LDAP authentication has always failed #71
Comments
Can I assume you're appending your MFA code to the end of the password? You'll need to get a shell in the existing container:

`ENABLE_OTP=false`

Okay, I'll give it a try.
@wheelybird the log is as follows:

```
root@08f8c0a8fa1f:/# pamtester openvpn larry authenticate
```

Can you tell what the problem is there? Thank you so much ~

Hmm. The initial lookup finds your account. However, the attempt to bind with your account/password fails. Strangely, the search has an empty value for the objectClass filter (

@wheelybird The complete log is: I tried adding a filtering parameter `-e "LDAP_FILTER=(objectClass=posixAccount)"`, but the same error message was reported.

@wheelybird My parameters are: `-e "LDAP_FILTER=(objectClass=posixAccount)"`. Why did it change it to objectClass=shadowAccount for me?
Container startup command:

```bash
docker run \
  --name openvpn \
  --volume /etc/openvpn:/etc/openvpn \
  -v /etc/localtime:/etc/localtime:ro \
  --detach=true \
  --restart=always \
  -p 1194:1194/udp \
  -e "OVPN_ENABLE_COMPRESSION=false" \
  -e "OVPN_SERVER_CN=xx.214.xx.147" \
  -e "LDAP_URI=ldap://10.0.xx.xx:389" \
  -e "LDAP_BASE_DN=cn=test,ou=test,dc=help,dc=com" \
  -e "LDAP_BIND_USER_DN=cn=test,dc=help,dc=com" \
  -e "LDAP_BIND_USER_PASS=xxxxx!" \
  -e "LDAP_ENCRYPT_CONNECTION=off" \
  -e "LDAP_LOGIN_ATTRIBUTE=givenName" \
  -e "OVPN_NETWORK=192.168.100.0 255.255.255.0" \
  -e "OVPN_ROUTES=10.0.0.0 255.255.0.0" \
  -e "OVPN_DNS_SERVERS=10.0.0.2" \
  -e "OVPN_IDLE_TIMEOUT=36000" \
  -e "ENABLE_OTP=true" \
  -e "FAIL2BAN_ENABLED=true" \
  -e "FAIL2BAN_MAXRETRIES=20" \
  -e "REGENERATE_CERTS=false" \
  --cap-add=NET_ADMIN \
  wheelybird/openvpn-ldap-otp:latest
```
I logged in using the givenName attribute of an LDAP user, but it kept reporting an error message as follows:

```
2023-06-30 06:13:23 PLUGIN AUTH-PAM: BACKGROUND: user 'larry' failed to authenticate: Authentication failure
2023-06-30 06:13:23 203.12.203.3:52774 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2023-06-30 06:13:23 203.12.203.3:52774 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
2023-06-30 06:13:23 203.12.203.3:52774 TLS Auth Error: Auth Username/Password verification failed for peer
2023-06-30 06:13:23 203.12.203.3:52774 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-06-30 06:13:23 203.12.203.3:52774 TLS: tls_multi_process: initial untrusted session promoted to semi-trusted
2023-06-30 06:13:23 203.12.203.3:52774 Delayed exit in 5 seconds
2023-06-30 06:13:23 203.12.203.3:52774 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
2023-06-30 06:13:24 203.12.203.3:52774 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
2023-06-30 06:13:24 203.12.203.3:52774 Peer Connection Initiated with [AF_INET]203.12.203.3:52774
2023-06-30 06:13:26 read UDPv4 [ECONNREFUSED]: Connection refused (fd=6,code=111)
2023-06-30 06:13:28 203.12.203.3:52774 SIGTERM[soft,delayed-exit] received, client-instance exiting
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_VER=2.5.9
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_PLAT=mac
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_PROTO=6
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_NCP=2
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_LZ4=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_LZ4v2=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_LZO=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_COMP_STUB=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_COMP_STUBv2=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_TCPNL=1
2023-06-30 06:15:20 203.12.203.3:57144 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5777_3.8.8b__build_5777)"
```

But I have configured the login user as givenName on the Grafana, Jumpserver, and Self Service Password systems. With the same username and password, I can successfully log in. This proves that the LDAP username and password are correct. May I ask where the problem is?
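The thread boils down to three places where the login can fail: the lookup (login attribute, base DN and `LDAP_FILTER`), the bind with the found DN and password, and, with `ENABLE_OTP=true`, the code appended to the password. The following is an added example written for this page; it is not code from the thread or from the openvpn-ldap-otp image, and it models that sequence against a constructed in-memory directory instead of a real server. It assumes (neither is shown on the page) that the PAM lookup ANDs `(LDAP_LOGIN_ATTRIBUTE=<user>)` with `LDAP_FILTER` when one is set, and that with OTP enabled the client sends the password with a 6-digit code appended. It also shows why a login name must be filter-escaped before it is interpolated into the search. The real check inside the container remains the `pamtester openvpn larry authenticate` command from the thread; this block only makes each failure point distinguishable.

```python
"""Simulated LDAP search-then-bind login, as a PAM LDAP module performs it.

Constructed stand-in directory and simplified filter evaluation; nothing here
is taken from the openvpn-ldap-otp image.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample directory: DN -> attributes (keys lowercased, values as lists).
DIRECTORY = {
    "uid=larry,cn=test,ou=test,dc=help,dc=com": {
        "objectclass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
        "uid": ["larry"],
        "givenname": ["larry"],
        "userpassword": ["s3cret"],
    },
    "uid=mary,cn=test,ou=test,dc=help,dc=com": {
        "objectclass": ["inetOrgPerson"],   # no posixAccount: dropped by LDAP_FILTER
        "uid": ["mary"],
        "givenname": ["mary"],
        "userpassword": ["hunter2"],
    },
}
BASE_DN = "cn=test,ou=test,dc=help,dc=com"   # the LDAP_BASE_DN used in the thread

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login such as 'larry)(uid=*' must not rewrite the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(login_attr: str, username: str, extra: Optional[str]) -> str:
    """Assumption: the module ANDs (LOGIN_ATTRIBUTE=user) with LDAP_FILTER when set."""
    clause = f"({login_attr}={escape_filter_value(username)})"
    return f"(&{clause}{extra})" if extra else clause


_ITEM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(base_dn: str, ldap_filter: str) -> List[str]:
    """Return DNs under base_dn matching every (attr=value) item of an AND filter.
    Values compare case-insensitively, as caseIgnoreMatch attributes do."""
    items = _ITEM.findall(ldap_filter)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        if all(_unescape(val).lower() in [v.lower() for v in attrs.get(attr.lower(), [])]
               for attr, val in items):
            hits.append(dn)
    return hits


def bind(dn: str, password: str) -> bool:
    """Simple bind as the found DN: the step that fails in the thread's log."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry["userpassword"]


def split_otp(secret: str, otp_enabled: bool, otp_len: int = 6) -> Tuple[Optional[str], Optional[str]]:
    """With ENABLE_OTP=true the client sends <password><code> in one field (assumption:
    a 6-digit code appended to the password). With OTP off the whole field is the password."""
    if not otp_enabled:
        return secret, None
    if len(secret) <= otp_len or not secret[-otp_len:].isdigit():
        return None, None
    return secret[:-otp_len], secret[-otp_len:]


def authenticate(username: str, secret: str, *, login_attr: str = "givenName",
                 ldap_filter: Optional[str] = None, otp_enabled: bool = False,
                 valid_otp: Optional[str] = None, base_dn: str = BASE_DN) -> str:
    """Search, then bind, then (optionally) check the OTP; each failure point is named
    so one input can be traced to a lookup, password or OTP problem."""
    password, code = split_otp(secret, otp_enabled)
    if password is None:
        return "otp-format"          # password sent alone while OTP is enabled
    hits = search(base_dn, build_filter(login_attr, username, ldap_filter))
    if not hits:
        return "no-entry"            # wrong login attribute, base DN or filter
    if len(hits) > 1:
        return "ambiguous"           # login attribute not unique under base DN
    if not bind(hits[0], password):
        return "bind-failed"         # the "Authentication failure" in the thread
    if otp_enabled and code != valid_otp:
        return "otp-wrong"
    return "ok"


if __name__ == "__main__":
    print(authenticate("larry", "s3cret", ldap_filter="(objectClass=posixAccount)"))
    print(authenticate("larry", "s3cret", otp_enabled=True))   # OTP on, code missing
```

Two of the cases are the ones the thread circles around: with OTP enabled, sending the bare password is rejected before any LDAP traffic happens, and a filter such as `(objectClass=)` with an empty value matches no entry in this simulation, so the failure surfaces as a lookup miss rather than a bind error. The escaping function is the check a practitioner would add regardless of the module in use, since an unescaped login name is interpolated straight into the search filter.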