You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
Alex 'AdUser' Z f5bf3a2fa4 * install test util 8 years ago
src * install test util 8 years ago
tests * add 'debug' keyword 9 years ago
CMakeLists.txt * use GNUInstallDirs in cmake 8 years ago
LICENSE * apply license terms 8 years ago
README.md * tune readme 8 years ago

README.md

Overview

This is alternative LDAP auth module for openvpn.

Runtime requirements:

  • openvpn
  • libldap

Build requirements:

  • cmake
  • openvpn headers
  • libldap headers

Installation

cmake -DCMAKE_BUILD_TYPE=Release .
make
make test
sudo make install

Configuration

Firstly, you need to create config file for module. Example config:

# this is comment
# server(s) to connect
bindurls ldap://127.0.0.1 ldaps://172.16.17.1
# username for binding
binddn cn=openvpn-auth,dc=example,dc=com
# password for binding
bindpass strong-password
# timeout on bind operation
bindtimeout 10
# be more verbose
debug 0
# where to search for users
basedn OU=users,DC=example,DC=com
# allow only users who match this filter
userfilter (&(objectClass=inetOrgPerson)(user=%u)(memberOf=CN=openvpn-users,CN=groups,DC=example,DC=com))

...where %u is a placeholder for username. You may test your config with special tool, named oal-test. This tool takes line with username and password separated by space(s) and says is auth successfull or not.

If everything works fine, you'll can continue.

Next you need to move this config to secure place and make sure that only root can read it.

mv auth-ldap.conf /etc/openvpn/
cd /etc/openvpn/
chmod 600 auth-ldap.conf
chown root:root auth-ldap.conf

Next, you need load your plugin in openvpn config. Add this line to actual config:

plugin /usr/lib/openvpn/openvpn-plugin-auth-ldap.so "/etc/openvpn/auth-ldap.conf"

... and restart oenvpn.

Notes

This project is a replacement for original openvpn-ldap-auth, which written in obj-c and requires half of gnustep as deps.

This project has no goal being 1:1 compatible with original. Also, some important features still missing (like SSL/TLS encryption). But it's works, and can save you from installing a bunch of GNUStep bloatware.

If you want some feature or found a bug, please open an issue on github.