OpenVPN LDAP Plugin doesn't run in asynchronous mode #66

Open
farvour opened this issue Jan 19, 2018 · 3 comments

Comments

@farvour

farvour commented Jan 19, 2018

Hello, there is an OpenVPN ticket regarding packet loss when auth plugins are used with OpenVPN.

https://community.openvpn.net/openvpn/ticket/585#no1

This plugin does not seem to contain the asynchronous method calls?

@farvour
Author

farvour commented Mar 6, 2018

I opened a PR for this issue #67 which I'm hoping helps solve this issue.

@kirik

kirik commented May 10, 2023

Had these weird packet losses. I found a workaround (actually a solution) using an auth-user-pass-verify script, which supports deferred auth since OpenVPN 2.5+.

Some source links:
https://community.openvpn.net/openvpn/ticket/222
https://github.com/waldner/openvpn-ldap

OpenVPN server config file:

...
script-security 3
auth-user-pass-verify /etc/openvpn/ldap_auth.sh via-env
...

Example of the ldap_auth.sh script (use your <BINDDN> and <BASEDN>). ldapsearch should be installed where the script will run.

#!/bin/bash

ourname=ldap_auth.sh
facility=auth

output=$(mktemp)
error=$(mktemp)

# child process - try simple shell backgrounding
(
  # remove the temp files however the child exits
  trap 'rm -f "${output}" "${error}"' EXIT

  # an empty password would turn the simple bind into an unauthenticated bind,
  # which many directories accept, so reject it before asking the directory
  if [ -z "${password}" ]; then
    logger -p "${facility}.err" -t "${ourname}" "Empty password for user ${username}, refusing."
    echo "0" > "${auth_control_file}"
    exit 1
  fi

  # -x selects a simple bind (without it ldapsearch attempts SASL). The user's entry is
  # cn=<username>,<BINDDN>; <BASEDN> is an entry the bound user must be able to read.
  # Note that -w puts the password on the command line, where it is visible in `ps`.
  ldapsearch -x -h auth.local -D "cn=${username},<BINDDN>" -b "<BASEDN>" -s base "objectClass=*" 1.1 -w "${password}"  1>"${output}" 2>"${error}"

  # save exit status here, otherwise the following assignment resets $?
  status=$?

  if [ "${status}" -ne 0 ]; then
    logger -p "${facility}.err" -t "${ourname}" "There was an error authenticating user ${username} against AD."
    logger -p "${facility}.err" -t "${ourname}" "The error was: $(tr '\n' ' ' < "${error}" )"  # turn multiline into single line
    echo "0" > "${auth_control_file}"
    exit 1
  fi

  # look for the "numEntries" line in the output of ldapsearch
  numentries=$(awk '/numEntries:/{ne = $3} END{print ne + 0}' "${output}")

  if [ "${numentries}" -eq 1 ]; then
    logger -p "${facility}.info" -t "${ourname}" "User ${username} authenticated successfully"
    echo "1" > "${auth_control_file}"
    exit 0
  else
    logger -p "${facility}.err" -t "${ourname}" "User ${username} NOT authenticated (user not in group?)"
    echo "0" > "${auth_control_file}"
    exit 1
  fi
) &

# tell openvpn that auth will be deferred
exit 2

After using this you should see deferred auth messages in the OpenVPN server log: Username/Password authentication deferred for username 'username'

Hope this will help

@Sispheor

Thank you very much @kirik. We were facing the exact same issue.
And we replaced the module with a bash script as well.

Here is our version of the script, which performs the check against 2 different DNs (we have real users and service accounts).

#!/bin/bash
ourname=ldap_auth.sh
facility=auth

output=$(mktemp)
error=$(mktemp)

log_this () {
  echo "$1"
}

log_this "Connection from username: $username at $(date)"

exit_if_ok() {
  if [ "$status" -eq 0 ]; then
    numentries=$(awk '/numEntries:/{ne = $3} END{print ne + 0}' "$output")
    if [ "$numentries" -eq 1 ]; then
      log_this "User ${username} authenticated successfully"
      echo "1" > "${auth_control_file}"
      exit 0
    fi
  fi
}

# child process - try simple shell backgrounding
(
  # remove the temp files however the child exits
  trap 'rm -f "$output" "$error"' EXIT

  # an empty password would become an unauthenticated bind that many
  # directories accept, so refuse it before trying either DN
  if [ -z "$password" ]; then
    log_this "User ${username} NOT authenticated (empty password)"
    echo "0" > "${auth_control_file}"
    exit 1
  fi

  # check real user account (uid under ou=People)
  ldapsearch -x -H ldaps://ldap.domain:636 \
  -D "uid=${username},ou=People,o=domain.com" \
  -w "${password}" \
  -b "ou=People,o=domain.com" \
  "uid=${username}" 1>"${output}" 2>"${error}"
  status=$?
  exit_if_ok

  # check service account (cn under ou=Applications)
  ldapsearch -x -H ldaps://ldap.domain:636 \
    -D "cn=${username},ou=Applications,o=domain.com" \
    -w "${password}" \
    -b "ou=Applications,o=domain.com" \
    "cn=${username}" 1>"${output}" 2>"${error}"
  status=$?
  exit_if_ok

  log_this "User ${username} NOT authenticated"
  echo "0" > "${auth_control_file}"
  exit 1

) &

# tell openvpn that auth will be deferred
exit 2

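A hardened variant of the deferred-auth wrapper that both scripts in this thread implement, added here as an example (it is not code from the thread or from the plugin): it refuses empty credentials (an empty password degrades a simple bind into an unauthenticated bind), restricts the characters that may reach the DN, passes the password to ldapsearch through a file instead of -w, bounds the lookup with a timeout, and removes its temp files. LDAP_URI, USER_BASE and LDAP_CMD are assumed placeholders; the ldapsearch flags used are standard OpenLDAP ones.

```shell
#!/bin/bash
# Added example (not the project's own code): a hardened deferred-auth
# check for "auth-user-pass-verify <script> via-env". OpenVPN exports
# username, password and auth_control_file into the environment.
# Assumed placeholders: LDAP_URI and USER_BASE (where uid=<user> lives);
# LDAP_CMD exists only so the check can be exercised against a stub.
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com:636}"
USER_BASE="${USER_BASE:-ou=People,o=example.com}"
LDAP_CMD="${LDAP_CMD:-ldapsearch}"

# Bind as the user and require exactly one entry back. Returns 0 on
# success, 1 on any failure; this function never backgrounds itself.
ldap_verify() {
  local user="$1" pass="$2" pwfile out rc
  # An empty password turns a simple bind into an unauthenticated bind,
  # which many directories accept, so refuse it before calling out.
  [ -n "$user" ] && [ -n "$pass" ] || return 1
  # Only a conservative character set is allowed into the DN.
  case "$user" in *[!A-Za-z0-9._@-]*) return 1 ;; esac
  pwfile=$(mktemp) && out=$(mktemp) || return 1
  printf '%s' "$pass" > "$pwfile"   # -y keeps the password out of `ps`
  # timeout (coreutils) bounds a hung directory so the tunnel fails closed
  timeout 10 "$LDAP_CMD" -x -H "$LDAP_URI" \
    -D "uid=${user},${USER_BASE}" -y "$pwfile" \
    -b "uid=${user},${USER_BASE}" -s base '(objectClass=*)' 1.1 >"$out" 2>/dev/null
  rc=$?
  if [ "$rc" -eq 0 ] &&
     [ "$(awk '/numEntries:/{ne = $3} END{print ne + 0}' "$out")" -eq 1 ]; then
    rc=0
  else
    rc=1
  fi
  rm -f "$pwfile" "$out"
  return "$rc"
}

# Writes "1" or "0" to the control file and returns the same verdict.
write_verdict() {
  local ctl="$1"
  if ldap_verify "$2" "$3"; then echo 1 > "$ctl"; return 0; fi
  echo 0 > "$ctl"
  return 1
}

# Entry point when run by OpenVPN: background the check and report
# "deferred" (exit 2) immediately so the main loop is never blocked.
if [ -n "${auth_control_file:-}" ]; then
  write_verdict "$auth_control_file" "${username:-}" "${password:-}" &
  exit 2
fi
```

Because the verdict logic lives in functions, the check can be exercised offline by pointing LDAP_CMD at a stub that emulates ldapsearch's exit status and numEntries line.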