Bug #1037

closed

OpenVPN broken when used with LDAPS backend

Added by Florent Daigniere about 11 years ago. Updated about 11 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: OpenVPN
Start date: 11/24/2010
% Done: 0%
Affected Version: 2.0

Description

The connection to LDAP fails if SSL is used

To get it to work, I had to add the following to /var/etc/openvpn/server1.php
putenv("LDAPTLS_CACERT=/var/etc/openvpn/server1.ca");
putenv("LDAPTLS_REQCERT=never");

#1

Updated by Chris Buechler about 11 years ago

  • Category set to OpenVPN
#2

Updated by Ermal Luçi about 11 years ago

  • Status changed from New to Feedback

Committed your suggestions to repo.
Thank you.

#3

Updated by Florent Daigniere about 11 years ago

There seems to be an escaping problem; with your patch, server1.php contains

sed: 2: "s/\/\/<template>/$authm ...": bad flag in substitute command: 'v'

The following works for me:

$sed .= "putenv(\"LDAPTLS_CACERT=\/var\/etc\/openvpn\/{$mode_id}.ca\");\\\n";
$sed .= "putenv(\"LDAPTLS_REQCERT=hard\");\\\n";

I didn't manage to get the other replacement string escaped properly

#4

Updated by Ermal Luçi about 11 years ago

Try the latest snapshot and see if I got this right this time.

#5

Updated by Florent Daigniere about 11 years ago

Nope. Still broken.

You are missing a semicolon in befad72821f522bf2c23a883f72ade8af48b8533.

-$sed .= " \$modeid = \"{$mode_id}\"";
+$sed .= " \$modeid = \"{$mode_id}\";";
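
Review bot: the added ";" is the right fix for the generated "$modeid = ..." statement, but the same line still interpolates {$mode_id} verbatim into PHP source inside a double-quoted string, and through $sed into a sed replacement as well, so a mode id containing a quote, a backslash, a dollar sign or a slash would break or alter the generated script rather than just fail to parse; have the generator reject any mode id outside [A-Za-z0-9_] before $sed is built, so the only values that reach this line are the plain "server1"-style ids the template expects.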

With that fixed, it works.

By the way, you might also want to change LDAPTLS_REQCERT from never to hard everywhere (force the certificate verification). I am filing another bug for it.
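
The two things this thread turns on, the sed escaping from #3 and the LDAPTLS_CACERT / LDAPTLS_REQCERT=hard lines from the description and #5, as an added shell example that is not pfSense's generator code. It takes the "//<template>" marker from the sed error quoted in #3; the template layout, the function names, the mode id "server1" and the ldap.example.com host are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not pfSense's own code. It rebuilds the two mechanisms the
# thread touches: (1) the sed substitution that splices generated PHP into the
# auth-script template, escaped so the "/" in the CA path cannot terminate the
# s/// command (comment #3); (2) the LDAPTLS_* environment the generated script
# sets, with REQCERT=hard so the LDAPS server certificate must validate
# against /var/etc/openvpn/<mode_id>.ca (description and comment #5).
# The "//<template>" marker comes from the sed error in comment #3; the
# template layout below is constructed, not pfSense's file.

# PHP lines to inject. The mode id ("server1" in the report) selects the
# per-instance CA bundle. Note the ";" after $modeid (comment #5).
ldap_tls_env_php() {
    printf '$modeid = "%s";\n' "$1"
    printf 'putenv("LDAPTLS_CACERT=/var/etc/openvpn/%s.ca");\n' "$1"
    printf 'putenv("LDAPTLS_REQCERT=hard");\n'
}

# Turn multi-line text into a safe sed replacement: escape "\", "/" and "&"
# (all special on the RHS of s/.../.../) and end every line but the last
# with a backslash so the newline survives inside the s command.
sed_escape_replacement() {
    sed -e 's/[\/&\\]/\\&/g' -e '$!s/$/\\/'
}

# Render the auth script: template on stdin, mode id as $1, PHP on stdout.
render_auth_script() {
    repl=$(ldap_tls_env_php "$1" | sed_escape_replacement)
    sed "s/\/\/<template>/$repl/"
}

# The shape of the first patch: newlines escaped, slashes not. The "/" in
# /var/etc ends the replacement early and sed rejects "var..." as flags
# ("bad flag in substitute command: 'v'" on BSD sed, "unknown option to
# `s'" on GNU sed). Kept only to show the failure; exits non-zero.
render_auth_script_unescaped() {
    repl=$(ldap_tls_env_php "$1" | sed -e '$!s/$/\\/')
    sed "s/\/\/<template>/$repl/"
}

# Before flipping a live box from REQCERT=never to hard, confirm the server
# certificate really chains to the CA file with an anonymous root-DSE read;
# whatever fails here is exactly what "hard" turns into a VPN login outage.
# Needs a reachable LDAPS server and OpenLDAP's ldapsearch, so it is not
# exercised below. Usage: ldaps_preflight /var/etc/openvpn/server1.ca ldap.example.com:636
ldaps_preflight() {
    LDAPTLS_CACERT="$1" LDAPTLS_REQCERT=hard \
        ldapsearch -x -H "ldaps://$2" -b '' -s base '(objectClass=*)' namingContexts
}

# Constructed stand-in for the template, carrying the marker from comment #3.
TEMPLATE='<?php
//<template>
$ldap = ldap_connect($ldapserver);'

printf '%s\n' "$TEMPLATE" | render_auth_script server1
```

Running the block prints the rendered script with the three generated lines in place of the marker; render_auth_script_unescaped on the same input reproduces the sed failure from #3 instead of producing a file. Because libldap reads the LDAPTLS_* variables once, at library initialisation, the putenv() calls only take effect if they run before the first ldap_* call in the process, which is why they belong at the top of the generated script.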

#6

Updated by Florent Daigniere about 11 years ago

It's confirmed-working with 1bab0df1b7fd06ecb2818f69187214a70de238b9

The other bug I was referring to:
bug #1052: Certificate validation of the LDAPS servers is not enforced

Thanks :)

#7

Updated by Chris Buechler about 11 years ago

  • Status changed from Feedback to Resolved