LDAP and TOTP

[apsandreas]

Hi,

I would like to setup OpenVPN with Authentication against an LDAP (Samba 4 DC) and TOTP.


- I tested successfully with a local created account (following the documentation) -> With success
- I tested successfully with a local account + TOTP (following the documentation) -> With success
- I tested successfully with an LDAP user without OTP -> With success

Just LDAP + TOTP is not working. This is what I did:

- I created a "LDAP + Timebased One Time Password" access server with the exact same ldap settings like the one without that i know worked in previous tests without OTP.

- Now, how to assign an OTP seed? I googled and found this post: https://forum.opnsense.org/index.php?topic=11882.msg66184#msg66184 where is mentioned, that you have to import the users from the LDAP to Opnsense. I did import my test user and assigned him a seed and scanned the QR code.

- I keep trying to test it with the authentication tester - without success. I tried the ldap + otp server (I think this is still what I want). It just won't accept my password + otp

Is my understanding correct, that OPNSense takes the seed from the local account (that was imported from ldap), but still does the authentication against the original LDAP? How does it map the user name ? samaccountname vs local name?

Thx Andreas

[franco]

Hi Andreas,

Assuming TOTP works locally the system times are in sync. Which means there's either a mismatch between the user locally as it would be found on LDAP so the secret that you expect is not selected or there's a TOTP setting that is not where you want it. Check left/right feed.


Cheers,
Franco

[apsandreas]

Hi Franco,

So my assumption is correct, that the local account is matched against the ldap account? That means seed comes from the local account, whereas the authentication will be done against the LDAP?

How can I check whether there is a mismatch between local / remote user? How are they matched? Is there anything I can check on the shell? Or any kind of verbose logging?

regards

Andreas

[apsandreas]

I suppose it has to do with group membership not updating/synchronizing correctly. I got it working by dropping the server and recreating it without the ldap group check.

Then I later came accross another issue:

- I now have an extended query &(memberOf=CN=VpnUsers,CN=Users,DC=my,DC=domain,DC=com)
- Server has group membership sync switched on
- A local group with the same name exists
- LDAP user Import is showing only allowed users -> fine
- LDAP + OTP working ->fine

But I my test user is no longer a member of the group in the AD, he is STILL able to log in successfully.

Is group membership only mapped on the first import from LDAP? When is synchronization supposed to happen?

[franco]

I'm hearing the group thing the first time in this post so I couldn't comment on it earlier assuming the variables for authentication are kept controllable and expanded when working.

I don't know about group membership sync as I don't use it.


Cheers,
Franco

[apsandreas]

I think the issue is the same as described here: https://github.com/opnsense/core/issues/2818#issuecomment-430252059

I think there is a high risk of misconception:

Imagine you are an fw admin:

• You apply a extended search filter for the LDAP query in the authentication server (without TOTP).
• You test it, and it works as expected: Removing the user from the VnpUsers group (in the LDAP) has the consequence that the user can no longer use VPN.

Now you want LDAP + TOTP mode:

• You have to import the user (to assign him a certificate + OTP seed).
• On import you only see users in the VpnUsers ldap group, as expected

When changing to LDAP + TOTP mode, your expectation is that the the extended LDAP query behavior is the same as before.  (there is no obvious reason that it's not the case).

In fact you lost the ability to manage the users in one place by their LDAP group assignments. 

This an unexpected change in behavior which is neither obvious, nor documented!

Nevertheless, now as I know it, i think I can live with it and I am happy to have MFA running with OpenVPN which is way more than I expected.



 

[pilotboy72]

Out of curiosity, if you configure just the LDAP account does that work?

[apsandreas]

Yes, this is what I referred to with

    You apply a extended search filter for the LDAP query in the authentication server (without TOTP).

In this case it was working as expected, when I tested it. Removing the test user from the AD group -> tester fails. Adding him -> Tester passes.