Example Configuration
<LDAP>
# LDAP server URL
URL ldap://ldap1.example.org
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
# Bind Password
# Password SecretPassword
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=People,dc=example,dc=com"
# User Search Filter
SearchFilter "(&(uid=%u)(accountStatus=active))"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "ou=Groups,dc=example,dc=com"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
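As an added example (not code from the openvpn-auth-ldap project), a small Python parser for the <LDAP> / <Authorization> / <Group> section format shown above, plus the %u substitution used by SearchFilter; the constructed sample config and the RFC 4515 escaping of the login name are this example's own assumptions.

```python
import re
# Constructed sample in the same format as the page's example configuration.
SAMPLE_CONF = """\
<LDAP>
  # LDAP server URL
  URL ldap://ldap1.example.org
  TLSEnable yes
</LDAP>
<Authorization>
  BaseDN "ou=People,dc=example,dc=com"
  SearchFilter "(&(uid=%u)(accountStatus=active))"
  RequireGroup true
  <Group>
    BaseDN "ou=Groups,dc=example,dc=com"
    SearchFilter "(|(cn=developers)(cn=artists))"
    MemberAttribute uniqueMember
  </Group>
</Authorization>
"""

def parse_conf(text):
    """Parse <Section> blocks of 'Key value' lines into nested dicts; '#' lines are skipped."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"<(/?)(\w+)>", line)
        if m:
            if m.group(1):  # closing tag: return to the parent section
                if not stack or stack[-1][0] != m.group(2):
                    raise ValueError(f"unbalanced </{m.group(2)}>")
                _, cur = stack.pop()
            else:  # opening tag: start a nested section
                stack.append((m.group(2), cur))
                cur = cur.setdefault(m.group(2), {})
            continue
        key, _, value = line.partition(" ")
        cur[key] = value.strip().strip('"')  # quoted values like BaseDN "..."
    if stack:
        raise ValueError(f"unclosed <{stack[-1][0]}>")
    return root

def escape_filter_value(value):  # RFC 4515: match the username literally (this example's choice)
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_search_filter(cfg, username):
    """Expand %u in Authorization/SearchFilter with the login name, as the plugin's filter expects."""
    return cfg["Authorization"]["SearchFilter"].replace("%u", escape_filter_value(username))
```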
Can you tell me where "accountStatus=active" is defined? Which LDAP schema?
"accountStatus=active" would be an account enabled/disabled flag; it doesn't have to come from a schema. To bypass it: SearchFilter "(uid=%u)"
Is there a way to auth on several BaseDNs? I've tried to add 2 <Authorization> blocks but only the last is used. Regards
Some working values for Windows Active Directory, used with Ubuntu 8.04 x86_64 to W2K3 AD:
<LDAP> section, set these:
<Authorization> section:
After much guesswork, I finally figured out that URL ldap://xx.xx.xx.xx,yy.yy.yy.yy allows you to use redundant LDAP servers. Could you add this to the documentation or point me to where it's already documented?
Thanks!
Yes, please do tell us about redundant LDAP servers. That boosts the scalability of the system and of course provides redundancy.
I would like to say thanks for your plugin :). v
Anybody had any luck outside of authenticating off of the user alone on Zimbra 6.0's LDAP schema?
I'd like to use zimbraAccountStatus at a minimum, if possible. Groups would be good too.
I've also attempted to add a group search with Zimbra's posix user addition. The BaseDN on that would be ou=groups,dc=example,dc=com. I tried (cn=vpnusers) for the search filter and got no love.
Straight authenticating with (uid=%u) works fine though :)
Would there be a way to get the client cert to authenticate against LDAP? I'm not sure how this would work. I'm looking for an X.509 authentication against LDAP. Specifically, I want my client to be able to use the pkcs11 module which (as I understand it) authenticates using the TLS client certificate/key to OpenVPN. It seems the next step would have to take this authentication and pass it through to the LDAP server and try to bind with those credentials.
Would this be feasible to patch in? (I'm willing to try, though my Obj-C experience is limited. Might be sloppy)
Thank you for your LDAP plugin for OpenVPN; I have tested it on CentOS and Ubuntu and it is running well.
http://www.howtoforge.com/setting-up-an-openvpn-server-with-authentication-against-openldap-on-ubuntu-10.04-lts
http://www.howtoforge.com/using-iredmail-and-openvpn-for-virtual-email-hosting-and-vpn-services-centos-5.4
Hello!
I just can't get it to work. I get: LDAP user "test" was not found. in the messages logs, but if I test it from the command line it works: ldapsearch -H ldap://localhost -x -b 'ou=Group,dc=example,dc=com' '(&(uid=test))'
I am using Jimmy.kirk's exact configuration, but it just doesn't work.
Can someone share their working openvpn conf file and client conf file? Just FYI, I am not using TLS.
Regards, ocon
Something is buggy. When I give the whole path, I mean all OUs, then the user can be authenticated, but if I stop at a higher OU, then it tries to auth with another user's CN :S
e.g.: OU=SECRETARY,OU=USERS,OU=HQ,DC=EXAMPLE,DC=LOCAL then I get authenticated :) BUT OU=USERS,OU=HQ,DC=EXAMPLE,DC=LOCAL will fail, because it tries to auth another user from another OU in USERS.
Good afternoon!
Can't connect with AD on Windows Server 2008. Any ideas? The example before is not working...
Please, could you explain how to set up redundant LDAP servers?
There should be a switch for whether "MemberAttribute" contains whole DNs or just UIDs (e.g. a posixGroup based on groupOfNames used by libnss_ldap contains only user names in the memberUid attribute, not whole DNs). So you cannot use the RequireGroup feature - it will look for memberUid="uid=XXX,ou=YYY,dn=ZZZ" instead of just memberUid=XXX...
Hi,
I have a problem with an account with a dot inside. For example, when I try to check the plugin configuration and put username: piotr, everything works ok:
./testplugin /usr/local/etc/openvpn/auth/auth-ldap.conf
Username: piotr
Password:
Authorization Succeed!
client-connect succeed!
client-disconnect succeed!
But when I put a username with a dot inside: piotr.xyz (the user exists in LDAP and is a member of vpnUsers), the plugin shows:
./testplugin /usr/local/etc/openvpn/auth/auth-ldap.conf
Username: piotr.xyz
Password:
LDAP user "piotr.xyz" was not found.
Authorization Failed!
LDAP user "piotr.xyz" was not found.
client-connect failed!
LDAP user "piotr.xyz" was not found.
client-disconnect failed!
My auth section config:
<Authorization>
</Authorization>
Anybody can help me? :)
I'm having the same problem as described by maciej above. I want to use a posixGroup for auth but it would not work because of the wrong format. Any solutions for this? Sad I can't use group requirements; everything else works perfectly.
I solved it using this patch: http://code.google.com/p/openvpn-auth-ldap/issues/attachmentText?id=7&aid=7717265956301289367&name=auth-ldap-rfc2307.patch&token=698f35acaa20bc9b30159fdec7e2e915
thanks all
The config file is very good, but I have a question: can the auth-ldap.conf file support an SASL connection? Because I do not want to use a simple connection, and I do not want to use TLS. Thank you
Addendum: My environment is connected to MS AD, so I do not have to apply for a certificate.
Hello, what I mean is: when the LDAP server is AD (TLS connection), how should the openvpn-auth-ldap.conf file be configured? Thank you!!!
Hello, my LDAP server is OpenLDAP with SSL (port 636). I found it rejects me. Should I use the following settings?
URL ldaps://1.2.3.4:636
TLSEnable no
Hi,
I would like to know how to set a particular group to be allowed to authenticate from OpenLDAP for OpenVPN. Below is my ldap-auth config:
<LDAP>
# LDAP server URL
URL ldap://xx.xx.xx.xx
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN cn=admin,dc=office,dc=local
# Bind Password
Password myofficeldap
# Network timeout (in seconds)
Timeout 15
TLSEnable no
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=people,dc=office,dc=local"
# User Search Filter
SearchFilter "(&(uid=%u))"
# Require Group Membership
RequireGroup true
<Group>
BaseDN "ou=groups,dc=office,dc=local"
SearchFilter "(|(cn=vpnusers))"
MemberAttribute uniqueMember
</Group>
</Authorization>
The group that I would like to get authenticated is "cn=vpnusers,ou=groups,dc=office,dc=local". Everything is working fine, OpenVPN is working fine without group restriction; as soon as I enable group restriction, it starts giving me this error
Hello all,
I read about this plugin and tried it, but it does not work. What I am trying to do is install/set up an OpenVPN server on Red Hat 6, then allow users to access this VPN server and authenticate against an LDAP server. My LDAP server is OpenLDAP. Does someone have OpenVPN with ldap-auth working? Could you please share?
Thanks.
K
Hello all, is there a possibility to add more than one <Group></Group> block? If the user is in one group, then add it to a table; if it is in another group, add it to another table. Is this possible?