LDAP or certificate authentication

How to customize and extend your OpenVPN installation.
Post Reply
Yacudzer
OpenVPN User
Posts: 24
Joined: Tue Apr 28, 2020 8:55 pm

LDAP or certificate authentication

Post by Yacudzer » Wed Sep 02, 2020 3:39 pm

I tried to add LDAP authentication using module openvpn-auth-ldap and I see some troubles:
  • this LDAP module cannot work correctry using SSL (ldaps);
  • if I add module openvpn-auth-ldap, I cannot to use certificate authentication;
I need to make next configuration of my server:
  • using certificate for authentication;
  • if no certificate - check login and passoword using LDAPs;
  • if no login and password - reject with authentication.
I would to ask - should I create a script or can it be implemented using standard method??

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: LDAP or certificate authentication

Post by TinCanTech » Wed Sep 02, 2020 7:04 pm

Yacudzer wrote:
Wed Sep 02, 2020 3:39 pm
should I create a script or can it be implemented using standard method??
There are options which get you part way there.

See the manual for --client-cert-not-required and --auth-user-pass-optional

Your script will ultimately have to be the arbiter ..

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7790
Joined: Fri Jun 03, 2016 1:17 pm

Re: LDAP or certificate authentication

Post by TinCanTech » Thu Sep 03, 2020 12:26 am

Also, EasyTLS could provide you the security barrier which you seek:
https://github.com/TinCanTech/easy-tls

Yacudzer
OpenVPN User
Posts: 24
Joined: Tue Apr 28, 2020 8:55 pm

Re: LDAP or certificate authentication

Post by Yacudzer » Thu Sep 03, 2020 5:57 am

TinCanTech wrote:
Wed Sep 02, 2020 7:04 pm
Yacudzer wrote:
Wed Sep 02, 2020 3:39 pm
should I create a script or can it be implemented using standard method??
There are options which get you part way there.

See the manual for --client-cert-not-required and --auth-user-pass-optional

Your script will ultimately have to be the arbiter ..
I understanding that such task cannot be solved without a script?

And I read that using option --verify-client-cert better than --client-cert-not-required, isnt it?
And with wich option I must to start verification script?
Thanks!

Post Reply