10.30.113.2:2638 VERIFY OK: depth=1, C=34, ST=Sevilla, L=sevilla, O=AutoridadCertificadoraGST, CN=Certificado de Autoridad AutoridadCertificadoraGST
Tue Aug 26 16:56:08 2014 10.30.113.2:2638 CRL CHECK OK: C=34, ST=Sevilla, L=sevilla, O=AutoridadCertificadoraGST, CN=JuanAntonioRodriguezGST
Tue Aug 26 16:56:08 2014 10.30.113.2:2638 VERIFY OK: depth=0, C=34, ST=Sevilla, L=sevilla, O=AutoridadCertificadoraGST, CN=JuanAntonioRodriguezGST
Unable to enable STARTTLS: Connect error
LDAP connect failed.
Tue Aug 26 16:56:08 2014 10.30.113.2:2638 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Aug 26 16:56:08 2014 10.30.113.2:2638 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Tue Aug 26 16:56:08 2014 10.30.113.2:2638 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Aug 26 16:56:08 2014 10.30.113.2:2638 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Aug 26 16:56:08 2014 10.30.113.2:2638 [JuanAntonioRodriguezGST] Peer Connection Initiated with [AF_INET]10.30.113.2:2638
Tue Aug 26 16:56:10 2014 10.30.113.2:2638 PUSH: Received control message: 'PUSH_REQUEST'
Tue Aug 26 16:56:10 2014 10.30.113.2:2638 Delayed exit in 5 seconds
Tue Aug 26 16:56:10 2014 10.30.113.2:2638 SENT CONTROL [JuanAntonioRodriguezGST]: 'AUTH_FAILED' (status=1)
Tue Aug 26 16:56:12 2014 10.30.113.2:47896 TLS: Initial packet from [AF_INET]10.30.113.2:47896, sid=44263da9 3b9518f1
Tue Aug 26 16:56:15 2014 10.30.113.2:2638 SIGTERM[soft,delayed-exit] received, client-instance exiting

jbahillo (Zentyal Staff)
« Reply #27 on: August 26, 2014, 05:02:55 pm »
Is your user called "JuanAntonioRodriguezGST"? Perhaps you could try with a shorter username?

juaniki (Zen Apprentice)
« Reply #28 on: August 26, 2014, 05:29:22 pm »
That is the name of the certificate, JuanAntonioRodriguezGST.

jbahillo (Zentyal Staff)
« Reply #29 on: August 26, 2014, 05:33:08 pm »
Then the only thing I can think of is an error in the DN. I suggest checking it with ldapsearch or similar.
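Two added helpers for the last two steps of the thread, written for this page rather than taken from it or from Zentyal: one classifies a failed attempt from the server log excerpts posted in Reply #18 and Reply #26, the other builds the ldapsearch probe suggested above so that it mirrors what openvpn-auth-ldap does when a client authenticates. "Unable to enable STARTTLS: Connect error" is OpenLDAP's LDAP_CONNECT_ERROR returned by ldap_start_tls_s; the plugin issues StartTLS right after connecting and before any bind, so at that point no DN or password has been sent yet, and the usual causes are a TLS handshake the client rejected (the DC's certificate chain is not in the TLSCACertFile/TLSCACertDir the plugin is given, or the DC has no certificate to offer on 389) or a host/port that does not answer. The probe therefore uses `-ZZ` (require StartTLS) only for an `ldap://` URL with `TLSEnable yes`, never for `ldaps://`, points ldapsearch at the same CA file through LDAPTLS_CACERT, binds with the plugin's BindDN because Active Directory refuses anonymous searches, and runs the `(sAMAccountName=%u)` lookup the plugin's SearchFilter performs. Host names, DNs, the service account and the CA path are hypothetical; the log excerpts are constructed from the lines posted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zentyal. Host names, DNs,
# the bind account and the CA file path below are hypothetical placeholders.

# Classify one connection attempt from an OpenVPN server log excerpt. Feed it
# the lines of a single attempt (the plugin's own messages carry no peer
# prefix, so cut between two "TLS: Initial packet" lines). Prints one of:
#   pam-failure           auth-pam rejected the user; LDAP was never consulted
#   ldap-connect-failure  auth-ldap could not connect or could not start TLS
#   ldap-auth-failure     auth-ldap reached the server but bind or search failed
#   ok                    the user/pass plugin returned status=0
#   unknown               none of the above
classify_auth_failure() {
    if grep -q "AUTH-PAM: BACKGROUND: user '.*' failed to authenticate" "$1"; then
        echo pam-failure
    elif grep -q -e 'Unable to enable STARTTLS' -e 'LDAP connect failed' "$1"; then
        echo ldap-connect-failure
    elif grep -q 'openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1' "$1"; then
        echo ldap-auth-failure
    elif grep -q 'PLUGIN_AUTH_USER_PASS_VERIFY status=0' "$1"; then
        echo ok
    else
        echo unknown
    fi
}

# Build the ldapsearch command that mirrors an auth-ldap.conf <LDAP> block:
# same URL, same TLS mode, same bind account, same lookup the plugin does
# for "%u". Arguments: URL, TLSEnable (yes/no), BindDN, BaseDN, username,
# TLSCACertFile. Returns 1 for a URL scheme the plugin cannot use.
ldap_probe_cmd() {
    url=$1; tls=$2; binddn=$3; base=$4; user=$5; cacert=$6
    case "$url" in
        ldaps://*)
            # The session is TLS from the first byte: StartTLS must stay off.
            if [ "$tls" = yes ]; then
                echo "warning: TLSEnable yes with an ldaps:// URL; use ldap:// for StartTLS" >&2
            fi
            tlsopt=''
            ;;
        ldap://*)
            # -ZZ issues StartTLS and aborts if it fails, like TLSEnable yes.
            if [ "$tls" = yes ]; then tlsopt='-ZZ'; else tlsopt=''; fi
            ;;
        *)
            echo "unsupported URL scheme: $url" >&2
            return 1
            ;;
    esac
    # -x simple bind, -W prompt for the bind password; LDAPTLS_CACERT makes
    # ldapsearch trust the CA file the plugin is given as TLSCACertFile.
    printf "LDAPTLS_CACERT='%s' ldapsearch -x %s -H '%s' -D '%s' -W -b '%s' '(sAMAccountName=%s)' dn\n" \
        "$cacert" "$tlsopt" "$url" "$binddn" "$base" "$user"
}

# Constructed excerpts: the PAM attempt from Reply #18 and the LDAP attempt from Reply #26.
TMP=$(mktemp -d)
cat > "$TMP/pam.log" <<'EOF'
AUTH-PAM: BACKGROUND: user 'rodrigj' failed to authenticate: Authentication failure
Fri Aug 22 13:34:51 2014 10.30.113.2:18397 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Aug 22 13:34:51 2014 10.30.113.2:18397 TLS Auth Error: Auth Username/Password verification failed for peer
EOF
cat > "$TMP/ldap.log" <<'EOF'
Unable to enable STARTTLS: Connect error
LDAP connect failed.
Tue Aug 26 16:56:08 2014 10.30.113.2:2638 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Aug 26 16:56:08 2014 10.30.113.2:2638 TLS Auth Error: Auth Username/Password verification failed for peer
EOF

classify_auth_failure "$TMP/pam.log"    # pam-failure
classify_auth_failure "$TMP/ldap.log"   # ldap-connect-failure
ldap_probe_cmd 'ldap://dc1.example.local:389' yes \
    'CN=vpnbind,CN=Users,DC=example,DC=local' 'DC=example,DC=local' rodrigj /etc/openvpn/auth/ad-ca.pem
```

Run the printed command on the OpenVPN server itself, as the same user the daemon runs as, so that it sees the same network path and the same CA file. If ldapsearch fails with its own "Connect error" the problem is at the TLS layer and no DN change will help; if the bind and search succeed but return no entry, the BaseDN or SearchFilter is what to revisit.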