Any idea if we can change the plugin call behavior?

On Mon, Jul 12, 2021 at 12:24 PM Duarte Rocha <duarte.ro...@gmail.com> wrote:
>
> On Mon, Jul 12, 2021 at 12:17 PM Duarte Rocha <duarte.ro...@gmail.com> wrote:
> >
> > > On Fri, Jul 9, 2021 at 7:35 PM Gert Doering <g...@greenie.muc.de> wrote:
> > >
> > > Hi,
> > >
> > > On Fri, Jul 09, 2021 at 06:17:14PM +0100, Duarte Rocha wrote:
> > > > I'm loading the openvpn-auth-ldap.so for user validation and then
> > > > loading the duo plugin for 2FA. It works, except it has an unwanted
> > > > behaviour: if a user is not in the allowed groups in LDAP,
> > > > openvpn-auth-ldap.so will fail but will still trigger the push
> > > > notification. Shouldn't the 2nd plugin not be called if the previous
> > > > one ends with an error?
> > > >
> > > > PLUGIN_CALL: POST
> > > > /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY
> > > > status=1
> > > > PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with
> > > > status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
> > > > PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY 
> > > > status=2
> > >
> > > Which openvpn version is that?
> > >
> > > Can you show a server log with --verb 3 of such an incoming connection?
> > >
> > > For 2.5, we reworked the logic for "there are multiple client-connect
> > > things, some succeed and one fails", but I'm not sure we ever looked
> > > at the "there are multiple plugins loaded for USER_PASS_VERIFY and one
> > > of them fails" case.
> > >
> > >
> >
> > So I'm running the latest version available on the official Ubuntu
> > 20.04 LTS repo:
> >
> > OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
> > [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
> > library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
> >
> > Here is the Log:
> >
> > :36654 TLS: Initial packet from [AF_INET]5.249.74.39:36654,
> > sid=4f441add b9132837
> > :36654 peer info: IV_VER=2.4.7
> > :36654 peer info: IV_PLAT=linux
> > :36654 peer info: IV_PROTO=2
> > :36654 peer info: IV_NCP=2
> > :36654 peer info: IV_LZ4=1
> > :36654 peer info: IV_LZ4v2=1
> > :36654 peer info: IV_LZO=1
> > :36654 peer info: IV_COMP_STUB=1
> > :36654 peer info: IV_COMP_STUBv2=1
> > :36654 peer info: IV_TCPNL=1
> > LDAP user "duarte.ro...@gmail.com" was not found.
> > :36654 PLUGIN_CALL: POST
> > /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY
> > status=1
> > :36654 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY
> > failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
> > :36654 PLUGIN_CALL: POST
> > /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
> > :36654 TLS Auth Error: Auth Username/Password verification failed for peer
> > :36654 WARNING: 'link-mtu' is used inconsistently, local='link-mtu
> > 1570', remote='link-mtu 1569'
> > :36654 WARNING: 'comp-lzo' is present in local config but missing in
> > remote config, local='comp-lzo'
> > :36654 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384
> > :36654 Peer Connection Initiated with [AF_INET] 1.2.3.4:36654
> > :36654 PUSH: Received control message: 'PUSH_REQUEST'
> > :36654 Delayed exit in 5 seconds
> > :36654 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
> > :36654 SIGTERM[soft,delayed-exit] received, client-instance exiting
> >
> >
> > My Config file
> >
> > port 1194
> > mode server
> > proto udp
> > dev tun
> > ca ca.crt
> > cert server.crt
> > key server.key
> > dh dh.pem
> > tls-auth ta.key 0
> > topology subnet
> > server 10.0.90.0 255.255.255.0
> > keepalive 10 120
> > reneg-sec 0
> > auth SHA256
> > cipher AES-256-CBC
> > compress lz4-v2
> > push "compress lz4-v2"
> > persist-key
> > persist-tun
> > management localhost 7505
> > status /var/log/openvpn/openvpn-status.log
> > user        nobody
> > group       nogroup
> > log         /var/log/openvpn/openvpn.log
> > log-append  /var/log/openvpn/openvpn.log
> > verb        3
> > explicit-exit-notify 1
> > tls-exit
> > tls-version-min 1.2
> > verify-client-cert none
> > plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth-ldap.conf"
> > plugin /opt/duo/duo_openvpn.so '*********** ********************
> > api-***********.duosecurity.com'
> > tmp-dir "/etc/openvpn/tmp"
> >
> > I'm going to try version 2.5 in the meantime.
> >
>
> Just tested with version:
>
> OpenVPN 2.5.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
> [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 17 2021
> library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
>
> Same behavior.
>
>
> --
>
> Duarte Rocha <duarte.ro...@gmail.com>
> _______________________________________
> Programming today is a race between software
> engineers striving to build bigger and better
> idiot-proof programs, and the Universe trying to
> produce bigger and better idiots.
> So far, the Universe is winning.



-- 
Best regards

--

Duarte Rocha <duarte.ro...@gmail.com>
_______________________________________
Programming today is a race between software
engineers striving to build bigger and better
idiot-proof programs, and the Universe trying to
produce bigger and better idiots.
So far, the Universe is winning.
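As an added illustration (not code from this thread or from OpenVPN itself), a small Python check that scans a verb 3 server log for exactly the pattern reported above: a later plugin still being POSTed for the same hook after an earlier plugin for that hook returned error status 1. The status numbers follow OpenVPN's plugin return codes (0 success, 1 error, 2 deferred); the sample log is constructed after the excerpt in the thread, and the session key is the leading ":port" token as it appears there.

```python
import re
from collections import defaultdict

# Plugin return codes as defined in OpenVPN's openvpn-plugin.h
FUNC_SUCCESS, FUNC_ERROR, FUNC_DEFERRED = 0, 1, 2

# Constructed sample, modelled on the log excerpt in the thread (lines unwrapped).
# Session :36654 shows the reported problem; :40001 is a normal successful chain.
SAMPLE_LOG = """\
:36654 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
:36654 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
:36654 PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
:36654 TLS Auth Error: Auth Username/Password verification failed for peer
:40001 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
:40001 PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
"""

# Matches the "PLUGIN_CALL: POST <plugin path>/<hook> status=<n>" lines only
POST_RE = re.compile(
    r"^(?P<sess>\S+) PLUGIN_CALL: POST (?P<plugin>\S+)/(?P<func>PLUGIN_[A-Z_]+) status=(?P<status>\d+)$"
)


def parse_plugin_posts(log_text):
    """Yield (session, plugin_path, hook, status) for each PLUGIN_CALL: POST line."""
    for line in log_text.splitlines():
        m = POST_RE.match(line.strip())
        if m:
            yield m["sess"], m["plugin"], m["func"], int(m["status"])


def find_calls_after_failure(log_text):
    """Return (session, hook, failed_plugin, later_plugin, later_status) tuples for every
    plugin that was still invoked for a hook after an earlier plugin returned FUNC_ERROR
    in the same session. A hit means a side effect (e.g. a 2FA push) fired for a user
    the first plugin had already rejected."""
    first_failure = defaultdict(dict)  # session -> {hook: plugin that first failed}
    findings = []
    for sess, plugin, func, status in parse_plugin_posts(log_text):
        prior = first_failure[sess].get(func)
        if prior is not None and plugin != prior:
            findings.append((sess, func, prior, plugin, status))
        if status == FUNC_ERROR and prior is None:
            first_failure[sess][func] = plugin
    return findings


if __name__ == "__main__":
    for sess, func, failed, later, status in find_calls_after_failure(SAMPLE_LOG):
        print(f"{sess}: {later} ran for {func} (status={status}) after {failed} failed")
```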


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
