This document describes the process of Authenticating Users in OpenVPN against LDAP.
How does this extension work?
The extension is a script that the OpenVPN server calls. It queries the LDAP server to check whether the given user is in the specified group and whether the username and password are correct.
- The user enters the login data
- The OpenVPN server calls ovpnldapauth.sh
- The bash script queries the LDAP server and returns the reply
Prerequisites
- A user account that is allowed to search the Active Directory
- Shell access to ipFire
- You must enable "Advanced Options" in the Advanced Server-Settings Menu
openvpn-server configuration
# add this line to /var/ipfire/ovpn/scripts/server.local.conf
auth-user-pass-verify /var/ipfire/ovpnldapauth.sh via-env
openvpn-client configuration
# add this line to /var/ipfire/ovpn/scripts/client.local.conf
auth-user-pass
OVPN Authentication
#!/bin/bash
# Called by OpenVPN through "auth-user-pass-verify ... via-env": the client's
# credentials arrive in the environment variables username and password
# (via-env requires script-security 3 in the OpenVPN server configuration).
searchDN="DC=contoso,DC=com"
searchUser="CN=ipfire,OU=users,DC=contoso,DC=com"
searchUserPW="password"
LDAPHost="10.0.0.1"
# basic_ldap_auth reads one "username password" line on stdin, binds as
# searchUser, looks the user up with the filter (%s is replaced by the
# username), then binds as that user and prints OK or ERR.
RES=$(echo "$username $password" | /usr/lib/squid/basic_ldap_auth -b "$searchDN" -f "(&(objectClass=person)(sAMAccountName=%s))" -D "$searchUser" -w "$searchUserPW" -R -H "$LDAPHost")
# Exit 0 accepts the connection, anything else rejects it. Quoting $RES keeps
# an empty helper reply from becoming a shell syntax error.
if [ "$RES" = "OK" ]
then
    exit 0
else
    exit 1
fi
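To show the contract the script above is bound by, here is an added example (not code from the ipFire page): it writes a stub in place of basic_ldap_auth and a quoted version of the verify script into a temporary directory, then calls the script the way OpenVPN's via-env mode does. The stub, the temporary paths and the alice/s3cret credentials are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the ipFire page: exercises the via-env contract
# offline. A stub stands in for /usr/lib/squid/basic_ldap_auth, so no LDAP
# server is needed; the alice/s3cret credentials below are constructed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stub helper speaking the squid basic-auth helper protocol: one
# "username password" line on stdin, a reply of OK or ERR on stdout.
cat > "$WORK/basic_ldap_auth" <<'EOF'
read -r user pass
if [ "$user" = "alice" ] && [ "$pass" = "s3cret" ]; then echo OK; else echo ERR; fi
EOF

# Verify script under test. Variables and the test are quoted so that an empty
# or missing helper reply rejects the login instead of raising a syntax error.
# (The real helper percent-decodes both fields, so a password containing a
# space or '%' must be percent-encoded before it is piped in.)
cat > "$WORK/ovpnldapauth.sh" <<EOF
RES=\$(printf '%s %s\n' "\$username" "\$password" | sh "$WORK/basic_ldap_auth")
if [ "\$RES" = "OK" ]; then exit 0; else exit 1; fi
EOF

# Emulates OpenVPN's via-env call: the credentials are exported as the
# environment variables username and password, and exit status 0 accepts the
# client while any other status rejects it.
ovpn_verify() {
    username="$1" password="$2" sh "$WORK/ovpnldapauth.sh"
}

ovpn_verify alice s3cret && echo "alice/s3cret accepted"
ovpn_verify alice wrong  || echo "alice/wrong rejected"
ovpn_verify "" ""        || echo "empty credentials rejected"
```

Replace the stub path with the real helper and the searchDN/searchUser/LDAPHost settings from the script above to run the same check against the directory.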