I've successfully configured openvpn to use LDAP username and password authentication. Here is what I've done:
Using openvpn-auth-ldap from http://code.google.com/p/openvpn-auth-ldap/
1) cd /usr/src
2) wget http://openvpn-auth-ldap.googlecode.com/files/auth-ldap-2.0.3.tar.gz
3) apt-get install gobjc re2c dpkg-dev libldap2-dev
4) apt-get source openvpn
5) ./configure --prefix=/usr --with-openvpn=/usr/src/openvpn-2.1~rc7
6) make
7) make install
The configuration file, named /etc/openvpn/ldap-auth-conf, contains:
# BEGIN OF ldap-auth-conf
<LDAP>
URL ldap://localhost
BindDN cn=admin,dc=ebox
Password COPY CONTENT OF /var/lib/ebox/conf/ebox-ldap.passwd here
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=Users,dc=ebox"
# User Search Filter
SearchFilter "uid=%u"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN ou=Groups,dc=ebox
SearchFilter cn=openvpn
#MemberAttribute uniqueMember
MemberAttribute memberUid
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
# END OF ldap-auth-conf
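As an added example (not part of the original post or of the openvpn-auth-ldap project), a small Python checker that parses a file in this format and flags the settings worth reviewing before deployment: a cleartext ldap:// URL to a remote host combined with TLSEnable no, a Password line still holding the placeholder text, and RequireGroup false, which lets any account that can bind connect. The sample config is constructed from the one above; treating localhost as exempt from the TLS check is an assumption.

```python
import re

# Constructed sample in the layout of the post's /etc/openvpn/ldap-auth-conf.
SAMPLE_CONF = """\
<LDAP>
URL ldap://localhost
BindDN cn=admin,dc=ebox
Password COPY CONTENT OF /var/lib/ebox/conf/ebox-ldap.passwd here
TLSEnable no
</LDAP>
<Authorization>
BaseDN "ou=Users,dc=ebox"
SearchFilter "uid=%u"
RequireGroup false
<Group>
BaseDN ou=Groups,dc=ebox
</Group>
</Authorization>
"""

def parse_conf(text):
    # Map section path ('LDAP', 'Authorization/Group') to its key/value pairs.
    sections, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment line
            continue
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag:  # section open or close
            if tag.group(1):
                path.pop()
            else:
                path.append(tag.group(2))
                sections.setdefault("/".join(path), {})
            continue
        key, _, value = line.partition(" ")  # value may itself contain spaces
        sections["/".join(path)][key] = value.strip().strip('"')
    return sections

def audit(conf):
    # Findings a reviewer would raise before putting the file in production.
    ldap, authz = conf.get("LDAP", {}), conf.get("Authorization", {})
    url, findings = ldap.get("URL", ""), []
    host = re.sub(r"^ldaps?://", "", url).split("/")[0].rsplit(":", 1)[0]
    if url.startswith("ldap://") and ldap.get("TLSEnable", "no").lower() != "yes" and host not in ("localhost", "127.0.0.1"):
        findings.append("TLSEnable no with a remote ldap:// URL: bind and user passwords cross the wire in clear")
    if "COPY CONTENT" in ldap.get("Password", ""):
        findings.append("Password still holds the template placeholder")
    if authz.get("RequireGroup", "false").lower() != "true":
        findings.append("RequireGroup false: any account that can bind may connect, not only cn=openvpn members")
    return findings
```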
Test your configuration file:
/usr/src/auth-ldap-2.0.3/src/testplugin /etc/openvpn/ldap-auth-conf
** Use a real eBox username/password; this test should return:
Authorization Succeed!
client-connect succeed!
client-disconnect succeed!
If that works, add plugin /usr/lib/openvpn-auth-ldap.so /etc/openvpn/ldap-auth-conf at the end of your openvpn server configuration file.
To make the openvpn client prompt for a username/password, add auth-user-pass at the end of your client configuration files.
That will need to be added to the eBox template, and an option in the web UI would be appreciated.
Enjoy.