Alex 'AdUser' Z 8eb7b6de2e * add README 8 years ago

README.md

Overview

This is an alternative LDAP auth module for openvpn.

Runtime requirements:

  • openvpn
  • libldap

Build requirements:

  • cmake
  • openvpn headers
  • libldap headers

Installation

cmake -DCMAKE_BUILD_TYPE=Release .
make
make test
sudo make install

Configuration

First, you need to create a config file for the module. Example config:

# this is comment
# server(s) to connect
bindurls ldap://127.0.0.1 ldaps://172.16.17.1
# username for binding
binddn cn=openvpn-auth,dc=example,dc=com
# password for binding
bindpass strong-password
# timeout on bind operation
bindtimeout 10
# be more verbose
debug 0
# where to search for users
basedn OU=users,DC=example,DC=com
# allow only users who match this filter
userfilter (&(objectClass=inetOrgPerson)(user=%s)(memberOf=CN=openvpn-users,CN=groups,DC=example,DC=com))

Then, move this config to a secure place and make sure that only root can read it (it contains the bind password):

install -m 0600 -o root -g root auth-ldap.conf /etc/openvpn/
cd /etc/openvpn/
chmod 600 auth-ldap.conf
chown root:root auth-ldap.conf

Next, load the plugin in your openvpn config. Add this line to the actual config:

plugin /usr/lib/openvpn/oal.so "/etc/openvpn/auth-ldap.conf"

... and restart openvpn.
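The userfilter line in the example config above substitutes the supplied username for %s. The page does not describe how oal.so performs that substitution; the following is an added example, not the project's code, showing the defensive way to do it in C: escape the RFC 4515 filter metacharacters in the username first, so the value spliced into the filter can only ever match as a literal.

```c
#include <string.h>

/* Escape a username for use inside an LDAP search filter (RFC 4515):
 * the characters * ( ) and \ become \2a \28 \29 \5c. Returns the number
 * of bytes written (excluding the NUL), or -1 if the buffer is too small. */
int ldap_filter_escape(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (o + 3 >= outlen) return -1;          /* worst case: 3 bytes */
        if (*p == '*' || *p == '(' || *p == ')' || *p == '\\') {
            out[o++] = '\\';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
        } else {
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return (int)o;
}
/* Render the userfilter template from the config file: every %s is
 * replaced by the escaped username, so the user cannot change the filter's
 * structure. Returns the rendered length, or -1 on overflow. */
int render_userfilter(const char *tmpl, const char *user, char *out, size_t outlen)
{
    char esc[256];
    size_t o = 0, esclen;
    if (ldap_filter_escape(user, esc, sizeof esc) < 0) return -1;
    esclen = strlen(esc);
    for (const char *t = tmpl; *t; t++) {
        if (t[0] == '%' && t[1] == 's') {
            if (o + esclen >= outlen) return -1;
            memcpy(out + o, esc, esclen);
            o += esclen;
            t++;                                  /* skip the 's' */
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *t;
        }
    }
    out[o] = '\0';
    return (int)o;
}
/* Convenience check (hypothetical helper): render and compare to an expected filter. */
int userfilter_matches(const char *tmpl, const char *user, const char *expected)
{
    char buf[1024];
    return render_userfilter(tmpl, user, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}
```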

Notes

This project is a replacement for the original openvpn-ldap-auth, which is written in Objective-C and requires half of GNUstep as dependencies.

This project does not aim to be 1:1 compatible with the original. Also, some important features are still missing (like SSL/TLS encryption). But it works, and can save you from installing a bunch of GNUstep bloatware.