OpenVPN Active Directory integration

[lamacont]

Hi all,
I tested this in FreeBSD 9.1, 9.2 and 10 x64 versions.

Already upgraded ports.

Installed ports:
security/openvpn (version - 2.3.4)
security/openvpn-auth-ldap (version - 2.0.3)

My openvpn.conf file content:

plugin /usr/local/lib/openvpn-auth-ldap.so "/usr/local/etc/openvpn/openvpn-auth-ldap.conf"
proto udp
port 1194
dev tun
server 192.168.150.0 255.255.255.0

ca /usr/local/etc/openvpn/keys/keys/ca.crt
cert /usr/local/etc/openvpn/keys/keys/openvpnserver.crt
key /usr/local/etc/openvpn/keys/keys/openvpnserver.key
client-cert-not-required
dh /usr/local/etc/openvpn/keys/keys/dh2048.pem
tls-auth /usr/local/etc/openvpn/keys/keys/ta.key 0

persist-key
persist-tun
keepalive 10 60

push "route 10.41.0.0 255.255.255.0"
topology subnet

user root
group wheel

daemon
log-append /var/log/openvpn.log

My /usr/local/etc/openvpn/openvpn-auth-ldap.conf file content:

<LDAP>
        URL             ldap://xxx.xx:389
        BindDN          XXX@XXX.XXX
        Password       XXXXXXXXXX
        Timeout         15
</LDAP>
<Authorization>
           BaseDN          "DC=atl,DC=lan"
           SearchFilter    "(&(sAMAccountName=%u)(memberOf=CN=mercurial,OU=mercurial,DC=xxx,DC=xx))"
</Authorization>

With ldapsearch I tested the LDAP configuration and it is successful.

When I tried to start OpenVPN from the command line with the command openvpn --config ad-auth.conf, I found the error in my log file below:

cat /var/log/openvpn.log
Sat Jun 21 14:36:37 2014 OpenVPN 2.3.4 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jun 21 2014
Sat Jun 21 14:36:37 2014 library versions: OpenSSL 0.9.8y 5 Feb 2013, LZO 2.06
Sat Jun 21 14:36:37 2014 PLUGIN_INIT: plugin initialization function failed: /usr/local/lib/openvpn-auth-ldap.so
Sat Jun 21 14:36:37 2014 Exiting due to fatal error

After that I searched the error

plugin initialization function failed: openvpn-auth-ldap.so

on Google and found bug about this: http://lists.freebsd.org/pipermail/free ... 56360.html

And I want to know if anybody found how I can fix this?
Thank you for answers.

 

[viniciusferrao]

You really need to use the security/openvpn-auth-ldap?

You could setup something like security/sssd and use PAM as authentication realm for OpenVPN.

 

[Oko]

I am very interested in the final solution. Please post.

 

[lamacont]

Why if for that have exactly port with name openvpn-auth-ldap. I tested this on CentOS. Not worked too. Just worked on Ubuntu 14.04.

Strange thing i tested this last time on FreeBSD 9.1 with old ports and with old versions OpenVPN and DC-plugin it is worked. But in old ports I need find a lots of things from internet because this ports is out of date.

 

[lamacont]

And there are old version OpenVPN with old version openvpn-auth-ldap.

And I have news about port security/openvpn-auth-radius too. Bad news . I wanted integrate OpenVPN with RADIUS. And after that integrate FreeRADIUS with DC . But bad news in openvpn-auth-radius port same thing happens.

 

[lamacont]

root@openvpn:/usr/ports/security/openvpn-auth-ldap # make install
===>  openvpn-auth-ldap-2.0.3_9 is marked as broken: Needs to be ported to a new Object base-class with +alloc..
*** [install] Error code 1

Stop in /usr/ports/security/openvpn-auth-ldap.
root@openvpn:/usr/ports/security/openvpn-auth-ldap # date
Wed Aug 27 21:16:12 AZST 2014

 

[NindyAyuW]

I just found this thread and it seems that I've double-posted (sorry). Anyway, this is mine https://forums.freebsd.org/threads/help-on-port-security-openvpn-auth-ldap.49844/#post-278680.

You should comment out the BROKEN and OBJCFLAGS+= line, and it will work just fine. I just tried it.