Johann Schmitz

Having a central place like an LDAP service to manage your company's user accounts and group membership information is not only a real time-saver but also improves your overall security: you can enable or disable access to services for a user with a single command. So why not use our existing LDAP infrastructure to authenticate and authorize our VPN users?

Since version 2.something OpenVPN supports authentication via username and password, which is a big plus not only for management and maintenance; it increases acceptance among end users too. Generating client certificates can be really cumbersome, and communicating the need to protect the certificates like a password can be really frustrating.

Thanks to the OpenVPN plugin architecture, we can easily hook up external authentication providers to our server. For the LDAP authentication we will use the openvpn-auth-ldap module which is now available in the portage tree as net-misc/openvpn-auth-ldap.

After emerging, we have to make the plugin known to the OpenVPN server. Add something like

plugin /usr/lib/openvpn-auth-ldap.so my-ldap.conf

to your openvpn.conf. This tells the server to load the plugin and to use the information in my-ldap.conf to connect to LDAP. An example configuration file has been installed into /usr/share/doc/openvpn-auth-ldap-2.0.4_pre20131110/auth-ldap.conf.bz2:

cd /etc/openvpn/
bzcat /usr/share/doc/openvpn-auth-ldap-2.0.4_pre20131110/auth-ldap.conf.bz2 > my-ldap.conf

The configuration is pretty straightforward:

Adjust the value of URL (which should point to your LDAP server's DNS name). If you use LDAPS, change the URL to ldaps://dnsname; if you use STARTTLS, enable TLSEnable and configure the certificates accordingly. You definitely want to enable one of them, otherwise your connection to the LDAP server will be unencrypted and the users' passwords are sent in cleartext over the wire.

If your server does not support anonymous binds, set the BindDN and Password properties.

The <Authorization> section is used to configure who is allowed to connect via VPN. You want to set BaseDN to the OU that contains your users. I changed the SearchFilter property to

SearchFilter    "(&(uid=%u)(objectClass=posixAccount))"

to allow only real user accounts to log in.

To enable the group membership check, set the RequireGroup property to true, adjust the BaseDN in the <Group> section to the DN of your groups' OU and set its SearchFilter to an LDAP filter which matches your group (e.g. (cn=VPN Users)). I had to change the MemberAttribute to memberUid to get this working. Also, make sure that the memberUid attribute of the group contains the full distinguished name of the users (there is a patch for RFC 2307 groups but I haven't checked it).
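Putting the changes from the previous paragraphs together, here is what the resulting my-ldap.conf can look like. This is an added, constructed example and not the file shipped with the package or the author's actual configuration; the hostname, DNs, file paths and bind credentials are placeholders that you have to replace with your own.

```apacheconf
# /etc/openvpn/my-ldap.conf (constructed example; hostname, DNs and paths are placeholders)
<LDAP>
    # LDAPS: the directory is contacted over TLS from the start.
    URL             ldaps://ldap.example.com
    # Alternatively keep a plain ldap:// URL and negotiate STARTTLS:
    # URL           ldap://ldap.example.com
    # TLSEnable     yes
    # With ldap:// and TLSEnable off the users' passwords cross the wire in cleartext.

    # Only needed if the directory refuses anonymous binds.
    BindDN          "cn=openvpn,ou=Services,dc=example,dc=com"
    Password        "REPLACE-WITH-BIND-PASSWORD"
    Timeout         15

    # CA certificate that signed the LDAP server's certificate (placeholder path).
    TLSCACertFile   /etc/ssl/certs/example-ca.pem
</LDAP>

<Authorization>
    # OU that holds the user accounts.
    BaseDN          "ou=People,dc=example,dc=com"
    # %u is replaced with the username sent by the client; the objectClass
    # term restricts logins to real user accounts.
    SearchFilter    "(&(uid=%u)(objectClass=posixAccount))"

    # Additionally require membership in the VPN group.
    RequireGroup    true
    <Group>
        BaseDN          "ou=Groups,dc=example,dc=com"
        SearchFilter    "(cn=VPN Users)"
        # As noted in the post, the group's memberUid values must contain
        # the users' full DNs for this membership check to match.
        MemberAttribute memberUid
    </Group>
</Authorization>
```

Keep the file readable only by the user the OpenVPN server runs as, since it contains the bind password; the plugin reads it once when the server starts, so restart OpenVPN after every change.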

In the client configuration file, remove the cert and key (but leave ca in there) and add the auth-user-pass option. Your clients should now be able to connect with their username and password.