I've successfully configured OpenVPN to use LDAP user and password auth. Here is what I've done:
Using openvpn-auth-ldap from http://code.google.com/p/openvpn-auth-ldap/
1) cd /usr/src
2) wget http://openvpn-auth-ldap.googlecode.com/files/auth-ldap-2.0.3.tar.gz
3) apt-get install gobjc re2c dpkg-dev libldap2-dev
4) apt-get source openvpn
5) tar xzf auth-ldap-2.0.3.tar.gz
6) cd auth-ldap-2.0.3
7) ./configure --prefix=/usr --with-openvpn=/usr/src/openvpn-2.1~rc7
8) make
9) make install
The configuration file, named /etc/openvpn/ldap-auth-conf, contains:
# BEGIN OF ldap-auth-conf
<LDAP>
URL ldap://localhost
BindDN cn=admin,dc=ebox
Password COPY CONTENT OF /var/lib/ebox/conf/ebox-ldap.passwd here
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=Users,dc=ebox"
# User Search Filter
SearchFilter "uid=%u"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN ou=Groups,dc=ebox
SearchFilter cn=openvpn
#MemberAttribute uniqueMember
MemberAttribute memberUid
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
# END OF ldap-auth-conf
Test your configuration file:
/usr/src/auth-ldap-2.0.3/src/testplugin /etc/openvpn/ldap-auth-conf
** Use a real eBox username/password; this test should return:
Authorization Succeed!
client-connect succeed!
client-disconnect succeed!
If that works, add the line "plugin /usr/lib/openvpn-auth-ldap.so /etc/openvpn/ldap-auth-conf" at the end of your OpenVPN server configuration file.
To tell the OpenVPN client to prompt for a username/password, you need to add auth-user-pass at the end of your client configuration files.
That will need to be added to the eBox template, and an option in the web UI would be appreciated.
Enjoy.
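What the post configures is a four-step check that runs for every auth-user-pass attempt: bind as BindDN, search BaseDN with SearchFilter (%u replaced by the username), bind again as the DN that was found using the user's password, and, if RequireGroup is on, look the user up in the group's MemberAttribute. The Python below is an added example that models that flow against a small in-memory directory; it is not the plugin's own code, and the entries, passwords and CONFIG values are constructed to mirror the post's settings (with RequireGroup switched on so the group step is exercised). It also shows the three things a practitioner should check before trusting such a setup: that %u is escaped per RFC 4515 before it lands in the filter (the escape=False path shows a username of "*" matching every user otherwise), that an empty password is rejected (an empty simple bind is anonymous in LDAP and "succeeds"), and that a search returning more than one entry fails closed.

```python
import re

# Constructed in-memory directory standing in for the eBox slapd (hypothetical entries).
DIRECTORY = {
    "cn=admin,dc=ebox": {"cn": ["admin"], "userPassword": ["admin-bind-pw"]},
    "uid=alice,ou=Users,dc=ebox": {"uid": ["alice"], "userPassword": ["alice-pw"]},
    "uid=bob,ou=Users,dc=ebox": {"uid": ["bob"], "userPassword": ["bob-pw"]},
    "cn=openvpn,ou=Groups,dc=ebox": {"cn": ["openvpn"], "memberUid": ["alice"]},
}

# Mirrors the <LDAP>/<Authorization> settings from the post (RequireGroup turned on here).
CONFIG = {
    "BindDN": "cn=admin,dc=ebox",
    "Password": "admin-bind-pw",
    "BaseDN": "ou=Users,dc=ebox",
    "SearchFilter": "uid=%u",
    "RequireGroup": True,
    "GroupBaseDN": "ou=Groups,dc=ebox",
    "GroupSearchFilter": "cn=openvpn",
    "MemberAttribute": "memberUid",
}


def escape_filter_value(value):
    """RFC 4515 escaping: characters with meaning inside a filter become \\XX hex
    escapes so a username cannot change the structure of the filter it is put into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(template, username, escape=True):
    """Substitute %u into the SearchFilter template and wrap it in parentheses."""
    value = escape_filter_value(username) if escape else username
    return "(" + template.replace("%u", value) + ")"


def _value_regex(pattern):
    """Translate an LDAP assertion value into a regex: \\XX is one literal
    character, a bare '*' is a wildcard, everything else matches itself."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 3 <= len(pattern):
            out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        else:
            out.append(".*" if pattern[i] == "*" else re.escape(pattern[i]))
            i += 1
    return "".join(out)


def _matches(flt, entry):
    # Only the single "(attr=value)" form used by the post's filters is modelled.
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: %r" % flt)
    attr, regex = m.group(1), _value_regex(m.group(2))
    return any(re.fullmatch(regex, v) for v in entry.get(attr, []))


def search(base, flt):
    """Subtree search: DNs below base whose entry satisfies the filter."""
    return [dn for dn, e in DIRECTORY.items()
            if dn.endswith("," + base) and _matches(flt, e)]


def simple_bind(dn, password):
    """LDAP simple bind. An empty password is an anonymous bind in LDAP and
    must never be taken as proof of the user's identity."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def authenticate(username, password, cfg=CONFIG, escape=True):
    """The four steps an LDAP auth plugin performs for one auth-user-pass attempt."""
    if not simple_bind(cfg["BindDN"], cfg["Password"]):
        return False                                  # service account cannot bind
    dns = search(cfg["BaseDN"], build_filter(cfg["SearchFilter"], username, escape))
    if len(dns) != 1:
        return False                                  # unknown user, or an ambiguous match
    if not simple_bind(dns[0], password):
        return False                                  # wrong (or empty) password
    if cfg["RequireGroup"]:
        groups = search(cfg["GroupBaseDN"], "(" + cfg["GroupSearchFilter"] + ")")
        members = [uid for g in groups
                   for uid in DIRECTORY[g].get(cfg["MemberAttribute"], [])]
        if username not in members:
            return False                              # authenticated but not authorised
    return True


if __name__ == "__main__":
    print(authenticate("alice", "alice-pw"))   # member of cn=openvpn
    print(authenticate("bob", "bob-pw"))       # valid password, not in the group
    print(search("ou=Users,dc=ebox", build_filter("uid=%u", "*", escape=False)))
```

With RequireGroup false, as in the posted file, the group step is skipped and any account under ou=Users that can bind gets a VPN session; flipping it to true and keeping the memberUid group is the cheap way to limit VPN access to a named set of users.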