
standalone - ubuntu 18.04 - ldap error and config issue? #164

Open
loquanet opened this issue Jun 12, 2023 · 3 comments
loquanet commented Jun 12, 2023

GO: go version go1.20.2 linux/amd64

Ran:
go run main.go -config config.yml ./wg-portal-amd64

Goal:

  1. Use AD as user authenticated wireguard.
  2. portal to download user configs for vpn, found there's no "tie/correlation" between a specific user and a peer in the wg0.conf of wireguard. I only see if a user is connected then as admin user in wg-portal I can download the config.
  3. How does a wg-portal non-admin user get a wireguard peer config to be assigned/associated with that user?
  4. How exactly does your go app make each peer in wg0.conf know what each user config is when there's no allowed attributes or user=exampleuser or id=exampleuser, is invalid and will break wireguard wg0.conf!?

Error:
failed to bind user: LDAP Result Code 49 "Invalid Credentials": 80090308:
(The credentials are confirmed correct username and password perfectly)

Issue:

  1. Useless, edited the configuration.go but the app main.go didn't even read the configuration.go file.
  2. Workaround, I had to create a config.yml and place it in the same directory as main.go and figure out how to run the app since your documentation is only docker based and there is no standalone documentation. Also doesn't include how to run the app on boot as a service or included as needed.

Questions:

  1. What is the exact example of a binduser correct syntax to login to AD server? Is the below correct? The below is nuts and isn't a username. Why isn't the configuration.go being used by your app?
    LdapErr:cfg.LDAP.BindUser = "company\\ldap_wireguard"
  2. In config.yml, what does manageIPAddresses: true, actually manage the wg0 interface IP?
  3. Why isn't the configuration.go being applied, seems ignored? Why would I need both config.yml and configuration.go if they overlap config. When I don't include go run main.go config.yml I get an error that no config.yml is found.
  4. the wg-portal doesn't show users/tunnels/user-configs at all. Only shows when they are currently connected?

configuration.go:
cfg.LDAP.URL = "ldap://hla-dc2-hv.hlp.local:389"
cfg.LDAP.BaseDN = "DC=HLP,DC=LOCAL"
cfg.LDAP.StartTLS = true
//cfg.LDAP.BindUser = "company\\ldap_wireguard"
cfg.LDAP.BindUser = "admin@hlp.local"
cfg.LDAP.BindPass = "theuserpassword"
cfg.LDAP.EmailAttribute = "mail"
cfg.LDAP.FirstNameAttribute = "givenName"
cfg.LDAP.LastNameAttribute = "sn"
cfg.LDAP.PhoneAttribute = "telephoneNumber"
cfg.LDAP.GroupMemberAttribute = "memberOf"
cfg.LDAP.AdminLdapGroup = "CN=wgadmins,OU=Security Groups,OU=Mybusiness,DC=hlp,DC=LOCAL"
cfg.LDAP.LoginFilter = "(&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2))"
cfg.LDAP.SyncFilter = "(&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))"
cfg.LDAP.SyncGroupFilter = ""

config.yml
core:
  listeningAddress: :8123
  externalUrl: https://wg.hlp.local
  adminUser: admin@wg.local
  adminPass: admin
  editableKeys: true
  createDefaultPeer: false
  ldapEnabled: false
  mailFrom: WireGuard VPN noreply@hlplanning.com
ldap:
  url: ldap://192.168.6.211:389
  dn: DC=hlp,DC=local
  startTLS: false
  certcheck: false
  user: admin@hlp.local
  pass: therealpasswordexample
  adminGroup: CN=wgadmins,OU=Security Groups,OU=Mybusiness,DC=hlplanning,DC=LOCAL
database:
  typ: sqlite
  database: data/wg_portal.db
email:
  host: smtp.gmail.com
  port: 587
  tls: true
  user: test@gmail.com
  pass: topsecret
wg:
  devices:
    - wg0
  defaultDevice: wg0
  configDirectory: /etc/wireguard
  manageIPAddresses: true

@loquanet loquanet changed the title standalone - ubuntu 18.04 - make test fails too many errors standalone - ubuntu 18.04 - ldap error and config issue? Jun 13, 2023
@philippderdiedas (Contributor)

Regarding your questions, where does it say that it uses a configuration.go?
You should either use environment variables or a config.yml (or specify another file using CONFIG_FILE env. variable)

The LDAP bind user can be in the form of
user@domain or an LDAP bind dn like CN=User Name,CN=Users,DC=dom,DC=ai,DC=n.

You also supplied the wrong value ldapEnabled: false, it should be true.
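An added example, not code from wg-portal or from either participant, that covers two things discussed in this thread: the bind-user forms named in the comment above (user@domain or a bind DN, with the DOMAIN\user form from the issue shown for contrast), and the "LDAP Result Code 49 ... 80090308:" error from the original post. Active Directory appends a "data NNN" field to that 80090308 diagnostic that says why the bind was refused; the message in the issue is cut off before it, so the decoder below treats a missing field as "truncated, get the full error" rather than guessing. The two sample diagnostics are constructed, and the DSID and version fields in them are placeholders; the mapping of data codes to meanings is the standard AD one.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// BindUserForm is the syntactic shape of the value given as the LDAP bind user.
type BindUserForm int

const (
	FormUnknown   BindUserForm = iota
	FormUPN                    // user@domain (userPrincipalName)
	FormDN                     // CN=User Name,CN=Users,DC=dom,DC=ai,DC=n
	FormDownLevel              // DOMAIN\user (pre-Windows 2000 logon name)
)

func (f BindUserForm) String() string {
	switch f {
	case FormUPN:
		return "user@domain (UPN)"
	case FormDN:
		return "distinguished name"
	case FormDownLevel:
		return "DOMAIN\\user (down-level logon name)"
	}
	return "unrecognised"
}

// dnRe accepts a comma-separated list of attr=value RDNs with the attribute types
// that appear in AD bind DNs (attribute types are matched case-insensitively).
var dnRe = regexp.MustCompile(`(?i)^(CN|OU|DC|UID|O)=[^,]+(,\s*(CN|OU|DC|UID|O)=[^,]+)*$`)

// ClassifyBindUser reports which of the three common AD bind-name forms a string has.
func ClassifyBindUser(s string) BindUserForm {
	s = strings.TrimSpace(s)
	switch {
	case dnRe.MatchString(s):
		return FormDN
	case strings.Count(s, "@") == 1 && !strings.ContainsAny(s, `\ ,=`):
		return FormUPN
	case strings.Count(s, `\`) == 1 && !strings.ContainsAny(s, "@ ,="):
		return FormDownLevel
	}
	return FormUnknown
}

// adDataRe picks the "data NNN" field out of an AD AcceptSecurityContext diagnostic.
var adDataRe = regexp.MustCompile(`\bdata ([0-9a-fA-F]+)`)

// adDataCodes maps the AD-specific data codes that accompany result code 49 to their meaning.
var adDataCodes = map[string]string{
	"525": "user not found",
	"52e": "invalid credentials",
	"530": "not permitted to log on at this time",
	"531": "not permitted to log on at this workstation",
	"532": "password expired",
	"533": "account disabled",
	"701": "account expired",
	"773": "user must reset password",
	"775": "account locked out",
}

// DecodeADBindError returns the AD data code and its meaning from a bind error message.
// ok is false when the message is not an AD 80090308 diagnostic, when the "data" field is
// missing (the message was truncated, as in the issue above), or when the code is unknown.
func DecodeADBindError(msg string) (code, meaning string, ok bool) {
	if !strings.Contains(msg, "80090308") {
		return "", "not an AD AcceptSecurityContext diagnostic", false
	}
	m := adDataRe.FindStringSubmatch(msg)
	if m == nil {
		return "", "diagnostic truncated: no 'data NNN' field, re-run with the full error output", false
	}
	code = strings.ToLower(m[1])
	meaning, known := adDataCodes[code]
	if !known {
		return code, "unknown AD data code", false
	}
	return code, meaning, true
}

func main() {
	for _, u := range []string{"admin@hlp.local", "CN=User Name,CN=Users,DC=dom,DC=ai,DC=n", `company\ldap_wireguard`, "admin"} {
		fmt.Printf("%-45q -> %s\n", u, ClassifyBindUser(u))
	}
	// Constructed sample diagnostics; DSID and version fields are placeholders.
	samples := []string{
		`failed to bind user: LDAP Result Code 49 "Invalid Credentials": 80090308:`, // truncated, as in the issue
		`failed to bind user: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 52e, vXXXX`,
		`failed to bind user: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data 775, vXXXX`,
	}
	for _, s := range samples {
		code, meaning, ok := DecodeADBindError(s)
		fmt.Printf("ok=%-5v code=%-4s %s\n", ok, code, meaning)
	}
}
```

The point of the decoder is that "Invalid Credentials" on its own does not distinguish a wrong password from a locked, disabled or expired bind account; the data code does, so keep the full error line when reporting a bind failure.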


philippderdiedas commented Jul 2, 2023

It is also worth mentioning that you can vertically scroll in the readme (because GitHub sucks) and then see the description column under configuration options


philippderdiedas commented Jul 2, 2023

and a systemd unit file is linked here.
You could remove the line EnvironmentFile and replace it with Environment="CONFIG_FILE=/path/to/config".

If you set up your wireguard interface using a wg-quick service you can replace After=... with After=wg-quick@wg0.service
assuming wg0 is your desired interface.
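A unit file put together from the advice in the comment above, as an added example rather than the unit linked in the thread or anything shipped by wg-portal: CONFIG_FILE is set with Environment= instead of EnvironmentFile=, and the service is ordered after wg-quick@wg0.service so the wg0 interface exists before the portal starts managing it. The install path /opt/wg-portal, the binary name and the config path are assumptions; the service runs as root because the config above points configDirectory at /etc/wireguard and enables manageIPAddresses.

```ini
# /etc/systemd/system/wg-portal.service  (paths are assumptions)
[Unit]
Description=WireGuard Portal
# wg0 must be up before the portal tries to manage it (replace wg0 if you use another interface)
After=network-online.target wg-quick@wg0.service
Wants=network-online.target

[Service]
Type=simple
WorkingDirectory=/opt/wg-portal
# Instead of EnvironmentFile=, point the portal directly at its config.yml
Environment="CONFIG_FILE=/opt/wg-portal/config.yml"
ExecStart=/opt/wg-portal/wg-portal-amd64
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
```

After writing the file: systemctl daemon-reload, then systemctl enable --now wg-portal.service, and check journalctl -u wg-portal for the LDAP bind result on start-up. Keep the unit and config.yml root-readable only, since config.yml holds the LDAP bind password and the admin password.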
