oal/README.md

Overview
--------

This is alternative LDAP auth module for openvpn.

Runtime requirements:

* openvpn
* libldap

Build requirements:

* cmake
* openvpn headers
* libldap headers

Installation
------------

    cmake -DCMAKE_BUILD_TYPE=Release .
    make
    make test
    sudo make install

Configuration
-------------

Firstly, you need to create config file for module.
Example config:

    # this is comment
    # server(s) to connect
    bindurls ldap://127.0.0.1 ldaps://172.16.17.1
    # username for binding
    binddn cn=openvpn-auth,dc=example,dc=com
    # password for binding
    bindpass strong-password
    # timeout on bind operation
    bindtimeout 10
    # be more verbose
    debug 0
    # where to search for users
    basedn OU=users,DC=example,DC=com
    # allow only users who match this filter
    userfilter (&(objectClass=inetOrgPerson)(user=%u)(memberOf=CN=openvpn-users,CN=groups,DC=example,DC=com))

...where %u is a placeholder for username.
You may test your config with special tool, named `oal-test`.
This tool takes lines with username and password, separated by space and will say is this pair valid or not.

If everything works fine, you'll can continue.

Next you need to move this config to secure place and make sure that only root can read it.

    mv auth-ldap.conf /etc/openvpn/
    cd /etc/openvpn/
    chmod 600 auth-ldap.conf
    chown root:root auth-ldap.conf

Next, you need load your plugin in openvpn config.
Add this line to actual config:

    plugin /usr/lib/openvpn/openvpn-plugin-auth-ldap.so "/etc/openvpn/auth-ldap.conf"

... and restart oenvpn.

Notes
-----

This project is a replacement for original [openvpn-ldap-auth](https://github.com/threerings/openvpn-auth-ldap),
which written in obj-c and requires half of gnustep as deps.

This project has no goal being 1:1 compatible with original.
Also, some important features still missing (like SSL/TLS encryption).
But it's works, and can save you from installing a bunch of GNUStep bloatware.

If you want some feature or found a bug, please open an issue on github.
* add README 8 years ago			`Overview`
			`--------`

			`This is alternative LDAP auth module for openvpn.`

			`Runtime requirements:`

			`* openvpn`
			`* libldap`

			`Build requirements:`

			`* cmake`
			`* openvpn headers`
			`* libldap headers`

			`Installation`
			`------------`

* update readme 8 years ago			`cmake -DCMAKE_BUILD_TYPE=Release .`
* add README 8 years ago			`make`
			`make test`
			`sudo make install`

			`Configuration`
			`-------------`

			`Firstly, you need to create config file for module.`
			`Example config:`

			`# this is comment`
			`# server(s) to connect`
			`bindurls ldap://127.0.0.1 ldaps://172.16.17.1`
			`# username for binding`
			`binddn cn=openvpn-auth,dc=example,dc=com`
			`# password for binding`
			`bindpass strong-password`
			`# timeout on bind operation`
			`bindtimeout 10`
			`# be more verbose`
			`debug 0`
			`# where to search for users`
			`basedn OU=users,DC=example,DC=com`
			`# allow only users who match this filter`
* update readme 8 years ago			`userfilter (&(objectClass=inetOrgPerson)(user=%u)(memberOf=CN=openvpn-users,CN=groups,DC=example,DC=com))`
* add README 8 years ago
* update readme 8 years ago			`...where %u is a placeholder for username.`
			You may test your config with special tool, named `oal-test`.
			`This tool takes lines with username and password, separated by space and will say is this pair valid or not.`
* add README 8 years ago
* update readme 8 years ago			`If everything works fine, you'll can continue.`

			`Next you need to move this config to secure place and make sure that only root can read it.`

			`mv auth-ldap.conf /etc/openvpn/`
* add README 8 years ago			`cd /etc/openvpn/`
			`chmod 600 auth-ldap.conf`
			`chown root:root auth-ldap.conf`

			`Next, you need load your plugin in openvpn config.`
			`Add this line to actual config:`

* update readme 8 years ago			`plugin /usr/lib/openvpn/openvpn-plugin-auth-ldap.so "/etc/openvpn/auth-ldap.conf"`
* add README 8 years ago
			`... and restart oenvpn.`

			`Notes`
			`-----`

			`This project is a replacement for original [openvpn-ldap-auth](https://github.com/threerings/openvpn-auth-ldap),`
			`which written in obj-c and requires half of gnustep as deps.`

			`This project has no goal being 1:1 compatible with original.`
			`Also, some important features still missing (like SSL/TLS encryption).`
			`But it's works, and can save you from installing a bunch of GNUStep bloatware.`
* update readme 8 years ago
			`If you want some feature or found a bug, please open an issue on github.`