跳到主要内容

openvpn对接ldap

1.安装 openvpn ldap认证插件

yum -y install openvpn-auth-ldap

2.修改 openvpn ldap认证文件

修改 /etc/openvpn/auth/ldap.conf

<LDAP>
URL ldap://xxx:389  # 指定ldap server地址以及端口
BindDN "cn=xxx,dc=xxx,dc=com"   # 指定binddn信息即管理员信息
Password "xxx"            # 指定管理员密码
Timeout 15   # 设置网络超时时间
TLSEnable no # 是否使用TLS
FollowReferrals yes
</LDAP>
<Authorization>
BaseDN "dc=xxx,dc=com"   # 指定base dn 域
SearchFilter "uid=%u"    # 指定搜索条件,此处若使用cn作为用户名,则不用修改,默认为 (&(uid=%u)(accountStatus=active)) ,但是不好使,原因未知
RequireGroup false
</Authorization>

/etc/openvpn/auth/ldap.conf 默认内容如下

<LDAP>
# LDAP server URL
URL ldap://ldap1.example.org

# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com

# Bind Password
# Password SecretPassword

# Network timeout (in seconds)
Timeout 15

# Enable Start TLS
TLSEnable yes

# Follow LDAP Referrals (anonymously)
FollowReferrals yes

# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem

# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs

# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem

# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
# Base DN
BaseDN "ou=People,dc=example,dc=com"

# User Search Filter
SearchFilter "(&(uid=%u)(accountStatus=active))"

# Require Group Membership
RequireGroup false

# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users

<Group>
BaseDN "ou=Groups,dc=example,dc=com"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>

3.修改 openvpn 配置文件

修改 /etc/openvpn/server/server.conf 新增如下两行

# 指定ldap认证插件地址,此处操作系统为64位。并指定auth ldap认证配置文件位置。
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf %u"

# 设置客户端可以不用通过证书认证,输入ldap中用户名和密码即可实现认证。
client-cert-not-required

4.修改openvpn客户端文件

修改 client.ovpn (此文件为安装openvpn时指定的以 ovpn 结尾的文件)

;cert xxx.crt                                  # 客户端证书,因使用ldap认证,所以注释
;key xxx.key # 客户端密钥,因使用ldap认证,所以注释
auth-user-pass # 开启用户名密码认证
Right Bottom Gif
Right Top GIF