[Samba] OpenVPN using LDAP Auth and Samba 4 AD

Denis Cardon dcardon at tranquil.it
Mon Mar 2 08:23:29 UTC 2020


Hi Paul,

On 03/01/2020 at 12:01 PM, Paul Littlefield via samba wrote:
> Hello All,
>
> I would like to use OpenVPN with Samba 4 AD using the LDAP Auth plugin.
>
> However, my tests come up with the following errors in the OpenVPN...
>
>
> LDAP bind failed: Strong(er) authentication required (BindSimple:
> Transport encryption required.)

It means you have the "ldap server require strong auth = yes" in your 
conf (it is the default value and it is good like that), and it refuses 
simple bind over a plain connection. You can disable it by switching to 
"no", or better, install SSL/TLS certificates that your openvpn server 
trusts (internal CA, Let's Encrypt or commercial certificate).

Note if you are using sasl over ssl/tls for your auth you might have to 
use "allow_sasl_over_tls" value for that parameter instead of yes (I 
guess because of channel binding issue).

> Unable to bind as CN=VPN Connect,CN=Users,DC=MYDOMAIN,DC=COM
> LDAP connect failed.
> PLUGIN_CALL: POST
> /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
> PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with
> status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
> TLS Auth Error: Auth Username/Password verification failed for peer
>
>
> Has anyone else used OpenVPN with Samba 4 AD and if so, can I see your
> sanitised config please?
>
> Samba 4.7.6+dfsg~ubuntu-0ubuntu2.15

4.7.6 is an old version that is no longer maintained. Better get the 
latest and shiniest version soon :-)

Cheers,

Denis

> OpenVPN 2.3.10-1ubuntu2.2
>
> Thanks,
>
> Paully
>

-- 
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it

Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
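
Added example, not part of the reply above and not code from Samba or openvpn-auth-ldap: a small offline checker that reads an smb.conf and an auth-ldap.conf and predicts whether the plugin's simple bind will be refused, following the documented meaning of "ldap server require strong auth". The host name dc1.mydomain.example and the sample configs are constructed; certificate trust on the OpenVPN side is not checked.

```python
import re
from urllib.parse import urlparse

def smb_global_param(smb_conf, name, default):
    """Read a [global] parameter; Samba ignores case and spaces in names."""
    norm = lambda s: re.sub(r"\s+", "", s).lower()
    section, value = None, default
    for line in map(str.strip, smb_conf.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, val = line.split("=", 1)
            if norm(key) == norm(name):
                value = val.strip()
    return value

def ldap_block(auth_ldap_conf):
    """Collect 'Key value' directives from the <LDAP> block of auth-ldap.conf."""
    opts, inside = {}, False
    for line in map(str.strip, auth_ldap_conf.splitlines()):
        if line.lower() in ("<ldap>", "</ldap>"):
            inside = line.lower() == "<ldap>"
        elif inside and line and not line.startswith("#"):
            key, *rest = line.split(None, 1)
            opts[key.lower()] = rest[0].strip('"') if rest else ""
    return opts

def simple_bind_outcome(smb_conf, auth_ldap_conf):
    """Predict how the DC answers the plugin's simple bind."""
    policy = smb_global_param(smb_conf, "ldap server require strong auth", "yes").lower()
    ldap = ldap_block(auth_ldap_conf)
    # Transport is encrypted with an ldaps:// URL or with StartTLS (TLSEnable yes).
    encrypted = (urlparse(ldap.get("url", "")).scheme == "ldaps"
                 or ldap.get("tlsenable", "no").lower() == "yes")
    if encrypted:
        return "accepted"            # "yes" and "allow_sasl_over_tls" both allow this
    if policy in ("no", "false", "0"):
        return "accepted-cleartext"  # bind password crosses the network unencrypted
    return "refused"                 # "Strong(er) authentication required"

# Constructed sample configs (assumed host name, BindDN taken from the log above).
SMB_DEFAULT = "[global]\n    realm = MYDOMAIN.COM\n"
SMB_RELAXED = SMB_DEFAULT + "    ldap server require strong auth = no\n"
PLAIN = ('<LDAP>\n  URL ldap://dc1.mydomain.example\n'
         '  BindDN "CN=VPN Connect,CN=Users,DC=MYDOMAIN,DC=COM"\n  TLSEnable no\n</LDAP>\n')
LDAPS = PLAIN.replace("ldap://", "ldaps://")

if __name__ == "__main__":
    for smb, ldap in ((SMB_DEFAULT, PLAIN), (SMB_RELAXED, PLAIN), (SMB_DEFAULT, LDAPS)):
        print(simple_bind_outcome(smb, ldap))
```
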


