ldaps (TLS) with self signed certificate #65
Comments
I have a similar problem; I have just added it to the comments of issue 30.
I was able to get this plugin working with a self-signed certificate by doing the following:
I noticed with a strace of the openvpn pid that the plugin was reading /etc/ldap/ldap.conf and ldaprc, so I initially set 'TLS_REQCERT' to 'allow' within both, but the plugin ignored it. Then I found the "Always require a valid certificate" definition within the source files.
I followed the instructions. I made the adjustment in the makefile, recompiled the plugin and restarted openvpn. Sadly, when I tried again, I got the same error: "LDAP bind failed immediately: Can't contact LDAP Server. Unable to bind as user@mydomain.com". I am running plugin version 2.0.4. It works with the same credentials using unencrypted LDAP.
I found a simpler workaround that does not require a code change to lower the TLS requirement. In a nutshell: one needs to add the CA cert to the system's truststore. (In CentOS 8 I did this by copying it in PEM format to /etc/pki/ca-trust/source/anchors/, and then ran the "update-ca-trust" command.) It looks like the plugin ignores the "TLSCACertFile" config setting, but as long as it's in the system's truststore it should work. If this is not sufficient to fix your connection issue, the good news is that once this is out of the way the plugin will be more verbose about the reason (in the openvpn logfile). Other issues that I also needed to fix were "EE certificate key too weak" (fixed by issuing a new cert for the AD server, signed with a 2048-bit key this time*), and "hostname does not match peer certificate" (fixed by entering in the plugin's URL setting the exact same hostname present in the cert).

* The "weak key" issue can also be worked around by lowering the TLS security level. Here's a config line that worked for me to connect to an AD server signed with a 1024-bit key, though I wouldn't recommend it if you can use a stronger key instead:

After an entire afternoon of searching and testing, I finally made this #77 work by applying the patch by @k0ste. Thanks, and it's now a great plugin with your work!
I used REDHAT 7 and successfully moved the compiled lib to RHEL8. On RHEL8 I cannot compile it (issues with objC).

Steps to recompile the lib with the patch:

```
git clone https://github.com/guywyers/openvpn-auth-ldap
# Install packages
# install re2c package
```

Apply patch #77:

```
git clone https://github.com/k0ste/openvpn-auth-ldap-rfc2307
```

Enter the names manually for the files to be patched when asked, i.e. src/TRAuthLDAPConfig.h etc.

Install openvpn-auth-ldap:

```
./regen.sh
make
```

The compiled lib is in src/ (plugin location).

I can successfully connect with the config above (URL ldaps://ldap.example.com) without specifying cert options. The DC must have a correct cert for the FQDN: ldap.example.com. For example, it is possible to generate a cert and import it with the following commands:

```
openssl genrsa -out dc1.key 2048
openssl req -new
openssl x509 -req -in dc1.csr -CA /etc/openvpn/keys/easyrsa/pki/ca.crt -CAkey /etc/openvpn/keys/easyrsa/pki/private/ca.key -CAcreateserial -out dc1.crt -days 720 -sha256
openssl verify -CAfile /etc/openvpn/keys/easyrsa/pki/ca.crt /etc/openvpn/auth/12/dc1.crt
```

Import dc1.pfs to the DC.
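The two comments above boil down to one requirement: the LDAP server must present a certificate that chains to a CA the client trusts, has a key the client's TLS security level accepts (2048-bit RSA, not 1024), and carries the exact hostname used in the plugin's URL. The script below is an added example, not code from the openvpn-auth-ldap project or from either commenter; it issues such a certificate from a throwaway test CA (standing in for the easyrsa CA in the thread) and then checks chain, hostname and key size the way a TLS client would, before anyone imports the cert to a DC. It assumes OpenSSL 1.1 or later; `WORKDIR`, the CA name and `ldap.example.com` are placeholders.

```shell
#!/bin/sh
# Added example: issue a 2048-bit server cert for the DC's FQDN from a local
# test CA, then verify it the way an LDAPS client does (chain + hostname).
# Assumes openssl >= 1.1 on PATH. All paths/names below are placeholders.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a throwaway CA (stands in for the easyrsa ca.crt/ca.key in the thread).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue a server cert for FQDN $1. The subjectAltName matters: modern clients
# match the URL hostname against SAN entries, not only the CN, so a cert
# without it triggers "hostname does not match peer certificate".
make_server_cert() {
    fqdn="$1"
    openssl genrsa -out "$WORKDIR/$fqdn.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$fqdn.key" -subj "/CN=$fqdn" \
        -out "$WORKDIR/$fqdn.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" \
        > "$WORKDIR/$fqdn.ext"
    openssl x509 -req -in "$WORKDIR/$fqdn.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -days 720 -sha256 -extfile "$WORKDIR/$fqdn.ext" \
        -out "$WORKDIR/$fqdn.crt" 2>/dev/null
}

# Verify cert $1 chains to the test CA and is valid for hostname $2.
# Returns non-zero on a chain failure or hostname mismatch, i.e. exactly the
# two conditions the plugin would otherwise report as a failed bind.
check_cert() {
    openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$2" "$1" \
        >/dev/null 2>&1
}

# Return 0 if private key $1 is at least 2048 bits; a 1024-bit key fails the
# default security level with "EE certificate key too weak".
check_key_size() {
    bits=$(openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ]
}

# Stand-alone run: build and check a cert for the thread's example FQDN.
if [ "${0##*/}" != "sh" ] && [ -z "$NO_MAIN" ]; then
    fqdn="ldap.example.com"
    make_ca
    make_server_cert "$fqdn"
    check_cert "$WORKDIR/$fqdn.crt" "$fqdn" && echo "chain+hostname OK"
    check_key_size "$WORKDIR/$fqdn.key" && echo "key size OK"
    echo "artifacts in $WORKDIR"
fi
```

Run it as-is to get `ca.crt`, `ldap.example.com.key` and `ldap.example.com.crt` in a temp directory; the same `check_cert` call, pointed at the real easyrsa `ca.crt` and the cert you are about to import, tells you before touching the DC whether the hostname in the plugin's `URL` setting will match.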
I have an LDAP server (ApacheDS) running:
I connect to this server through various other systems (our code repo, jenkins, etc. all authenticate to it over the encrypted ldaps protocol on port 10686), so I know the server is responding fine over TLS. It uses self-signed certs, but that hasn't been an issue so far with other services connecting to it.
My openvpn logs don't give me much other than generic logging:
Different configs I've tried:
WORKS: (unencrypted)
DOES NOT WORK:
ALSO DOES NOT WORK:
ALSO DOES NOT WORK:
ALSO DOES NOT WORK: