06-25-2010, 10:39 PM
Eric Peters

VPN help suggestions

Hey all,
I thought I would never ask for help on here, it's more the other way around I'm the one helping out. Anyway here is what I have run into. I'm trying to get a simple VPN connection up and authenticate to a separate Radius server. Being that most of the clients are going to Winblows and to make it easy for the users to setup, my thought was to use PPTPD (poptop) with Radius. I spent a solid 8 hours trying to get PPTPD to authenticate to the Radius server but PPTPD isn't sending anything to the Radius server; it works great with chap-secrets though. The Radius server is not the issue because it works great and is authenticating via LDAPS and I can authenticate on the same server I'm setting up the PPTPD server on via PAM. For example:

Adding the below line to /etc/pam.d/sshd

    auth            sufficient      pam_radius_auth.so debug

I can ssh in and authenticate via Radius, my Radius logs show the connection and everything is happy. But on the same server PPTPD won't have anything to do with it. Now have also tried this on separate servers as well; with them running Ubuntu 9.4 to 10.4 with the same result, no packets are being sent to the Radius server. I have posted this to the POPTOP mail list and Ubuntu forums but all has been quiet.

So I trashed that idea because I spent too much time on it, and there is always another way to skin a cat. So I started down the OpenVPN route and use the PAM plugin they provide since I know my PAM and Radius are happy together. I got a test server up authenticating via certs. "Great!!!" Time to get it authenticating with the openvpn-pam plugin. Well not so fast: When I enable the PAM plugin in the OpenVPN server and try to start it, OpenVPN throws a segfault:

    kernel: [3725586.167177] openvpn[28364]: segfault at 0 ip 00007fd6e5e38fb4 sp 00007fff434f18f0 error 4 in openvpn-auth-pam.so[7fd6e5e38000+3000]

Ugggg I can't win for losing. Google turns up no joy on segfaults with openvpn-auth-pam.so. So I'm back to square one.

Anybody have any other suggestions I can try? I'm pretty much at my wits' end with this one, and stuck. Just not sure what to try next. Does anyone have a working PPTPD via Radius config they would like to share? I might be missing something, but I have been over things a couple two three times the past couple of days. Here is my original post about my PPTPD issue: http://ubuntuforums.org/showthread.php?t=1517219 again any help at this point and time would be GREAT.

Thanks for your time,
Eric



--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
06-26-2010, 12:08 AM
Serge van Ginderachter

VPN help suggestions

On 26 June 2010 00:39, Eric Peters <eric@linuxsystems.net> wrote:
> Anybody have any other suggestions I can try?

I have set up OpenVPN with password authentication to Active Directory. I'll paste you my notes on this setup.
See also http://www.matthardy.info/2009/configure-openvpn-to-authenticate-against-active-directory-ldap-in-linux/



openvpn.conf file:

plugin /usr/lib/openvpn/openvpn-auth-ldap.so auth-ldap.cfg

auth-ldap.cfg for windows active directory

<LDAP>
        # LDAP server URL
        URL             ldap://zeus.COMPANY.be
        # Bind DN (If your LDAP server doesn't support anonymous binds)
        BindDN          "CN=OpenVPN,OU=Service Accounts,DC=COMPANY,DC=be"
        # Bind Password
        # Password      SecretPassword
        Password        XXXXXXXXXX
        # Network timeout (in seconds)
        Timeout         15
        # Enable Start TLS
        #TLSEnable      yes
        TLSEnable       no
</LDAP>
<Authorization>
        # For active directory, I used sAMAccountName to search by username
        # I also configured the original search filter to contain the group membership, instead of using the
        # RequireGroup directive below
        # Base DN
        BaseDN          "OU=Accounts,DC=COMPANY,DC=be"
        # User Search Filter
        #SearchFilter   "(&(uid=%u)(accountStatus=active))"
        SearchFilter    "(&(sAMAccountName=%u)(memberOf= cn=VPN_Access,OU=Security Groups,OU=Accounts,DC=COMPANY,DC=be))"
        # Require Group Membership
        RequireGroup    false
</Authorization>

 
06-26-2010, 01:44 AM
Eric Peters

VPN help suggestions

Thanks Serge, don't think that is going to work for my situation. Little more background on what I'm doing. We are going two factor authentication. Using RSA SecurID, and I'm using RSA's built in Radius server. I have all my servers successfully doing auth via Radius and the PAM mod. I also have all my windoze clients working as well. The last piece in the puzzle is my road warriors, and thought it would be a snap with PPTPD heh.

Next step; I'm going to purge PPTPD and radiusclient-ng and build from source. Could be something wrong with the packages, and I want to verify that hypothesis by building from source first, before even thinking of tracing down a possible bug. I just don't see many issues relating to my issue.

Busy weekend so I might not get to it till Monday.
Cheers,
Eric
Sent from my iPhone
 
06-28-2010, 03:53 PM
Eric Peters

VPN help suggestions

*SOLVED*
Ok it was something stupid in the pptpd config, and thanks to Spacelee who pointed me in the right direction making sure Cleartext was enabled "require-pap". Thanks all who replied =)


Cheers,
Eric
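
The fix reported above came down to one pppd option. As an added example (not from the thread or from the pptpd project), this script lints a pppd options file for the RADIUS and PAP settings discussed here. The sample file contents are constructed, and the MPPE checks reflect general pppd behaviour (MPPE keys come from MS-CHAP) rather than anything the posters wrote.

```shell
#!/bin/sh
# Added example (not from the thread): lint a pppd options file, as read by
# pptpd, for the RADIUS + PAP settings discussed above.

# audit_ppp_auth FILE: prints one finding per line, returns 1 on any FAIL.
audit_ppp_auth() {
    # Drop comments, leading whitespace and blank lines.
    opts=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1")
    rc=0
    # has REGEX: true if some directive line starts with REGEX as whole words.
    has() { printf '%s\n' "$opts" | grep -Eq "^($1)([[:space:]]|\$)"; }

    if has 'plugin[[:space:]]+([^[:space:]]*/)?radius\.so'; then
        echo "OK radius plugin loaded"
    else
        echo "FAIL radius plugin not loaded: pppd will not send requests to a RADIUS server"
        rc=1
    fi
    if has 'require-pap'; then
        echo "OK require-pap set: clients must authenticate with PAP"
        if has 'require-mppe(-40|-128)?'; then
            echo "FAIL require-mppe set: MPPE keys derive from MS-CHAP, which a PAP login does not run"
            rc=1
        else
            echo "WARN PAP without MPPE: credentials and traffic cross the tunnel unencrypted"
        fi
    else
        echo "WARN require-pap not set: pppd may negotiate CHAP or MS-CHAP instead"
    fi
    return $rc
}

# Constructed sample file; contents are illustrative, not the poster's config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
name pptpd
plugin radius.so
require-pap        # the option that resolved the thread
# require-mschap-v2
# require-mppe-128
EOF
audit_ppp_auth "$sample"
rm -f "$sample"
```

The WARN line for PAP without MPPE is the trade-off to plan around: a PAP-only PPTP tunnel needs another layer of encryption underneath it.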


 
