OpenVPN LDAP Auth

This document describes the process of Authenticating Users in OpenVPN against LDAP.

How does this extension work?

The extension is a script that is called by the openVPN Server which starts a query towards LDAP asking if the given user is is the specified group and if the server-name/passwords are correct.

• User inserts the LoginData
• OVPNServer calls ovpnldapauth.sh
• the bash script queries the LDAP Server and returns the reply

Prerequisites

• A User to search the Active Directory
• Shell Access to ipFire
• You must enable "Advanced Options" in the Advanced Server-Settings Menu

openvpn-server configuration

#add this line to /var/ipfire/ovpn/scripts/server.local.conf
auth-user-pass-verify /var/ipfire/`ovpnldapauth`.sh via-env

openvpn-client configuration

# add this line to /var/ipfire/ovpn/scripts/client.local.conf
auth-user-pass

OVPN Authentication

#!/bin/bash
searchDN = "DC=contoso,DC=com"
searchUser = "CN=ipfire,OU=users,DC=contoso,DC=com"
searchUserPW = "password"
LDAPHost = "10.0.0.1"

RES=$(echo "$username $password" | /usr/lib/squid/basic_ldap_auth -b "$searchDN" -f "(&(objectClass=person)(sAMAccountName=%s))" -D $searchUser -w $searchUserPW -R -H $LDAPHost

if [ $RES = "OK" ]
then
 exit 0
else
 exit 1
fi

Links

• IPFire Forum - OpenVPN and LDAP