[PATCH] RFC2307 group support about openvpn-auth-ldap HOT 30 OPEN

Add:
LDAP's log
Dec  7 02:44:05 dir slapd[10536]: daemon: read active on 15
Dec  7 02:44:05 dir slapd[10536]: daemon: epoll: listen=8 active_threads=0 
tvp=zero
Dec  7 02:44:05 dir slapd[10536]: daemon: epoll: listen=9 active_threads=0 
tvp=zero
Dec  7 02:44:05 dir slapd[10536]: daemon: epoll: listen=10 active_threads=0 
tvp=zero
Dec  7 02:44:05 dir slapd[10536]: connection_get(15)
Dec  7 02:44:05 dir slapd[10536]: connection_get(15): got connid=11
Dec  7 02:44:05 dir slapd[10536]: connection_read(15): checking for input on 
id=11
Dec  7 02:44:05 dir slapd[10536]: conn=11 op=3 do_compare
Dec  7 02:44:05 dir slapd[10536]: >>> dnPrettyNormal:
<cn=Jabber,ou=groups,dc=XXX,dc=local>
Dec  7 02:44:05 dir slapd[10536]: <<< dnPrettyNormal:
<cn=Jabber,ou=groups,dc=XXX,dc=local>, <cn=jabber,ou=groups,dc=XXX,dc=local>
Dec  7 02:44:05 dir slapd[10536]: conn=11 op=3 CMP
dn="cn=Jabber,ou=groups,dc=XXX,dc=local" attr="memberUid"
Dec  7 02:44:05 dir slapd[10536]: do_compare: dn
(cn=Jabber,ou=groups,dc=XXX,dc=local) attr (memberUid) value
(cn=shin.andrey,ou=users,dc=XXX,dc=local)

I think the value should be "shin.andrey" and no
"cn=shin.andrey,ou=users,dc=XXX,dc=local"

Howdy. The plugin expects groups to be the LDAP group format used in rfc2307bis,
ActiveDirectory, OpenDirectory, etc, where the group membership is specified by
including the full DN to the user's record.

The plugin could/should be extended to support rfc2307 posix groups.

How can we expand the plug?

Here's a patch that adds rfc2307 support. Applies to 2.0.3.

-Paul

You can enable the above patch by adding "RFC2307bis true/false" to the groups
section of your config.

Thanks for the patch! I will review it shortly.

Issue 9 has been merged into this issue.

This is my solution w/o plugin

add in openvpn.conf:
auth-user-pass-verify /etc/openvpn/auth-ldap.pl via-env

cat /etc/openvpn/auth-ldap.pl
#!/usr/bin/perl -w
use Net::LDAP;
use strict;

my $ldap;
my $result;

my $opt_uri = "dir.XXX.local";
my $opt_user = $ENV{'username'};
my $opt_passwd = $ENV{'password'};
my $opt_common = $ENV{'common_name'};
my $opt_group = "cn=VPN,ou=groups,dc=XXX,dc=local";
my $opt_binddn = "cn=".$opt_user.",ou=users,dc=XXX,dc=local";

$ldap = Net::LDAP->new($opt_uri) or die("connect $opt_uri failed!");

$result = $ldap->bind($opt_binddn, password=>$opt_passwd);
$result->code and die($result->error);
$result = $ldap->search(base=>$opt_group, filter=>"(&(memberUid=$opt_user))");
$result->code();
if ($result->count == 1) { exit 0; }
unless($result->count){ exit 1; }

Issue 15 has been merged into this issue.

I tested the patch in a dev scenario, and it appears to be working well so far.
Thanks plrca2.
:)

I was having to use openldap-pam and nss_ldap to get group comparisons working. 
This
is much better, as I don't really want to 'pollute' the system login with ldap 
data
(it is just a vpn endpoint, and shouldn't have shell users logging in).

how do i aply the patch

i have installed openvpn-auth-ldap-2.0.3-3.el5.i386 from el repo on centos

the plugin works fine if I set RequireGroup to false.

If if set RequireGroup to true then it stops working

so the problem is in the authorization part of groups

please see a copy of my config

<Authorization>
        # Base DN
        BaseDN          "dc=example,dc=com"

        # User Search Filter
        SearchFilter    "uid=%u"

        # Require Group Membership
        RequireGroup    true

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "ou=Groups,dc=example,dc=com"
                SearchFilter    "cn=test"
                MemberAttribute uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>


i'm using openldap for this.

could you please confirm that this is duable?

if so could anyone help? please 

Hi!

Has the patch been accepted?
Will there be a new release with this patch applied?

Regards.

[deleted comment]

I have built a RPM for RHEL/CentOS 5 x86_64 with the rfc2307 patch(see comment 
#4) applied. 

Also, a source rpm is provided. you are build it for other platform.

Many thanks to Paul for this patch.

Why this patch is still pending? Many other project has similiar switch.

Take a look at AuthLdapGroupAttributeIsDN in mod_authnz_ldap for apache:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapgroupattribute
isdn

we are affected by this too and have to go back to using pam_ldap instead. we 
will be watching this space ;-)

[deleted comment]

This is old but it needs some resurrection as it has driven me to the brink of 
insanity.  After installing the patched version via the RPM that Paul built 
(thanks) there are still issues with the MemberAttribute type.  Here is my 
bob.local OpenVPN Group config:


<Authorization>
        # Base DN
        BaseDN          "ou=People,dc=bob,dc=local"

        # User Search Filter
        SearchFilter    "(&(uid=%u))"
        #(accountStatus=active))"

        # Require Group Membership
        RequireGroup    true

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                # Match full user DN if true, uid only if false
                RFC2307bis      true

                BaseDN          "ou=Groups,dc=bob,dc=local"
                SearchFilter    "(|(cn=vpn))"
                MemberAttribute  uniqueMember #What ACTUAL attribute goes here??!?!?
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>

With that the connection binds find, finds the user in the vpn group and 
returns only 1 entry, but bails out on the MemberAttribute.  In the LDAP logs 
it shows err=16: "slapd[2783]: conn=3504 op=3 RESULT tag=111"  The OpenLdap 
admin manual says that this is a "noSuchAttribute (16) -- Indicates that the 
named entry does not contain the specified attribute or attribute value."  I 
tried looking up attributes for the group but when I tried something like 
gid=1013, it still errored out.  This is Centos 5.8 OpenVPN 2.2.2-1.  Can 
anyone help/clarify this?

Hi, I just instal my vpn server abd ofund this issue I have:

openvpn-auth-ldap-2.0.3-6.el6.x86_64
openvpn-2.3.2-2.el6.x86_64
On Centos 6.5 

I did downloaded the patch and recompiled the rpm, I set the flag  RFC2307bis  
TRUE, but I still get authentication issues whenevr I have the requiregroup set 
to true.


Any inputs on this as it seems this issue is quite old, originally reported on 
2008. 5 yrs ago.

Thank you.

I had the same issue, the patch still works with Debian's 
openvpn-auth-ldap-2.0.3.
I use Gosa and I had to apply the patch to have group authorization.
I created a Debian patch and rebuilt the package.

# apt-get build-dep openvpn-auth-ldap
# apt-get source openvpn-auth-ldap
$ cd openvpn-auth-ldap-...
$ quilt import -P RFC2307.patch ../auth-ldap-rfc2307.patch
$ quit push
$ dpkg-buildpackage -us -uc
$ cd ..
# dpkg -i ...

Then modify the config as described in comments above.

Hey netantho,

Is your ldap group authentication working?
When you say "Then modify the config as described in comments above", which 
comments do you mean?
Could you show us your successful configuration for the <Group> section?
Thanks!

thanks for the patch... it works great!

Anyone get this working with open ldap?
I can authenticate perfectly if I set the "RequireGroup" to false.
I'm thinking it is the syntax difference in using Open Directory (Mac OS X 
10.6.8 Server).

Are binary packages for this patch planned?

Thank you and regards, Giulio

I attach binary packages for Ubuntu 10.04 LTS lucid and Ubuntu 12.04 LTS 
precise, they could be useful for someone else!

They were prepared following the steps from comment #21.

I have a question,if domain account binding the hostname on the domain 
controller,so cann't login OpenVPN  
please help me