Yubico Forum

Re: Yubikey openVPN LDAP

2016-09-06T15:00:45+01:00

This also won't work (authenticate against ldap-server and yubikey), same error:
auth required pam_yubico.so ldap_uri=ldap://xxxxx id=xxx authfile=/usr/local/etc/openvpn/yubikey_mappings debug
ldapdn=dc=ad,dc=next-audience,dc=net
ldap_filter=(&(sAMAccountName=%u)(memberOf=CN=mygroup,OU=DefaultUser,DC=adivser,DC=net))
ldap_bind_user=bind_user ldap_bind_password=bind_password try_first_pass
account required pam_yubico.so

Statistics: Posted by VedPac — Tue Sep 06, 2016 3:00 pm

Re: Yubikey openVPN LDAP

2016-09-06T14:56:34+01:00

Hi Spork,

thanks for th reply.

We want to use two factor authentication for OpenVPN using YubiKey.
That means openVPN will prompt a login (username/password), the user will authenticate against our LDAP-Server.
If it succeeded then authenticate again using Yubikey.

Here is the configs:

client.ovpn(client)
auth-user-pass

openvpn.conf (server)
plugin openvpn-plugin-auth-pam.so openvpn

/usr/local/etc/pam.d/openvpn:
auth required pam_yubico.so ldap_uri=ldap://ldap-srv debug id=[Your API Client ID] yubi_attr=pager
ldapdn=dc=ad,dc=next-audience,dc=net
ldap_filter=(&(sAMAccountName=%u)(memberOf=CN=mygroup,OU=DefaultUser,DC=adivser,DC=net))
ldap_bind_user=bind_user ldap_bind_password=bind_password try_first_pass
account required pam_yubico.so

Regards
VedPac

Statistics: Posted by VedPac — Tue Sep 06, 2016 2:56 pm

Re: Yubikey openVPN LDAP

2016-09-06T14:39:17+01:00

Based on what you've written, it's unclear how openVPN fits into your planned setup. There is a separate PAM plugin for LDAP authentication that you don't seem to mention here. There's still another plugin for using the yubikey as the second factor (and another if you want to use u2f specifically).

Could you clarify your intentions a bit more so I know where to troubleshoot?

Statistics: Posted by SporkWitch — Tue Sep 06, 2016 2:39 pm

Yubikey openVPN LDAP

2016-09-06T07:56:07+01:00

Hello,

try according to
https://developers.yubico.com/yubico-pam/
to set-up 2-factor-authentifications on FreeBSD with: openVPN with LDAP-Authentification and Yubikey.

But get error message: PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1.
---
Mon Sep 5 14:47:05 2016 172.23.3.8:35857 TLS: Initial packet from [AF_INET]172.23.3.8:35857, sid=159c136d 2cb1a27d
Mon Sep 5 14:47:05 2016 172.23.3.8:35857 PLUGIN_CALL: POST openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Sep 5 14:47:05 2016 172.23.3.8:35857 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: openvpn-plugin-auth-pam.so
Mon Sep 5 14:47:05 2016 172.23.3.8:35857 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Sep 5 14:47:05 2016 172.23.3.8:35857 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Mon Sep 5 14:47:05 2016 172.23.3.8:35857 Peer Connection Initiated with [AF_INET]172.23.3.8:35857
Mon Sep 5 14:47:07 2016 172.23.3.8:35857 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 5 14:47:07 2016 172.23.3.8:35857 Delayed exit in 5 seconds
Mon Sep 5 14:47:07 2016 172.23.3.8:35857 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Mon Sep 5 14:47:07 2016 172.23.3.8:35857 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.23.3.8:35857 [0]
Mon Sep 5 14:47:08 2016 172.23.3.8:35857 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.23.3.8:35857 [0]

Mon Sep 5 14:47:09 2016 172.23.3.8:35857 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.23.3.8:35857 [0]
Mon Sep 5 14:47:11 2016 172.23.3.8:35857 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.23.3.8:35857 [0]
Mon Sep 5 14:47:12 2016 172.23.3.8:35857 SIGTERM[soft,delayed-exit] received, client-instance exiting
---
openvpn.conf on Server:
plugin openvpn-plugin-auth-pam.so openvpn

If it changed to
plugin openvpn-plugin-auth-pam.so system-auth

then no error, but of it the authentification use local System user, which is not what I want: authetification against ldap server (1. factor) and Yubikey (2. factor).

Kind Regards
VedPac

Statistics: Posted by VedPac — Tue Sep 06, 2016 7:56 am