Openvpn – Unable to login via PAM and ldap: failed to get password

active-directoryopenvpnpampam-ldap

I'm trying to have OpenVPN authenticate users via PAM over LDAP to an Active Directory server.

Here are the relevant parts of my configuration files:

/etc/openvpn/server.conf: 

# ...
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so ldap-login

/etc/nslcd.conf:

uri ldap://prod-adc1.mydomain.local
base DC=MyDomain,DC=Local
uid nslcd
gid ldap

/etc/pam.d/ldap-login:

auth      sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
auth      required    pam_deny.so
password  sufficient  pam_ldap.so minimum_uid=1000 use_first_pass
password  required    pam_deny.so

When I try authenticating, I see the following in the logs:

/var/log/secure:

Dec  4 22:22:42 localhost openvpn[25505]: pam_ldap(ldap-login:auth): failed to get password: Authentication failure

/var/log/messages:

Dec  4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 TLS: Initial packet from [AF_INET]1.2.3.4:37503, sid=c2d806cc 5c7c7ace
Dec  4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Dec  4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
Dec  4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 TLS Auth Error: Auth Username/Password verification failed for peer
Dec  4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384
Dec  4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 Peer Connection Initiated with [AF_INET]1.2.3.4:37503
Dec  4 22:38:31 localhost openvpn[25504]: 1.2.3.4:37503 PUSH: Received control message: 'PUSH_REQUEST'
Dec  4 22:38:31 localhost openvpn[25504]: 1.2.3.4:37503 Delayed exit in 5 seconds
Dec  4 22:38:31 localhost openvpn[25504]: 1.2.3.4:37503 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Dec  4 22:38:36 localhost openvpn[25504]: 1.2.3.4:37503 SIGTERM[soft,delayed-exit] received, client-instance exiting

Have I configured PAM wrong? Is there something I'm missing in my login configuration?

EDIT: I'm able to login if I do the following:

ldapsearch -h prod-adc1.mydomain.local -b "DC=MyDomain,DC=Local" -x -D "naftuli.kay@mydomain.com" -W

How do I map this over to the PAM LDAP module to get OpenVPN logins working as expected?

Best Answer

It looks like you need to configure /etc/nslcd.conf with your binddn and bindpw.

See http://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5

Hope this helps!

-Byron

Related Topic