> On Fri, Jul 9, 2021 at 7:35 PM Gert Doering <g...@greenie.muc.de> wrote:
>
> Hi,
>
> On Fri, Jul 09, 2021 at 06:17:14PM +0100, Duarte Rocha wrote:
> > I'm loading the openvpn-auth-ldap.so for user validation and then
> > loading the duo plugin for 2FA. It works, except it has an unwanted
> > behaviour: if a user is not in the allowed groups in LDAP, the
> > openvpn-auth-ldap.so will fail but will still trigger the push
> > notification. Shouldn't the 2nd plugin not be called if the previous
> > ends with error?
> >
> > PLUGIN_CALL: POST
> > /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY
> > status=1
> > PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with
> > status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
> > PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY
> > status=2
>
> Which openvpn version is that?
>
> Can you show a server log with --verb 3 of such an incoming connection?
>
> For 2.5, we reworked the logic for "there are multiple client-connect
> things, some succeed and one fails", but I'm not sure we ever looked
> at the "there are multiple plugins loaded for USER_PASS_VERIFY and one
> of them fails" case.
>
So I'm running the latest version available on the official Ubuntu 20.04 LTS repo:

OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10

Here is the log:

:36654 TLS: Initial packet from [AF_INET]5.249.74.39:36654, sid=4f441add b9132837
:36654 peer info: IV_VER=2.4.7
:36654 peer info: IV_PLAT=linux
:36654 peer info: IV_PROTO=2
:36654 peer info: IV_NCP=2
:36654 peer info: IV_LZ4=1
:36654 peer info: IV_LZ4v2=1
:36654 peer info: IV_LZO=1
:36654 peer info: IV_COMP_STUB=1
:36654 peer info: IV_COMP_STUBv2=1
:36654 peer info: IV_TCPNL=1
LDAP user "duarte.ro...@gmail.com" was not found.
:36654 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
:36654 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
:36654 PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
:36654 TLS Auth Error: Auth Username/Password verification failed for peer
:36654 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1569'
:36654 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
:36654 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
:36654 Peer Connection Initiated with [AF_INET] 1.2.3.4:36654
:36654 PUSH: Received control message: 'PUSH_REQUEST'
:36654 Delayed exit in 5 seconds
:36654 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
:36654 SIGTERM[soft,delayed-exit] received, client-instance exiting

My config file:

port 1194
mode server
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.0.90.0 255.255.255.0
keepalive 10 120
reneg-sec 0
auth SHA256
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
persist-key
persist-tun
management localhost 7505
status /var/log/openvpn/openvpn-status.log
user nobody
group nogroup
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
tls-exit
tls-version-min 1.2
verify-client-cert none
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth-ldap.conf"
plugin /opt/duo/duo_openvpn.so '*********** ******************** api-***********.duosecurity.com'
tmp-dir "/etc/openvpn/tmp"

I'm going to try version 2.5 in the meantime.

--
Best regards
--
Duarte Rocha <duarte.ro...@gmail.com>

_______________________________________
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
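The log above shows the session was still rejected in the end (SENT CONTROL 'AUTH_FAILED' after the LDAP plugin returned status 1), so the problem is an unsolicited MFA push for a user the directory already turned down, not an authentication bypass. As an added example, not code from this thread, from OpenVPN or from the Duo plugin, one way to get the short-circuit the original post asks for on a 2.4 server is to stop chaining two plugins and run a single auth-user-pass-verify script that performs the directory check first and only calls the MFA push when that succeeds. The script path, the two backend commands and their USERNAME/PASSWORD environment contract are assumptions for illustration; what OpenVPN itself guarantees is that in via-file mode the script receives one argument, a temporary file whose first line is the username and second line the password, and that the script's exit status is the verdict.

```shell
#!/bin/sh
# Added example (not code from this thread, OpenVPN or the Duo plugin):
# one auth-user-pass-verify script that chains the first factor and the
# MFA push itself, so a directory rejection never reaches the push.
#
# Assumed server-side wiring (paths are assumptions):
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/auth-chain.sh via-file
#
# In via-file mode OpenVPN passes one argument: a temporary file whose
# first line is the username and second line is the password.
#
# Backends are commands that take USERNAME (and, for the first factor,
# PASSWORD) from the environment and exit 0 only on success. The default
# paths are assumptions; point them at your own LDAP bind/group check
# and your own MFA push wrapper.
: "${FIRST_FACTOR_CMD:=/etc/openvpn/ldap-check.sh}"
: "${SECOND_FACTOR_CMD:=/etc/openvpn/mfa-push.sh}"

# auth_chain CREDFILE -> return status is the verdict: 0 accept, 1 reject.
auth_chain() {
    credfile="$1"
    if [ ! -r "$credfile" ]; then
        echo "auth-chain: cannot read credentials file" >&2
        return 1
    fi
    # Only the first two lines are defined by the via-file contract.
    username=$(sed -n '1p' "$credfile")
    password=$(sed -n '2p' "$credfile")

    # Reject malformed input before any backend (and any push) is touched.
    if [ -z "$username" ] || [ -z "$password" ]; then
        echo "auth-chain: missing username or password" >&2
        return 1
    fi

    # First factor: password + group check. Fail closed here, so a user
    # who is not in the allowed groups never generates a push.
    # Credentials travel in the environment, not argv, so they do not
    # show up in `ps` output.
    if ! USERNAME="$username" PASSWORD="$password" "$FIRST_FACTOR_CMD"; then
        echo "auth-chain: first factor rejected user '$username'" >&2
        return 1
    fi

    # Second factor runs only for users the directory already accepted.
    # The password is deliberately not forwarded to the MFA backend.
    if ! USERNAME="$username" "$SECOND_FACTOR_CMD"; then
        echo "auth-chain: second factor rejected user '$username'" >&2
        return 1
    fi
    return 0
}

# When invoked by OpenVPN, $1 is the via-file path and the exit status is
# the verdict. The guard lets the file be sourced without running anything.
if [ -n "${1:-}" ]; then
    auth_chain "$1"
    exit $?
fi
```

The trade-off against the two-plugin setup is visible in the log: the Duo plugin answered status 2 (deferred), so the server kept processing other clients while the push was pending, whereas a synchronous auth-user-pass-verify script holds the server's main loop for as long as the second-factor command takes. Keep the MFA backend's timeout short, and keep the rejection message on stderr free of the password so the OpenVPN log never carries it.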