cannot make it working with google workspace #87

Open
ut0mt8 opened this issue Feb 16, 2022 · 7 comments

Comments


ut0mt8 commented Feb 16, 2022

Hi there,

I followed the configuration here: https://support.google.com/a/answer/9089736?hl=en#zippy=%2Copenldap-ldapsearch-linux%2Copenvpn-community-version

My conf is:

```
<LDAP>
        URL     ldaps://ldap.google.com:636
        Timeout         15
        TLSEnable  no
        FollowReferrals yes
        TLSCACertDir    /etc/ssl/certs
        TLSCertFile /etc/openvpn/keys/ldap-client.crt
        TLSKeyFile /etc/openvpn/keys/ldap-client.key
</LDAP>

<Authorization>
      BaseDN "dc=mycorp,dc=com"
      SearchFilter "(uid=%u)"
      RequireGroup false
</Authorization>
```

With the plugin configured in OpenVPN I get a common error:

```
LDAP search failed: Can't contact LDAP server ((unknown error code))
```

Though using ldapsearch it worked well.
I ended up using a shell script like this, but this is not very satisfying:

```bash
#!/bin/bash
# Used with OpenVPN's "auth-user-pass-verify <script> via-file": $1 is a
# temporary file holding the username on line 1 and the password on line 2.

# Same TLS settings the plugin could not apply: disable TLS 1.3 and present
# the Google Secure LDAP client certificate.
export LDAPTLS_CIPHER_SUITE='NORMAL:!VERS-TLS1.3'
export LDAPTLS_CERT=/etc/openvpn/keys/ldap-client.crt
export LDAPTLS_KEY=/etc/openvpn/keys/ldap-client.key

readarray -t lines < "$1"

name=${lines[0]}
pass=${lines[1]}

base='dc=corp,dc=com'
host='ldaps://ldap.google.com'

# Resolve the user's DN with the client certificate, then verify the
# password by binding as that DN.
dn=$(ldapsearch -LLL -H "$host" -b "$base" "(&(objectclass=posixAccount)(uid=$name))" dn 2>/dev/null | grep '^dn:' | sed 's/^dn: //')

# Never attempt the bind with an empty DN: "-D '' -w <pass>" would be an
# anonymous/unauthenticated bind rather than a check of this user's password.
if [ -z "$dn" ]; then
  echo "ko"
  exit 1
fi

ldapsearch -LLL -x -D "$dn" -w "$pass" -H "$host" -b "$base" -s sub "(uid=$name)" mail > /dev/null 2>&1

if [ "$?" = "0" ]; then
  echo "ok"
  exit 0
else
  echo "ko"
  exit 1
fi
```
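As an added example (my code, not from the issue or from openvpn-auth-ldap), a safer equivalent of the via-file script above, assuming the same host, base DN, certificate paths and cipher-suite workaround. Unlike the shell version it escapes the username before it enters the LDAP filter (RFC 4515), refuses ambiguous DN matches, and feeds the password to ldapsearch on stdin instead of the command line; the ldapsearch calls take an injectable runner so the logic can be exercised offline.

```python
import os
import subprocess
import sys

LDAP_HOST = "ldaps://ldap.google.com"      # values taken from the issue's script
BASE_DN = "dc=corp,dc=com"
LDAP_ENV = dict(os.environ,
                LDAPTLS_CIPHER_SUITE="NORMAL:!VERS-TLS1.3",   # the TLS 1.3 workaround
                LDAPTLS_CERT="/etc/openvpn/keys/ldap-client.crt",
                LDAPTLS_KEY="/etc/openvpn/keys/ldap-client.key")

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in a filter value, so a username
    such as 'a)(uid=*' cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def read_via_file(text):
    """OpenVPN 'via-file' layout: username on line 1, password on line 2."""
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0].strip():
        raise ValueError("expected username on line 1 and password on line 2")
    return lines[0], lines[1]

def build_user_filter(username):
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(username)

def lookup_dn(username, run=subprocess.run):
    """Client-certificate search for the user's DN (same flags as the issue's
    script); refuse to proceed unless exactly one entry matches."""
    cmd = ["ldapsearch", "-LLL", "-H", LDAP_HOST, "-b", BASE_DN,
           build_user_filter(username), "dn"]
    out = run(cmd, env=LDAP_ENV, capture_output=True, text=True).stdout
    dns = [l[4:] for l in out.splitlines() if l.startswith("dn: ")]
    return dns[0] if len(dns) == 1 else None

def bind_ok(dn, password, run=subprocess.run):
    """Simple bind as the resolved DN. The password is fed on stdin via -y so it
    never appears in the process list (Linux /dev/stdin; my choice, not the issue's)."""
    cmd = ["ldapsearch", "-LLL", "-x", "-H", LDAP_HOST, "-D", dn, "-y", "/dev/stdin",
           "-b", dn, "-s", "base", "(objectClass=*)", "dn"]
    return run(cmd, input=password, env=LDAP_ENV, capture_output=True, text=True).returncode == 0

def main(via_file):
    with open(via_file) as fh:
        user, password = read_via_file(fh.read())
    dn = lookup_dn(user)
    sys.exit(0 if dn and bind_ok(dn, password) else 1)

if __name__ == "__main__":
    main(sys.argv[1])
```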

ut0mt8 commented Feb 21, 2022

Replying to myself:

Adding `TLS_CIPHER_SUITE NORMAL:!VERS-TLS1.3` to ldap.conf works.

@luckyswede

Hi, I have the exact same error. Do you mean that setting
TLSCipherSuite NORMAL:!VERS-TLS1.3
in the LDAP section of ldap.conf works for you?
That doesn't work for me.


ut0mt8 commented Feb 24, 2022

@luckyswede yes, it works on Debian 10.

The exact line is:

```
TLS_CIPHER_SUITE        NORMAL:!VERS-TLS1.3
```


ut0mt8 commented Feb 24, 2022

If not, you can use my script, which does pretty much the same thing ;)

@luckyswede

Ok thanks. That's weird: openvpn-auth-ldap complains when starting up because it cannot parse the TLS_CIPHER_SUITE config entry, so I had to change it to TLSCipherSuite. But that ain't working :(
I'm on Alpine though, using an updated version of https://github.com/kylemanna/docker-openvpn/blob/master/Dockerfile

@luckyswede

I was able to get it working using stunnel as a proxy (ref: https://support.google.com/a/answer/9089736?hl=en#stunnel&zippy=%2Copenvpn-community-version) and configuring LDAP to use stunnel instead of accessing Google LDAP directly.

@ismail-oc

> Ok thanks. That's weird: openvpn-auth-ldap complains when starting up because it cannot parse the TLS_CIPHER_SUITE config entry, so I had to change it to TLSCipherSuite. But that ain't working :( I'm on Alpine though, using an updated version of https://github.com/kylemanna/docker-openvpn/blob/master/Dockerfile

Hi, referring to the documentation, the variable is TLSCipherSuite; it works for me.
