
OpenVPN with LDAP over TLS (ldaps)

OpenVPN is using the openvpn-auth-ldap plugin.

I have an LDAP server (ApacheDS) running:

Open/Clear - ldap://server.example.com:10399

Encrypted - ldaps://server.example.com:10686

I can connect and authenticate without issue over clear text (unencrypted) but cannot seem to communicate with the server over TLS.

I connect to this server over TLS through various other systems (our code repo, Jenkins, etc. all authenticate over the encrypted ldaps protocol to it on port 10686), so I know the server is responding fine over TLS. It uses self-signed certs, but that hasn't been an issue so far with other services connecting to it.

Based on the log files below, it seems the TLSEnable directive triggers the STARTTLS function, which I do not want. Regardless, I've still experimented with using it.

Different configs I've tried:

WORKS: (unencrypted)

<LDAP>
        URL             ldap://server.example.com:10399
        Timeout         10
        TLSEnable       no
        FollowReferrals yes
</LDAP>

DOES NOT WORK:

<LDAP>
        URL             ldaps://server.example.com:10686
        Timeout         10
        TLSEnable       yes
        FollowReferrals yes
</LDAP>

Log:

Nov 28 18:05:47 openvpn1 ovpn-server[3282]: Unable to enable STARTTLS: Can't contact LDAP server
Nov 28 18:05:47 openvpn1 ovpn-server[3282]: LDAP connect failed.
Nov 28 18:05:47 openvpn1 ovpn-server[3282]: x.x.x.x:19939 PLUGIN_CALL: POST /etc/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Nov 28 18:05:47 openvpn1 ovpn-server[3282]: x.x.x.x:19939 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/openvpn-auth-ldap.so
Nov 28 18:05:47 openvpn1 ovpn-server[3282]: x.x.x.x:19939 TLS Auth Error: Auth Username/Password verification failed for peer
Nov 28 18:05:47 openvpn1 ovpn-server[3282]: x.x.x.x:19939 SIGTERM[soft,auth-control-exit] received, client-instance exiting

ALSO DOES NOT WORK:

<LDAP>
        URL             ldaps://server.example.com:10686
        Timeout         10
        TLSEnable       no
        FollowReferrals yes
</LDAP>

Log:

Nov 28 18:17:42 openvpn1 ovpn-server[3412]: LDAP search failed: Can't contact LDAP server ((unknown error code))
Nov 28 18:17:42 openvpn1 ovpn-server[3412]: LDAP user "myuser" was not found.
Nov 28 18:17:42 openvpn1 ovpn-server[3412]: x.x.x.x:20248 PLUGIN_CALL: POST /etc/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Nov 28 18:17:42 openvpn1 ovpn-server[3412]: x.x.x.x:20248 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/openvpn-auth-ldap.so
Nov 28 18:17:42 openvpn1 ovpn-server[3412]: x.x.x.x:20248 TLS Auth Error: Auth Username/Password verification failed for peer

ALSO DOES NOT WORK:

<LDAP>
        URL             ldap://server.example.com:10686
        Timeout         10
        TLSEnable       yes
        FollowReferrals yes
</LDAP>

Log:

Nov 28 18:02:47 openvpn1 ovpn-server[3232]: Unable to enable STARTTLS: Can't contact LDAP server
Nov 28 18:02:47 openvpn1 ovpn-server[3232]: LDAP connect failed.
Nov 28 18:02:47 openvpn1 ovpn-server[3232]: x.x.x.x:22910 PLUGIN_CALL: POST /etc/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Nov 28 18:02:47 openvpn1 ovpn-server[3232]: x.x.x.x:22910 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/openvpn-auth-ldap.so
Nov 28 18:02:47 openvpn1 ovpn-server[3232]: x.x.x.x:22910 TLS Auth Error: Auth Username/Password verification failed for peer
Nov 28 18:02:48 openvpn1 ovpn-server[3232]: x.x.x.x:22910 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384
Nov 28 18:02:48 openvpn1 ovpn-server[3232]: x.x.x.x:22910 Peer Connection Initiated with [AF_INET]108.47.9.178:22910
Nov 28 18:02:48 openvpn1 ovpn-server[3232]: x.x.x.x:22910 SIGTERM[soft,auth-control-exit] received, client-instance exiting

ALSO DOES NOT WORK:

<LDAP>
        URL             ldap://server.example.com:10686
        Timeout         10
        TLSEnable       no
        FollowReferrals yes
</LDAP>

Log:

Nov 28 18:21:07 openvpn1 ovpn-server[3462]: LDAP search failed: Can't contact LDAP server
Nov 28 18:21:07 openvpn1 ovpn-server[3462]: LDAP user "myuser" was not found.
Nov 28 18:21:07 openvpn1 ovpn-server[3462]: x.x.x.x:2946 PLUGIN_CALL: POST /etc/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Nov 28 18:21:07 openvpn1 ovpn-server[3462]: x.x.x.x:2946 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/openvpn-auth-ldap.so
Nov 28 18:21:07 openvpn1 ovpn-server[3462]: x.x.x.x:2946 TLS Auth Error: Auth Username/Password verification failed for peer
    • Isn't the port supposed to be 10399 in the example with ldap:// and TLSEnable yes? 'TLSEnable yes' is supposed to enable STARTTLS, so you connect first on port 10399 and start TLS second.
    • Thanks. This is just LDAPS; it doesn't use STARTTLS. Due to this, I believe I should be using ldaps:// and TLSEnable=no -- does that sound right? I'll attempt it as you mentioned regardless. I learned the difference between ldaps and STARTTLS through this config troubleshooting, so it's a new topic for me.
    • Appreciate the input. With that I get the same "Unable to enable STARTTLS: Connect error ((unknown error code))". I think the directive TLSEnable turns on STARTTLS, which my LDAP server doesn't use. The server has simple TLS on port 10686, which is how I have other services connected to it.
    • You should be able to enable STARTTLS on ApacheDS; actually it's more favorable, as ldaps is being deprecated. It's probably in the advanced LDAP/LDAPS configuration.
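The thread boils down to one rule: `TLSEnable yes` makes the plugin open a plaintext LDAP session and then request STARTTLS, while an `ldaps://` URL performs the TLS handshake at connect time, so the two must not be combined and each must be pointed at the listener that speaks that protocol. The script below is an added example, not code from the original post or from the openvpn-auth-ldap project: it parses an `<LDAP>` block, classifies the scheme/port/TLSEnable combination, and explains why each of the four configurations in the question behaves as it does. The mapping of port 10399 to plaintext and 10686 to implicit TLS is taken from the question and is an assumption of the script; the `TLSCACertFile` mention in one explanation assumes the plugin build in use supports that directive.

```python
"""
Added example (not from the original post or the openvpn-auth-ldap project):
offline checker for the URL scheme / TLSEnable combination in an
openvpn-auth-ldap <LDAP> block.  Rule modelled from the thread:
  TLSEnable yes  -> plaintext connect, then STARTTLS upgrade
  ldaps://       -> TLS handshake at connect time (implicit TLS)
"""
import re
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import urlsplit

# Assumption taken from the question: which listener speaks which protocol.
PORT_ROLES = {10399: "plaintext", 10686: "implicit-tls"}
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # standard LDAP / LDAPS ports


@dataclass
class LdapSection:
    url: str
    tls_enable: bool


def parse_ldap_section(text: str) -> LdapSection:
    """Extract URL and TLSEnable from the <LDAP> ... </LDAP> block."""
    m = re.search(r"<LDAP>(.*?)</LDAP>", text, re.S | re.I)
    if not m:
        raise ValueError("no <LDAP> section found")
    directives = {}
    for raw in m.group(1).splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)          # "Key   value" -> key, value
        if len(parts) != 2:
            raise ValueError(f"malformed directive: {raw!r}")
        directives[parts[0].lower()] = parts[1].strip()
    if "url" not in directives:
        raise ValueError("URL directive missing")
    tls = directives.get("tlsenable", "no").lower() in ("yes", "true", "1")
    return LdapSection(url=directives["url"], tls_enable=tls)


def classify(section: LdapSection) -> Tuple[str, str]:
    """Return (mode, explanation) for the scheme/port/TLSEnable combination."""
    parts = urlsplit(section.url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return "bad-scheme", f"unsupported URL scheme {scheme!r}"
    port = parts.port or DEFAULT_PORTS[scheme]
    role = PORT_ROLES.get(port)
    if role is None:
        return "unknown-port", f"port {port} is not in the assumed port map"

    if scheme == "ldaps":
        if role == "plaintext":
            return "plain-port-tls", f"ldaps:// sends a TLS ClientHello to plaintext port {port}"
        if section.tls_enable:
            return "ldaps+starttls", (
                "TLSEnable yes requests STARTTLS on a session that is already TLS "
                "('Unable to enable STARTTLS' in the log); use TLSEnable no with ldaps://")
        return "ldaps", (
            "consistent: implicit TLS at connect time; if it still fails with "
            "'Can't contact LDAP server', check that the client trusts the server's "
            "self-signed certificate (e.g. the plugin's TLSCACertFile directive)")

    # scheme == "ldap": plaintext session, optionally upgraded with STARTTLS
    if role == "implicit-tls":
        return "tls-port-plain", (
            f"ldap:// opens a plaintext session on port {port}, which expects a TLS "
            "handshake first; neither plain LDAP nor STARTTLS gets through")
    if section.tls_enable:
        return "starttls", "plaintext connect then STARTTLS upgrade; the server must offer it on this port"
    return "plaintext", "works, but credentials and directory data cross the network unencrypted"


def check_config(text: str) -> str:
    """Parse a config block and return only the mode name."""
    return classify(parse_ldap_section(text))[0]


# Constructed inputs mirroring the four blocks in the question.
CONFIGS = {
    "works (unencrypted)":   "<LDAP>\n URL ldap://server.example.com:10399\n TLSEnable no\n</LDAP>",
    "ldaps + TLSEnable yes": "<LDAP>\n URL ldaps://server.example.com:10686\n TLSEnable yes\n</LDAP>",
    "ldaps + TLSEnable no":  "<LDAP>\n URL ldaps://server.example.com:10686\n TLSEnable no\n</LDAP>",
    "ldap on TLS port":      "<LDAP>\n URL ldap://server.example.com:10686\n TLSEnable yes\n</LDAP>",
}

if __name__ == "__main__":
    for label, cfg in CONFIGS.items():
        mode, why = classify(parse_ldap_section(cfg))
        print(f"{label:22s} -> {mode:15s} {why}")
```

Run it and the only configuration it reports as consistent for an encrypted bind is `ldaps://` on 10686 with `TLSEnable no`; the remaining failure mode for that combination is certificate trust, which should be fixed by making the server's CA known to the client rather than by falling back to the unencrypted listener.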
