1 (edited by thanatos 2012-05-12 04:40:34)

Topic: OpenVPN auth LDAP with iRedMail slapd

I am trying to get OpenVPN 2.1.3-2 with openvpn-auth-ldap 2.0.3-1 to authenticate against slapd 2.4.23-7.2 on up-to-date Debian Squeeze and iRedMail 0.8.0.

/etc/dovecot/dovecot-ldap.conf (generated by iRedMail) has:
    user_filter     = (&(objectClass=mailUser)(accountStatus=active)(enabledService=mail)(enabledService=%Ls%Lc)(|(mail=%u)(&(enabledService=shadowaddress)(shadowAddress=%u))))

/etc/openvpn/auth/auth-ldap.conf has:
    BaseDN ((copied from /etc/dovecot/dovecot-ldap.conf))
    SearchFilter "(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn)(|(mail=%u)(&(enabledService=shadowaddress)(shadowAddress=%u))))"

openvpn log:
    LDAP search failed: Insufficient access
    LDAP user "postmaster@X.Y" was not found.
    ...PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
    ...PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so

slapd log:
    SRCH base="o=domains,dc=X,dc=Y" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn)(|(mail=postmaster@X.Y)(&(enabledService=shadowaddress)(shadowAddress=postmaster@X.Y))))"
    SEARCH RESULT tag=101 err=50 nentries=0 text=

Can anyone suggest a better searchfilter, or ask after other log lines?

P.S. The mail user has enabledService vpn according to phpldap.
P.P.S. The mail user is mail=postmaster@X.Y,ou=Users,domainName=X.Y,o=domains,dc=X,dc=Y

2

Re: OpenVPN auth LDAP with iRedMail slapd

Please show us the full LDAP-related config in OpenVPN, and the related log in OpenLDAP, not just the SRCH line.

3

Re: OpenVPN auth LDAP with iRedMail slapd

ZhangHuangbin wrote:

Please show us the full LDAP-related config in OpenVPN, and the related log in OpenLDAP, not just the SRCH line.

I should also point out that openvpn is running on a separate host from iredmail ... but I made a copy of iRedMail_CA.pm and the slapd connection is working. Also you will see that I left in the <Group> section but RequireGroup is false.

sanitized /etc/openvpn/auth/auth-ldap.conf:

<LDAP>
        URL             ldap://iredmail-host
        BindDN          "cn=vmail,dc=X,dc=Y"
        Password        PASSWORD
        Timeout         15
        TLSEnable       yes
        FollowReferrals yes
        TLSCACertFile   /etc/ssl/certs/iRedMail_CA.pem
        TLSCACertDir    /etc/ssl/certs
</LDAP>
<Authorization>
        BaseDN          "o=domains,dc=X,dc=Y"
        SearchFilter "(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn)(|(mail=%u)(&(enabledService=shadowaddress)(shadowAddress=%u))))"
        RequireGroup    false
        <Group>
                BaseDN          "ou=Groups,dc=example,dc=com"
                SearchFilter    "(|(cn=developers)(cn=artists))"
                MemberAttribute uniqueMember
        </Group>
</Authorization>

relevant slapd log entries: (all with same conn=)

fd=35 ACCEPT from IP=(IP OF openvpn HOST):54552 (IP=0.0.0.0:389)
op=0 BIND dn="cn=vmail,dc=X,dc=Y" method=128
op=0 BIND dn="cn=vmail,dc=X,dc=Y" mech=SIMPLE ssf=0
op=0 RESULT tag=97 err=0 text=
op=1 EXT oid=1.3.6.1.4.1.1466.20037
op=1 STARTTLS
op=1 AUTHZ anonymous mech=starttls ssf=0
op=1 RESULT oid= err=0 text=
fd=35 TLS established tls_ssf=128 ssf=128
op=2 SRCH base="o=domains,dc=X,dc=Y" scope=2 deref=0 filter="(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn)(|(mail=postmaster@X.Y)(&(enabledService=shadowaddress)(shadowAddress=postmaster@X.Y))))"
op=2 SEARCH RESULT tag=101 err=50 nentries=0 text=
op=3 UNBIND
fd=35 closed

One thing that seems wrong is the "AUTHZ anonymous" ... but I have provided the same dn and dnpass as in dovecot-auth.log.

Thanks for looking!
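An added diagnostic (my own code, not from this thread and not part of openvpn-auth-ldap or slapd) that replays a slapd connection trace like the one above and reports which identity each failed search actually ran as. The sample trace is constructed from the post (a conn= prefix added, the filter shortened), and err=50 is decoded with the RFC 4511 result code names.

```python
import re

RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights"}

# Constructed sample mirroring the post's trace: conn= prefix added, long filter shortened.
SAMPLE_LOG = """\
conn=1001 op=0 BIND dn="cn=vmail,dc=X,dc=Y" mech=SIMPLE ssf=0
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 STARTTLS
conn=1001 op=1 AUTHZ anonymous mech=starttls ssf=0
conn=1001 op=1 RESULT oid= err=0 text=
conn=1001 op=2 SRCH base="o=domains,dc=X,dc=Y" scope=2 deref=0 filter="(mail=postmaster@X.Y)"
conn=1001 op=2 SEARCH RESULT tag=101 err=50 nentries=0 text=
"""

LINE = re.compile(r"conn=(\d+) (?:fd=\d+ |op=(\d+) )?(.*)")

def analyse(log_text):
    """Replay each conn, tracking the identity slapd evaluates ACLs against."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, op, rest = m.groups()
        st = conns.setdefault(conn, {"identity": "anonymous", "pending": None, "searches": []})
        if rest.startswith("BIND dn="):
            st["pending"] = re.search(r'dn="([^"]*)"', rest).group(1)
        elif rest.startswith("RESULT") and st["pending"] is not None:
            if " err=0 " in rest:  # bind accepted: ACLs now apply to that DN
                st["identity"] = st["pending"]
            st["pending"] = None
        elif rest.startswith("AUTHZ anonymous"):
            st["identity"] = "anonymous"  # slapd dropped the bind (here: on StartTLS)
        elif rest.startswith("SRCH"):
            st["searches"].append({"op": op, "identity": st["identity"], "err": None})
        elif rest.startswith("SEARCH RESULT"):
            err = int(re.search(r"err=(\d+)", rest).group(1))
            for s in st["searches"]:
                if s["op"] == op:
                    s["err"], s["err_name"] = err, RESULT_CODES.get(err, "unknown")
    return conns

def diagnose(log_text):
    """One finding per failed search, naming the identity it actually ran as."""
    return ["conn=%s op=%s: search as %s failed with err=%d (%s)" % (
            conn, s["op"], s["identity"], s["err"], s["err_name"])
            for conn, st in analyse(log_text).items() for s in st["searches"] if s["err"]]
```

Passing the real slapd log text to diagnose() shows that the "AUTHZ anonymous mech=starttls" line turns the op=2 search into an anonymous one, so the err=50 reflects the ACLs as seen by anonymous rather than by cn=vmail.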

4

Re: OpenVPN auth LDAP with iRedMail slapd

How about testing with a minimal LDAP filter like the one below:

        SearchFilter "(mail=%u)"

5

Re: OpenVPN auth LDAP with iRedMail slapd

Will try SearchFilter "(mail=%u)" today.

Would also like to point out that the LDAP db was imported from a 0.7.0 installation.

Thanks!

6

Re: OpenVPN auth LDAP with iRedMail slapd

thanatos wrote:

Would also like to point out that the LDAP db was imported from a 0.7.0 installation.

Did you update the LDAP data by following the iRedMail upgrade tutorials?
Here are the scripts used to update the LDAP data (mentioned in the iRedMail upgrade tutorials):
https://bitbucket.org/zhb/iredmail/src/ … tra/update

Upgrading iRedMail-0.7.0 to 0.8.0 needs two scripts:

* updateLDAPValues_072_to_073.py
* updateLDAPValues_074_to_080.py