Having a central place like an LDAP service to manage your company's user accounts and group memberships is not only a real time-saver but also improves your overall security: you can enable or disable a user's access to services with a single command. So why not use the existing LDAP infrastructure to authenticate and authorize VPN users as well?
Since the 2.x series, OpenVPN supports authentication via username and password, which is a big plus not only for management and maintenance; it also increases acceptance among end users. Generating client certificates can be cumbersome, and getting users to protect their certificate as carefully as a password can be frustrating.
Thanks to OpenVPN's plugin architecture, we can easily hook external authentication providers into the server. For LDAP authentication we will use the openvpn-auth-ldap module, which is now available in the portage tree as net-misc/openvpn-auth-ldap.
After emerging it, we have to make the plugin known to the OpenVPN server. Add something like

plugin /usr/lib/openvpn-auth-ldap.so my-ldap.conf

to openvpn.conf. This tells the server to load the plugin and to use the information in my-ldap.conf to connect to LDAP. An example configuration file has been installed as /usr/share/doc/openvpn-auth-ldap-2.0.4_pre20131110/auth-ldap.conf.bz2; unpack it next to openvpn.conf:

cd /etc/openvpn/
bzcat /usr/share/doc/openvpn-auth-ldap-2.0.4_pre20131110/auth-ldap.conf.bz2 > my-ldap.conf
The configuration is pretty straightforward. Adjust the value of URL so that it points to your LDAP server's DNS name. If you use LDAPS, change the URL to ldaps://dnsname; if you use STARTTLS, set TLSEnable and configure the certificates accordingly (at least the CA certificate, so that the LDAP server's certificate is actually verified). You definitely want to enable one of the two: otherwise the connection to the LDAP server is unencrypted and every user's password is sent in cleartext over the wire each time they log in. If your server does not support anonymous binds, set the bind DN and password as well.
The <Authorization> section is used to configure who is allowed to connect via VPN. Set BaseDN to match the OU your users are in. I changed the SearchFilter property so that only real user accounts are allowed to log in.
To enable the group membership check, set the RequireGroup property to true; then, in the <Group> subsection, adjust BaseDN to the DN of your groups OU and set SearchFilter to an LDAP filter which matches your group (e.g. (cn=VPN Users)). I had to change the member attribute to memberUid to get this working. Also, make sure that the memberUid attribute of the group contains the full distinguished name of the users, because the plugin compares the attribute's values against the user's DN (there is a patch for RFC 2307 groups, but I haven't checked it).
In the client configuration file, remove the client certificate and key (but leave ca in there) and add the auth-user-pass option. Since the clients no longer present a certificate, the server must also be told not to require one (client-cert-not-required in older releases, verify-client-cert none from OpenVPN 2.4 on); otherwise the TLS handshake fails before the plugin is ever consulted. Your clients should now be able to connect with their username and password.