On Mon, Jul 12, 2021 at 12:17 PM Duarte Rocha <duarte.ro...@gmail.com> wrote:
>
> On Fri, Jul 9, 2021 at 7:35 PM Gert Doering <g...@greenie.muc.de> wrote:
> >
> > Hi,
> >
> > On Fri, Jul 09, 2021 at 06:17:14PM +0100, Duarte Rocha wrote:
> > > I'm loading the openvpn-auth-ldap.so for user validation and then
> > > loading the duo plugin for 2FA. It works, except it has an unwanted
> > > behaviour: if a user is not in the allowed groups in LDAP,
> > > openvpn-auth-ldap.so will fail but will still trigger the push
> > > notification. Shouldn't the 2nd plugin not be called if the previous
> > > one ends with an error?
> > >
> > > PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
> > > PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
> > > PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
> >
> > Which openvpn version is that?
> >
> > Can you show a server log with --verb 3 of such an incoming connection?
> >
> > For 2.5, we reworked the logic for "there are multiple client-connect
> > things, some succeed and one fails", but I'm not sure we ever looked
> > at the "there are multiple plugins loaded for USER_PASS_VERIFY and one
> > of them fails" case.
>
> So I'm running the latest version available on the official Ubuntu
> 20.04 LTS repo:
>
> OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
> library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
>
> Here is the log:
>
> :36654 TLS: Initial packet from [AF_INET]5.249.74.39:36654, sid=4f441add b9132837
> :36654 peer info: IV_VER=2.4.7
> :36654 peer info: IV_PLAT=linux
> :36654 peer info: IV_PROTO=2
> :36654 peer info: IV_NCP=2
> :36654 peer info: IV_LZ4=1
> :36654 peer info: IV_LZ4v2=1
> :36654 peer info: IV_LZO=1
> :36654 peer info: IV_COMP_STUB=1
> :36654 peer info: IV_COMP_STUBv2=1
> :36654 peer info: IV_TCPNL=1
> LDAP user "duarte.ro...@gmail.com" was not found.
> :36654 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
> :36654 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
> :36654 PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
> :36654 TLS Auth Error: Auth Username/Password verification failed for peer
> :36654 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1569'
> :36654 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
> :36654 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
> :36654 Peer Connection Initiated with [AF_INET] 1.2.3.4:36654
> :36654 PUSH: Received control message: 'PUSH_REQUEST'
> :36654 Delayed exit in 5 seconds
> :36654 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
> :36654 SIGTERM[soft,delayed-exit] received, client-instance exiting
>
> My config file:
>
> port 1194
> mode server
> proto udp
> dev tun
> ca ca.crt
> cert server.crt
> key server.key
> dh dh.pem
> tls-auth ta.key 0
> topology subnet
> server 10.0.90.0 255.255.255.0
> keepalive 10 120
> reneg-sec 0
> auth SHA256
> cipher AES-256-CBC
> compress lz4-v2
> push "compress lz4-v2"
> persist-key
> persist-tun
> management localhost 7505
> status /var/log/openvpn/openvpn-status.log
> user nobody
> group nogroup
> log /var/log/openvpn/openvpn.log
> log-append /var/log/openvpn/openvpn.log
> verb 3
> explicit-exit-notify 1
> tls-exit
> tls-version-min 1.2
> verify-client-cert none
> plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth-ldap.conf"
> plugin /opt/duo/duo_openvpn.so '*********** ******************** api-***********.duosecurity.com'
> tmp-dir "/etc/openvpn/tmp"
>
> I'm going to try version 2.5 in the meantime.
>
Just tested with version:

OpenVPN 2.5.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 17 2021
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10

Same behavior.

--
Duarte Rocha <duarte.ro...@gmail.com>
_______________________________________
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
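The behaviour the thread describes, a second PLUGIN_AUTH_USER_PASS_VERIFY plugin still being called after the first returned an error, is worth spotting in the server log, since each such call is a Duo push dispatched for credentials LDAP had already rejected. The following is an added example, not code from the thread, from OpenVPN or from either plugin: it parses the PLUGIN_CALL records of a verb 3 log (SAMPLE_LOG is constructed, modelled on the excerpt above) and flags sessions in which a later plugin handled the hook after an earlier one failed.

```python
import re

# Return codes from OpenVPN's plugin API (openvpn-plugin.h); the Duo plugin's
# status=2 in the thread is DEFERRED (push sent, answer pending), not an error.
FUNC_SUCCESS, FUNC_ERROR, FUNC_DEFERRED = 0, 1, 2

# "PLUGIN_CALL: POST <plugin path>/<hook> status=<n>"; the leading token is the
# client ip:port prefix (shown as ":36654" in the thread's excerpt).
PLUGIN_CALL_RE = re.compile(
    r"^(?P<session>\S+) PLUGIN_CALL: POST (?P<plugin>\S+?)/(?P<hook>PLUGIN_\w+) status=(?P<status>\d+)"
)

# Constructed sample modelled on the thread's log (not a real capture); real
# logs keep each record on one line, the mail client wrapped them.
SAMPLE_LOG = """\
:36654 LDAP user "someone@example.com" was not found.
:36654 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
:36654 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
:36654 PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
:36654 TLS Auth Error: Auth Username/Password verification failed for peer
:41002 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
:41002 PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
"""

def parse_plugin_calls(log_text):
    """Yield (session, plugin, hook, status) for every PLUGIN_CALL POST record."""
    for line in log_text.splitlines():
        m = PLUGIN_CALL_RE.match(line.strip())
        if m:
            yield m["session"], m["plugin"], m["hook"], int(m["status"])

def find_calls_after_failure(log_text, hook="PLUGIN_AUTH_USER_PASS_VERIFY"):
    """Return (session, failed_plugin, later_plugin, later_status) for each plugin
    that handled `hook` after another plugin in the same session had already
    returned FUNC_ERROR for it (LDAP then Duo: a push sent for rejected creds)."""
    first_failure = {}  # session -> plugin that returned FUNC_ERROR first
    findings = []
    for session, plugin, h, status in parse_plugin_calls(log_text):
        if h != hook:
            continue
        if session in first_failure and plugin != first_failure[session]:
            findings.append((session, first_failure[session], plugin, status))
        elif status == FUNC_ERROR and session not in first_failure:
            first_failure[session] = plugin
    return findings

if __name__ == "__main__":
    for session, failed, later, status in find_calls_after_failure(SAMPLE_LOG):
        print(f"{session}: {later} ran (status={status}) after {failed} failed")
```

Run it over the real openvpn.log instead of SAMPLE_LOG to count how many pushes went out for logins the directory had already refused.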