Hello All,

I would like to use OpenVPN with Samba 4 AD using the LDAP Auth plugin.

However, my tests come up with the following errors in the OpenVPN...

LDAP bind failed: Strong(er) authentication required (BindSimple: Transport encryption required.)
Unable to bind as CN=VPN Connect,CN=Users,DC=MYDOMAIN,DC=COM
LDAP connect failed.
PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
TLS Auth Error: Auth Username/Password verification failed for peer

Has anyone else used OpenVPN with Samba 4 AD and if so, can I see your sanitised config please?

Samba 4.7.6+dfsg~ubuntu-0ubuntu2.15
OpenVPN 2.3.10-1ubuntu2.2

Thanks,

Paully
Hi Paul,

On 01/03/2020 at 12:01, Paul Littlefield via samba wrote:
> However, my tests come up with the following errors in the OpenVPN...
>
> LDAP bind failed: Strong(er) authentication required (BindSimple:
> Transport encryption required.)

I think you must add in the [Global] section of your DC:

ldap server require strong auth = no

--
Manu
Hi Paul,

On 03/01/2020 at 12:01 PM, Paul Littlefield via samba wrote:
> Hello All,
>
> I would like to use OpenVPN with Samba 4 AD using the LDAP Auth plugin.
>
> However, my tests come up with the following errors in the OpenVPN...
>
> LDAP bind failed: Strong(er) authentication required (BindSimple:
> Transport encryption required.)

It means you have "ldap server require strong auth = yes" in your conf (it is the default value and it is good like that), and it refuses simple bind over a plain connection. You can disable it by switching to "no", or better, install SSL/TLS certificates that your OpenVPN server trusts (internal CA, Let's Encrypt or commercial certificate).

Note that if you are using SASL over SSL/TLS for your auth you might have to use the "allow_sasl_over_tls" value for that parameter instead of yes (I guess because of a channel binding issue).

> Unable to bind as CN=VPN Connect,CN=Users,DC=MYDOMAIN,DC=COM
> LDAP connect failed.
> PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
> PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
> TLS Auth Error: Auth Username/Password verification failed for peer
>
> Has anyone else used OpenVPN with Samba 4 AD and if so, can I see your sanitised config please?
>
> Samba 4.7.6+dfsg~ubuntu-0ubuntu2.15

4.7.6 is an old version that is no longer maintained. Better get the latest and shiniest version soon :-)

Cheers,

Denis

> OpenVPN 2.3.10-1ubuntu2.2
>
> Thanks,
>
> Paully

--
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it

Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
On 01.03.20 at 12:01, Paul Littlefield via samba wrote:
> Hello All,
>
> I would like to use OpenVPN with Samba 4 AD using the LDAP Auth plugin.
>
> However, my tests come up with the following errors in the OpenVPN...
>
> LDAP bind failed: Strong(er) authentication required (BindSimple:
> Transport encryption required.)
> Unable to bind as CN=VPN Connect,CN=Users,DC=MYDOMAIN,DC=COM
> LDAP connect failed.
> PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
> PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
> TLS Auth Error: Auth Username/Password verification failed for peer
>
> Has anyone else used OpenVPN with Samba 4 AD and if so, can I see your sanitised config please?

I have a working setup with OpenVPN on a pfsense-2.4.4p3 authenticating against Samba4 AD.

The tricky and important part is to get the certs and hostnames right: the OpenVPN server contacts the/one AD DC via hostname and the DC replies with its cert. The hostname contacted must match the hostname in the cert etc., and you have to make OpenVPN trust that cert.

- "ldap server require strong auth = no" helps to work around this, I assume. But it's safer to do it right, even when it's more hassle ;-)
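A way to check the "do it right" path that the last two replies describe (DC certificate trusted by the OpenVPN host, hostname matching the cert, simple bind over TLS working, smb.conf left at its default) before anyone reaches for "ldap server require strong auth = no". This is an added example, not code from any message in the thread; DC_HOST, CA_FILE, the smb.conf path and the openssl/ldapwhoami invocations are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies the DC's LDAPS certificate,
# a simple bind over TLS, and that smb.conf still has its safe default, so
# "ldap server require strong auth = yes" can stay. Host, CA, DN are assumed.

DC_HOST="${DC_HOST:-dc1.mydomain.com}"                   # assumed DC FQDN; must match the cert
CA_FILE="${CA_FILE:-/etc/openvpn/samba-ca.pem}"          # assumed CA that signed the DC cert
BIND_DN="${BIND_DN:-CN=VPN Connect,CN=Users,DC=MYDOMAIN,DC=COM}"  # service account from the thread

# Pull the numeric "Verify return code" out of openssl s_client output.
# 0 means chain and hostname verified; anything else is an OpenSSL error code.
verify_code_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Read "ldap server require strong auth" from smb.conf text. Samba's default
# when the line is absent is "yes", so report that instead of an empty string.
strong_auth_setting() {
    v=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ldap server require strong auth[[:space:]]*=[[:space:]]*//p' \
        | head -n 1 | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*$//')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'yes\n'; fi
}

# Live check 1: does the DC present a cert for $DC_HOST that chains to $CA_FILE?
check_dc_cert() {
    out=$(printf '' | openssl s_client -connect "$DC_HOST:636" -servername "$DC_HOST" \
            -verify_hostname "$DC_HOST" -CAfile "$CA_FILE" 2>/dev/null)
    code=$(verify_code_from_output "$out")
    echo "DC certificate verify code: ${code:-none} (0 = ok)"
    [ "$code" = "0" ]
}

# Live check 2: simple bind over LDAPS with the same CA, which is what the
# OpenVPN plugin does. For StartTLS on 389 use -H "ldap://$DC_HOST" -ZZ instead.
check_bind() {
    LDAPTLS_CACERT="$CA_FILE" ldapwhoami -x -H "ldaps://$DC_HOST" -D "$BIND_DN" -W
}

# Live check 3: flag a DC whose smb.conf has been weakened to work around the error.
check_smb_conf() {
    s=$(strong_auth_setting "$(cat /etc/samba/smb.conf 2>/dev/null)")
    echo "ldap server require strong auth = $s"
    [ "$s" != "no" ]
}

case "${1:-}" in
    check) check_dc_cert && check_bind && check_smb_conf ;;
esac
```

Run it as `sh check-dc-tls.sh check` on the OpenVPN host (checks 1 and 2) or on the DC (check 3); a non-zero exit points at the part that still needs fixing.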