OpenVPN + OTP + LDAP

I have successfully set up LDAP authentication for OpenVPN.

searchDN="CN=Users,DC=dc,DC=org"
searchUser="CN=Administrator,CN=Users,DC=dc,DC=org"
searchUserPW="123456789"
LDAPHost="192.170.1.22"

# Hand "username password" to squid's LDAP helper on stdin; it answers OK or ERR.
RES=$(echo "$username $password" | /usr/lib/squid/basic_ldap_auth -b "$searchDN" -f "(&(sAMAccountName=%s)(objectClass=Person))" -D "$searchUser" -w "$searchUserPW" -R -H "$LDAPHost")
# Quote $RES so an empty or multi-word answer cannot break the test.
if [ "$RES" = "OK" ]; then
    exit 0
else
    exit 1
fi

But if I now enable the OTP option, enter the token, and then the AD username and password, it always says:

Client Log:

Tue Aug 12 13:48:06 2025 TLS: tls_multi_process: initial untrusted session promoted to trusted
Tue Aug 12 13:48:07 2025 MANAGEMENT: >STATE:1754999287,GET_CONFIG,
Tue Aug 12 13:48:07 2025 SENT CONTROL [ipfire.localdomain]: 'PUSH_REQUEST' (status=1)
Tue Aug 12 13:48:12 2025 SENT CONTROL [ipfire.localdomain]: 'PUSH_REQUEST' (status=1)
Tue Aug 12 13:48:17 2025 SENT CONTROL [ipfire.localdomain]: 'PUSH_REQUEST' (status=1)
Tue Aug 12 13:48:22 2025 SENT CONTROL [ipfire.localdomain]: 'PUSH_REQUEST' (status=1)
Tue Aug 12 13:48:27 2025 SENT CONTROL [ipfire.localdomain]: 'PUSH_REQUEST' (status=1)

Server Log:

13:51:00 openvpnserver[2373]: 62.XXX:52071 SIGUSR1[soft,ping-restart] received, client-instance restarting
13:51:00 openvpnserver[2373]: 62.XXX:52071 [Test2] Inactivity timeout (--ping-restart), restarting
13:49:00 openvpnserver[2373]: 62.XXX:52071 PUSH: Received control message: 'PUSH_REQUEST'
13:48:55 openvpnserver[2373]: 62.XXX:52071 PUSH: Received control message: 'PUSH_REQUEST'
13:48:50 openvpnserver[2373]: 62.XXX:52071 PUSH: Received control message: 'PUSH_REQUEST'
13:48:45 openvpnserver[2373]: 62.XXX:52071 PUSH: Received control message: 'PUSH_REQUEST'
13:48:30 openvpnserver[2373]: 62.XXX:52071 PUSH: Received control message: 'PUSH_REQUEST'
13:48:25 openvpnserver[2373]: 62.XXX:52071 PUSH: Received control message: 'PUSH_REQUEST'
13:48:21 openvpnserver[2373]: 62.XXX:52071 PUSH: Received control message: 'PUSH_REQUEST'
13:48:15 openvpnserver[2373]: 62.XXX:52071 PUSH: Received control message: 'PUSH_REQUEST'
13:48:10 openvpnserver[2373]: 62.XXX:52071 PUSH: Received control message: 'PUSH_REQUEST'
13:48:05 openvpnserver[2373]: 62.XXX:52071 PUSH: Received control message: 'PUSH_REQUEST'

Does anyone have an idea? Do I need to set another parameter?
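A hardened variant of the auth handler from the post, as an added example (not IPFire's ovpnldapauth.sh): it is written for OpenVPN's via-file mode, reads the bind password from a root-only file instead of the command line, quotes every variable and rejects input that would split the single "user password" line basic_ldap_auth reads. The script path, the bind-password file path and the LDAP_AUTH override are assumptions.

```shell
#!/bin/sh
# Added example, not the IPFire ovpnldapauth.sh: a via-file handler for
#   auth-user-pass-verify /etc/openvpn/ldap-auth.sh via-file   (assumed path)
# that checks credentials against AD with squid's basic_ldap_auth.
# Differences from the script in the post: the bind password is read from a
# root-only file (-W) instead of the command line, every variable is quoted,
# and input that would break the helper's "user password" line is rejected.

LDAP_HOST="${LDAP_HOST:-192.170.1.22}"                       # values from the post
SEARCH_DN="${SEARCH_DN:-CN=Users,DC=dc,DC=org}"
BIND_DN="${BIND_DN:-CN=Administrator,CN=Users,DC=dc,DC=org}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/openvpn/ldap-bind.pw}"    # assumed; chmod 0600
LDAP_AUTH="${LDAP_AUTH:-/usr/lib/squid/basic_ldap_auth}"     # overridable for tests

# A credential is acceptable when it is non-empty, at most 128 bytes and made
# only of printable, non-blank ASCII (a space or newline would split the
# single "user password" line basic_ldap_auth reads from stdin).
valid_cred() {
    [ -n "$1" ] && [ "${#1}" -le 128 ] &&
        [ -z "$(printf '%s' "$1" | tr -d '!-~')" ]
}

# Run the helper; it answers "OK" on success and "ERR ..." on failure.
# Succeeds only on an OK line. Add -Z (StartTLS) in production.
ldap_check() {
    res=$(printf '%s %s\n' "$1" "$2" | "$LDAP_AUTH" \
        -b "$SEARCH_DN" -f '(&(sAMAccountName=%s)(objectClass=Person))' \
        -D "$BIND_DN" -W "$BIND_PW_FILE" -R -H "$LDAP_HOST" 2>/dev/null)
    case "$res" in
        OK|"OK "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# OpenVPN (via-file) passes a temp file: username on line 1, password on line 2.
verify_file() {
    user=$(sed -n '1p' "$1")
    pass=$(sed -n '2p' "$1")
    valid_cred "$user" || return 1
    valid_cred "$pass" || return 1
    ldap_check "$user" "$pass"
}

# Only verify when OpenVPN invokes us with the file path; sourcing the file
# (as a test does) just defines the functions.
if [ -n "$1" ]; then
    verify_file "$1" && exit 0
    exit 1
fi
```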

Hello @bueh

Welcome to the IPFire community.

The language used for this forum is English.

See the forum FAQ, at the end of the section labelled "Improve the discussion".

https://community.ipfire.org/faq

If English is not a language that you speak then please use one of the online translation applications such as
https://www.deepl.com


Sorry, I have adjusted the post.


After I entered the Authenticator token, it immediately jumps into the ovpnldapauth.sh and takes the username and password from the Authenticator. If I read the log correctly, it should only jump into the ovpnldapauth.sh file after the second dialog with the username and password has been confirmed.

That script was created back in 2015 with a few updates since then.
I think a good person to potentially help with your problem would be @ummeegge, who originally created that script.

Thank you for the response. I will contact Erik.

I put his name in the message so that he will get notified that he was referenced and will then respond back in this post thread.