<h1>[OpenVPN] LDAP auth based on groups</h1>
<p>Published 2024-02-07 at <a href="https://skeletor.org.ua/?p=6325">https://skeletor.org.ua/?p=6325</a>; categories: others, security.</p>

<p>Only the part that concerns authentication and group authorization against <strong>LDAP</strong> is covered here; the rest of the server setup (PKI, network options) is assumed to be in place. Add the following to the server config:</p>

<pre>username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf</pre>

<p>The first line tells OpenVPN to use the login the client supplies (the LDAP <code>uid</code>) as the connection's common name instead of the CN from the client certificate; that is the name which then appears in the log, in the status file and in <code>client-config-dir</code> lookups. The second line loads the <strong>openvpn-auth-ldap</strong> plugin and points it at its own config file. Note that the plugin adds a username/password check on top of the TLS client-certificate check; it does not replace the certificate unless you explicitly turn certificate verification off (<code>verify-client-cert none</code>).</p>

<p>Now the settings for the plugin, <strong>/etc/openvpn/auth/ldap.conf</strong>:</p>

<pre>&lt;LDAP&gt;
    URL             ldaps://ldap.domain.com
    BindDN          cn=svcuser,ou=services,dc=domain,dc=com
    Password        superpass
    Timeout         15
    TLSEnable       no
    FollowReferrals yes
&lt;/LDAP&gt;

&lt;Authorization&gt;
        BaseDN          "ou=people,dc=domain,dc=com"
        SearchFilter    "(&amp;(uid=%u)(objectclass=inetOrgPerson)(!(sn=BAD_*)))"
        RequireGroup    true
        &lt;Group&gt;
                BaseDN  "ou=roles,dc=domain,dc=com"
                SearchFilter  "(&amp;(objectclass=organizationalRole)(cn=remote))"
                MemberAttribute RoleOccupant
        &lt;/Group&gt;
&lt;/Authorization&gt;
</pre>

<p>How the plugin reads this: it binds as <code>svcuser</code>, searches <code>ou=people</code> with <code>SearchFilter</code> (the client's login is substituted for <code>%u</code>; the <code>(!(sn=BAD_*))</code> clause is a local convention for excluding disabled accounts), binds as the single entry it found with the supplied password, and then, because <code>RequireGroup</code> is <code>true</code>, looks under <code>ou=roles</code> for an <code>organizationalRole</code> with <code>cn=remote</code> whose <code>roleOccupant</code> attribute contains the user's DN. Now everyone in the <strong>remote</strong> group has access to the <strong>VPN</strong>.</p>

<p>Two things to check in the <code>&lt;LDAP&gt;</code> block. <code>TLSEnable</code> controls STARTTLS on a plain <code>ldap://</code> connection; with an <code>ldaps://</code> URL the session is already encrypted, so <code>TLSEnable no</code> is correct here, but <code>ldap://</code> together with <code>TLSEnable no</code> would send the service-account password and every user's password over the network in the clear. The bind password is stored in plaintext in this file, so keep <code>ldap.conf</code> owned by root with mode 0600.</p>

<p>An important point: this setup is for the <strong>RoleOccupant</strong> case (group entries that list their members). There is also a <strong>memberOf</strong> variant for directories that expose group membership on the user entry itself (Active Directory, or OpenLDAP with the memberof overlay); there the group condition goes into the user <code>SearchFilter</code> instead of a <code>&lt;Group&gt;</code> block.</p>

<p>On the client, add this line to the config so that it prompts for <strong>login/pass</strong>:</p>
<p><code>auth-user-pass</code></p>

<p>Here are examples of a failed and a successful authentication from the server log (the <code>[CN SET]</code> marker on the last line shows that <code>username-as-common-name</code> took effect):</p>
<pre>DAP bind failed: Invalid credentials
Incorrect password supplied for LDAP DN "uid=ivanov,ou=people,dc=domain,dc=com".
Tue Nov  7 13:52:03 2023 us=229365 44.44.44.44:42299 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Nov  7 13:52:03 2023 us=229416 44.44.44.44:42299 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Tue Nov  7 13:52:03 2023 us=229491 44.44.44.44:42299 TLS Auth Error: Auth Username/Password verification failed for peer
...
Tue Nov  7 14:15:32 2023 us=783997 33.33.33.33:41625 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Tue Nov  7 14:15:32 2023 us=784194 33.33.33.33:41625 TLS: Username/Password authentication succeeded for username 'shevchenko' [CN SET]
</pre>
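<p>The decision the plugin makes with the ldap.conf above, as an added example that is not part of the original post and not code from openvpn-auth-ldap: it replaces the LDAP server with an in-memory directory (constructed sample users and the <code>cn=remote</code> role; all names and passwords are made up) and evaluates the page's own filters with a minimal filter parser, so the search-then-bind-then-group sequence, the <code>sn=BAD_*</code> exclusion and the memberOf alternative can be exercised offline. The RFC 4515 escaping of <code>%u</code> is this model's own choice; it is what any implementation splicing a client-supplied login into a filter has to do.</p>

```python
"""Added model of openvpn-auth-ldap's decision for the ldap.conf above: find
exactly one user matching SearchFilter (with %u substituted), bind as that DN
with the supplied password, then, since RequireGroup is true, find a group
matching the Group SearchFilter whose MemberAttribute lists the user's DN."""
import re

# Constructed sample entries standing in for the LDAP server; userPassword is
# kept in the clear only so the model can simulate the bind.
DIRECTORY = {
    "uid=shevchenko,ou=people,dc=domain,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["shevchenko"],
        "sn": ["Shevchenko"], "userPassword": ["s3cret"],
        "memberOf": ["cn=remote,ou=roles,dc=domain,dc=com"],  # used by the memberOf variant
    },
    "uid=ivanov,ou=people,dc=domain,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["ivanov"],
        "sn": ["Ivanov"], "userPassword": ["hunter2"],
    },
    "uid=petrenko,ou=people,dc=domain,dc=com": {   # disabled via the sn=BAD_* convention
        "objectClass": ["inetOrgPerson"], "uid": ["petrenko"],
        "sn": ["BAD_Petrenko"], "userPassword": ["pw"],
    },
    "cn=remote,ou=roles,dc=domain,dc=com": {
        "objectClass": ["organizationalRole"], "cn": ["remote"],
        "roleOccupant": ["uid=shevchenko,ou=people,dc=domain,dc=com",
                         "uid=petrenko,ou=people,dc=domain,dc=com"],
    },
}

# The page's ldap.conf reduced to what the decision needs.
CONFIG = {
    "user_base": "ou=people,dc=domain,dc=com",
    "user_filter": "(&(uid=%u)(objectclass=inetOrgPerson)(!(sn=BAD_*)))",
    "require_group": True,
    "group_base": "ou=roles,dc=domain,dc=com",
    "group_filter": "(&(objectclass=organizationalRole)(cn=remote))",
    "member_attribute": "roleOccupant",
}
# memberOf variant: no Group block, the role DN is checked on the user entry
# instead (requires memberOf on users, e.g. AD or OpenLDAP's memberof overlay).
CONFIG_MEMBEROF = dict(CONFIG, require_group=False, user_filter=(
    "(&(uid=%u)(objectclass=inetOrgPerson)(!(sn=BAD_*))"
    "(memberOf=cn=remote,ou=roles,dc=domain,dc=com))"))

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter; without it the
    login '*' would turn (uid=%u) into a match-everything clause."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_filter(s, i=0):
    """Minimal recursive-descent parser for (&..), (|..), (!..) and (attr=value)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        assert s[i] == ")"
        return (op, kids), i + 1
    j = s.index(")", i)        # a literal ')' inside a value is escaped as \29
    attr, _, val = s[i:j].partition("=")
    return ("=", attr, val), j + 1

def _value_regex(val):
    """Filter value -> case-insensitive regex; '*' is a wildcard, hex escapes are decoded."""
    unesc = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
    return re.compile("^" + ".*".join(re.escape(unesc(p)) for p in val.split("*")) + "$", re.I)

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    values = next((v for a, v in entry.items() if a.lower() == attr.lower()), [])
    rx = _value_regex(val)
    return any(rx.match(v) for v in values)

def search(base_dn, filter_str):
    """Subtree search under base_dn; returns the matching DNs."""
    node, _ = parse_filter(filter_str)
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith("," + base_dn.lower()) and matches(node, e)]

def authorize(username, password, cfg=CONFIG):
    """Return (allowed, reason) for one login attempt."""
    hits = search(cfg["user_base"],
                  cfg["user_filter"].replace("%u", escape_filter_value(username)))
    if len(hits) != 1:                      # zero or ambiguous: never bind
        return False, "user search returned %d entries" % len(hits)
    user_dn = hits[0]
    if password not in DIRECTORY[user_dn].get("userPassword", []):
        return False, 'incorrect password supplied for LDAP DN "%s"' % user_dn
    if cfg["require_group"]:
        attr = cfg["member_attribute"].lower()
        listed = [v.lower() for g in search(cfg["group_base"], cfg["group_filter"])
                  for a, vs in DIRECTORY[g].items() if a.lower() == attr for v in vs]
        if user_dn.lower() not in listed:
            return False, "user is not an occupant of any required group"
    return True, user_dn
```

<p>Run <code>authorize("ivanov", "hunter2")</code> to see a correct password still refused because <code>ivanov</code> is not a <code>roleOccupant</code> of <code>cn=remote</code>, and <code>authorize("petrenko", "pw")</code> to see the <code>sn=BAD_*</code> clause drop a user before any bind is attempted; with <code>CONFIG_MEMBEROF</code> the same outcomes come from the user filter alone.</p>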
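<p>Detection logic over server log lines of the shape shown above, as an added example that is not from the original post: it turns the OpenVPN lines into auth events, attaches the plugin's untimestamped <code>Incorrect password</code> line to the failure that follows it, and flags sources with repeated failures inside a window. The log excerpt inside the script is constructed to mirror the lines above; the IPs, usernames, threshold and window are illustrative.</p>

```python
"""Added example: parse OpenVPN (verb 4) auth lines produced with
username-as-common-name + openvpn-auth-ldap and flag brute-force sources."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: three failures for 'ivanov' from one source inside
# two minutes, one failure with no plugin line, then a successful login.
SAMPLE_LOG = """\
Incorrect password supplied for LDAP DN "uid=ivanov,ou=people,dc=domain,dc=com".
Tue Nov  7 13:52:03 2023 us=229365 44.44.44.44:42299 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Nov  7 13:52:03 2023 us=229491 44.44.44.44:42299 TLS Auth Error: Auth Username/Password verification failed for peer
Incorrect password supplied for LDAP DN "uid=ivanov,ou=people,dc=domain,dc=com".
Tue Nov  7 13:52:41 2023 us=101010 44.44.44.44:42301 TLS Auth Error: Auth Username/Password verification failed for peer
Incorrect password supplied for LDAP DN "uid=ivanov,ou=people,dc=domain,dc=com".
Tue Nov  7 13:53:15 2023 us=202020 44.44.44.44:42305 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Nov  7 13:58:00 2023 us=303030 55.55.55.55:50000 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Nov  7 14:15:32 2023 us=783997 33.33.33.33:41625 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Tue Nov  7 14:15:32 2023 us=784194 33.33.33.33:41625 TLS: Username/Password authentication succeeded for username 'shevchenko' [CN SET]
"""

LINE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) us=\d+ "
                  r"(?P<src>[\d.]+):\d+ (?P<msg>.*)$")
FAILED = re.compile(r"TLS Auth Error: Auth Username/Password verification failed")
SUCCEEDED = re.compile(r"authentication succeeded for username '(?P<user>[^']+)'")
PLUGIN_DN = re.compile(r'Incorrect password supplied for LDAP DN "uid=(?P<user>[^,"]+)')

def parse_events(text):
    """Return (timestamp, source_ip, outcome, username) tuples.  The plugin's
    untimestamped line names the DN; it is attached to the next failure, which
    is how the two lines follow each other in the server log."""
    pending_user, events = None, []
    for line in text.splitlines():
        m = PLUGIN_DN.search(line)
        if m:
            pending_user = m.group("user")
            continue
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(re.sub(r" +", " ", m.group("ts")), "%a %b %d %H:%M:%S %Y")
        msg = m.group("msg")
        if FAILED.search(msg):
            events.append((ts, m.group("src"), "fail", pending_user))
            pending_user = None
        else:
            s = SUCCEEDED.search(msg)
            if s:
                events.append((ts, m.group("src"), "ok", s.group("user")))
    return events

def brute_force_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failures inside a sliding `window`."""
    by_src, flagged = defaultdict(list), {}
    for ts, src, outcome, _ in events:
        if outcome != "fail":
            continue
        times = by_src[src]
        times.append(ts)
        while times and ts - times[0] > window:   # forget failures outside the window
            times.pop(0)
        if len(times) >= threshold:
            flagged[src] = len(times)
    return flagged

def targeted_users(events):
    """How many failures each LDAP uid attracted (failures without a DN are skipped)."""
    return dict(Counter(user for _, _, outcome, user in events
                        if outcome == "fail" and user))
```

<p>Feed the real server log to <code>parse_events</code> and the two reports give you the usual triage pair: which peers are hammering the VPN, and which accounts they are guessing.</p>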