Authenticating OpenVPN clients from Active Directory (LDAP)

OpenVPN tutorials ranging from configuration to hacks to compilation will be posted here.
Locked
Gorkhaan
OpenVPN User
Posts: 11
Joined: Wed Mar 03, 2010 11:28 am

Authenticating OpenVPN clients from Active Directory (LDAP)

Post by Gorkhaan » Sun Jun 02, 2013 3:35 pm

Hello there.

Let me share this quick and dirty howto with you. This setup authenticates users from the AD, using a group, called "OpenVPN Users".

What you need to have:
  • Active Directory or other LDAP solution (OpenLDAP)
  • openvpn-auth-ldap package (so)
  • AD Group
CentOS, RHEL, etc:

Code: Select all

[ec2-user@naboo ~]$ yum search openvpn | grep ldap
openvpn-auth-ldap.x86_64 : OpenVPN plugin for LDAP authentication
openvpn-auth-ldap-debuginfo.x86_64 : Debug information for package
Debian, Ubuntu, etc:

Code: Select all

gorkhaan@kamino:~$ apt-cache search openvpn | grep ldap
openvpn-auth-ldap - OpenVPN LDAP authentication module
Install correspoding package and OpenVPN:
  • yum install openvpn openvpn-auth-ldap.x86_64
  • apt-get install openvpn openvpn-auth-ldap
I have a setup based on Amazon AMI, so I'll go with that.

Files
  • Copy "vpnserver-ldap-auth.conf" to "/etc/openvpn/vpnserver-ldap-auth.conf"

    Code: Select all

    mode server
    tls-server
    port 443
    #local x.x.x.x
    proto tcp
    dev tun
    
    topology subnet 
    
    ca ca.crt
    cert vpnserver.crt
    key vpnserver.key
    dh dh2048.pem
    
    script-security 2
    username-as-common-name
    
    ### PAM AUTH ###
    #auth-user-pass-verify "auth-pam.pl" via-file
    ################
    
    ### LDAP AUTH ###
    plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "ldap-auth.config"
    #################
    
    #tmp-dir "/tmp"
    
    #up "/etc/openvpn/skyvpnserver/tuzfal_all"
    
    server 192.168.222.0 255.255.255.0
    push "route 10.0.0.0 255.255.0.0"
    # push "dhcp-option DNS 192.168.222.1"
    
    
    #push "redirect-gateway def1"
    #push "dhcp-option DNS 8.8.8.8"
    #push "dhcp-option DOMAIN darkhole.hu"
    
    #push "shaper 1310720"
    #shaper 1310720
    
    #port-share x.x.x.x 3128
    
    inactive 600
    tcp-nodelay
    #fast-io 
    
    keepalive 10 120
    comp-lzo
    
    persist-key
    persist-tun
    
    status onlineusers.log 5
    status-version 1
    ifconfig-pool-persist fixip.txt 0
    #management 127.0.0.1 1195 telnet.passwd
    
    verb 3
    mute 10
    reneg-sec 1800
    
  • Copy "ldap-auth.config" to "/etc/openvpn/ldap-auth.config"

    Code: Select all

    <LDAP>
            # LDAP server URL
            URL             ldap://subdomain.domain.ltd:389
    
            # Bind DN (If your LDAP server doesn't support anonymous binds)
            #BindDN         uid=admin,ou=Users,dc=test,dc=com
            BindDN          "CN=MyReadOnlyUser,OU=Service Accounts,DC=subdomain,DC=domain,DC=ltd"
    
            # Bind Password
            Password        "MyReadOnlyUserPassword"
    
            # Network timeout (in seconds)
            Timeout         15
    
            # Enable Start TLS
            TLSEnable       no
    
            # Follow LDAP Referrals (anonymously)
            FollowReferrals no
    
            # TLS CA Certificate File
            TLSCACertFile   /usr/local/etc/ssl/ca.pem
    
            # TLS CA Certificate Directory
            TLSCACertDir    /etc/ssl/certs
    
            # Client Certificate and key
            # If TLS client authentication is required
            TLSCertFile     /usr/local/etc/ssl/client-cert.pem
            TLSKeyFile      /usr/local/etc/ssl/client-key.pem
    
            # Cipher Suite
            # The defaults are usually fine here
            # TLSCipherSuite        ALL:!ADH:@STRENGTH
    </LDAP>
    
    <Authorization>
            # Base DN
            #BaseDN         "CN=Users,DC=test,DC=com"
            BaseDN          "DC=subdomain,DC=domain,DC=ltd"
    
            # User Search Filter
            #SearchFilter   "(&(uid=%u)(accountStatus=active))"
            #SearchFilter   "(&(sAMAccountName=%u)(msNPAllowDialin=TRUE))"
            SearchFilter    "(&(sAMAccountName=%u))" 
    
            # Require Group Membership
            RequireGroup    true
    
            # Add non-group members to a PF table (disabled)
            #PFTable        ips_vpn_users
    
            <Group>
                    BaseDN          "DC=subdomain,DC=domain,DC=ltd"
                    SearchFilter    "(cn=OpenVPN Users)"
                    MemberAttribute "member"
                    # Add group members to a PF table (disabled)
                    #PFTable        ips_vpn_eng
            </Group>
    </Authorization>
    
    
  • Use these files as a template. Go through on every line and modify it to your needs.
  • Set up iptables masquerading, etc.
Referals:

BertNagy
OpenVpn Newbie
Posts: 1
Joined: Thu Sep 12, 2013 10:23 pm

Re: Authenticating OpenVPN clients from Active Directory (LD

Post by BertNagy » Thu Sep 12, 2013 11:00 pm

Hi!
Unfortunately it cant work for me.
It's maybe an autentication problem.
Here is my openvpn.log:
"Fri Sep 13 00:20:44 2013 us=756184 MULTI: multi_create_instance called
Fri Sep 13 00:20:44 2013 us=756303 92.121.66.124:63867 Re-using SSL/TLS context
Fri Sep 13 00:20:44 2013 us=756331 92.121.66.124:63867 LZO compression initialized
Fri Sep 13 00:20:44 2013 us=756440 92.121.66.124:63867 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Sep 13 00:20:44 2013 us=756461 92.121.66.124:63867 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Sep 13 00:20:44 2013 us=756508 92.121.66.124:63867 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Sep 13 00:20:44 2013 us=756521 92.121.66.124:63867 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Sep 13 00:20:44 2013 us=756544 92.121.66.124:63867 Local Options hash (VER=V4): '530fdded'
Fri Sep 13 00:20:44 2013 us=756563 92.121.66.124:63867 Expected Remote Options hash (VER=V4): '41690919'
RFri Sep 13 00:20:44 2013 us=756611 92.121.66.124:63867 TLS: Initial packet from [AF_INET]92.121.66.124:63867, sid=949bb44a 3fb43aa6
WRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRFri Sep 13 00:20:45 2013 us=157241 92.121.66.124:63867 VERIFY OK: depth=1, /C=HU/ST=Hungary/L=Budapest/O=MULTI_ARTIST/CN=srvovpn/emailAddress=rendszergazda@multiartist.hu
Fri Sep 13 00:20:45 2013 us=157574 92.121.66.124:63867 VERIFY OK: depth=0, /C=HU/ST=Hungary/L=Budapest/O=MULTI_ARTIST/CN=ovpnldap/emailAddress=ovpnldap@multiartist.hu
WRWRWRWRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRLDAP bind failed immediately: Can't contact LDAP server
Unable to bind as CN=ovpnldap,OU=Multiartist,DC=dm,DC=local
LDAP connect failed.
Fri Sep 13 00:20:50 2013 us=222344 92.121.66.124:63867 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Sep 13 00:20:50 2013 us=222368 92.121.66.124:63867 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
Fri Sep 13 00:20:50 2013 us=222413 92.121.66.124:63867 TLS Auth Error: Auth Username/Password verification failed for peer
WWWRWRRRFri Sep 13 00:20:50 2013 us=237766 92.121.66.124:63867 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Sep 13 00:20:50 2013 us=237810 92.121.66.124:63867 [ovpnldap] Peer Connection Initiated with [AF_INET]92.121.66.124:63867
RFri Sep 13 00:20:52 2013 us=379108 92.121.66.124:63867 PUSH: Received control message: 'PUSH_REQUEST'
Fri Sep 13 00:20:52 2013 us=379138 92.121.66.124:63867 Delayed exit in 5 seconds
Fri Sep 13 00:20:52 2013 us=379178 92.121.66.124:63867 SENT CONTROL [ovpnldap]: 'AUTH_FAILED' (status=1)
WWWFri Sep 13 00:20:57 2013 us=425525 92.121.66.124:63867 SIGTERM[soft,delayed-exit] received, client-instance exiting
"

Please help me to find out what's wrong :roll:
My LDAP server is on the same privat network that's a Windows SBS2010.

Thanks.

Eddie2014
OpenVpn Newbie
Posts: 1
Joined: Sat May 10, 2014 1:38 am

Re: Authenticating OpenVPN clients from Active Directory (LD

Post by Eddie2014 » Sat May 10, 2014 1:55 am

Hi! i haven the same problen, you tray with "/etc/ldap/ldap.conf"
=============================================================
# LDAP server URL
URL ldap://ldap1.example.org

changue for:

# LDAP server URL
URL ldap1.example.org:port or ip:port
=============================================================

and in the "etc/openvpn/auth/auth-ldap.conf":

=============================================================
<LDAP>
# LDAP server URL
URL ldap://ip:port

# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN user@domain.local
# Bind Password
Password "yourpass"
==============================================================

and install the pacht: openvpn-auth-ldap 2.0.3-5.1
i used debian 7 for the server!

PD: sorry my english is not god, help from argentina!

Rudi Swennen
OpenVpn Newbie
Posts: 1
Joined: Wed May 28, 2014 8:27 am

Re: Authenticating OpenVPN clients from Active Directory (LD

Post by Rudi Swennen » Wed May 28, 2014 10:10 am

Hello,

I have the same issue. I tested the LDAP connection with Apache Directory studio and the LDAP connection is working, with the same user I configure in my VPN-server.

I get the following error:
May 28 09:59:37 19880735 ovpn-server[18639]: LDAP bind failed immediately: Can't contact LDAP server
May 28 09:59:37 19880735 ovpn-server[18639]: Unable to bind as CN=user,DC=depart,DC=organisation,DC=fr
May 28 09:59:37 19880735 ovpn-server[18639]: LDAP connect failed.

root@server:/etc/openvpn# cat auth-ldap.conf
<LDAP>
URL ldaps://10.10.10.10:636
BindDN CN=user,DC=depart,DC=organisation,DC=fr
Password "ARZT32465TYJH"
TLSEnable no
FollowReferrals no
Timeout 5
</LDAP>
<Authorization>
BaseDN "OU=users,DC=depart,DC=organisation,DC=fr"
SearchFilter "(sAMAccountName=some_real_user)"
RequireGroup false
</Authorization>

Thanks for the help.

Gorkhaan
OpenVPN User
Posts: 11
Joined: Wed Mar 03, 2010 11:28 am

Re: Authenticating OpenVPN clients from Active Directory (LD

Post by Gorkhaan » Tue Oct 07, 2014 2:23 pm

Unfortunately this authentication method is broken. I had to find an alternative. I found this perl script what basically does the same job perfectly after a little ldapsearch filtering magic.

Download script from here: https://github.com/analogrithems/openvpn-auth-ldap-perl

Downside: Plaintext ldap communication. Workaround: firewall it? Set it up with SSL?

Dependencies

Code: Select all

apt-get update
apt-get install libauthen-simple-ldap-perl libconfig-simple-perl
Use this command to test your LDAP Filter

Code: Select all

ldapsearch -LLL  -H ldap://ip.to.ldap.server -x  -D 'MYDOMAIN\BINDDUSER' -w 'BINDDPASSWORD' -E pr=1000/noprompt -b 'dc=mydomain,dc=domain,dc=com' '(&(objectClass=organizationalPerson)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user)(memberOf=CN=PowaVPNUsers,OU=ServiceObjects,DC=mydomain,DC=domain,DC=com)(sAMAccountName=USERNAMEHERE))'  | less
To see this better
(&
(objectClass=organizationalPerson)
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
(objectClass=user)
(memberOf=CN=PowaVPNUsers,OU=ServiceObjects,DC=mydomain,DC=domain,DC=com)
(sAMAccountName=%s)
)
How to read this
(person) AND (not(user account is disabled)) AND (userobject) AND (Groupfiltering with memberOf) AND (sAMAccountName is user1)
Example ldap-auth.pl config file

Code: Select all

host = 'ldap.server.ip.here'
basedn = 'DC=mydomain,DC=domain,DC=com'
binddn = 'CN=BINDDUSERNAME,OU=ServiceObjects,DC=mydomain,DC=domain,DC=com'
bindpw = 'BINDDPASSWORD'
port = 389
version = 3
filter = '(&(objectClass=organizationalPerson)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user)(memberOf=CN=PowaVPNUsers,OU=ServiceObjects,DC=mydomain,DC=domain,DC=com)(sAMAccountName=%s))'
#filter = '(sAMAccountName=%s)'
#scope = 'sub'

Gorkhaan
OpenVPN User
Posts: 11
Joined: Wed Mar 03, 2010 11:28 am

Re: Authenticating OpenVPN clients from Active Directory (LD

Post by Gorkhaan » Wed Oct 08, 2014 2:41 pm

Another solution using a bash script and ldapsearch.

You can extend this setup with SSL capabilities. Basically you need Certificates to achieve this:
http://social.technet.microsoft.com/wik ... icate.aspx

Install required package

Code: Select all

sudo apt-get install ldap-utils
Config option from OpenVPN Server

Code: Select all

### Authentication Setting ###
script-security 2
username-as-common-name
auth-user-pass-verify ldapsearch-auth.sh via-file
ldapsearch-auth.sh
Drop this script next to your server config, then do chmod +x on it. First it binds to AD with a service account. If user is found it tries to bind to AD again with openvpn user and the openvpn user's password to see if the password is correct. If the password is wrong this code snippet checks "if [ $? != 0 ]; then" the previous command's exit status and makes a decision. If ldapsearch could not bind, that means the password is wrong and the script exists with error status 1, denying the login of the given OpenVPN User.

Code: Select all

#!/bin/bash

TMPFILE="${1}" # Temp file from OpenVPN
OPENVPN_USERNAME="`head -n1 ${TMPFILE} | tail -n1`"
OPENVPN_PASSWORD="`head -n2 ${TMPFILE} | tail -n1`"

LDAP_HOST="ldap://mydomain.domain.com:389"
LDAP_DOMAIN="MYDOMAIN"
LDAP_BINDDN="dc=mydomain,dc=domain,dc=com"
LDAP_BINDUSER="${LDAP_DOMAIN}\\ldapreadonly"
LDAP_BINDPASSWORD="ldapreadonlyPASSWORD"
LDAP_SEARCHFILTER="(&(objectClass=organizationalPerson)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user)(memberOf=CN=VPNUsers,OU=ServiceObjects,DC=mydomain,DC=domain,DC=com)(sAMAccountName=${OPENVPN_USERNAME}))"

LDAP_SAMACCOUNTNAME=`ldapsearch -LLL -H "${LDAP_HOST}" -x -D "${LDAP_BINDUSER}" -w "${LDAP_BINDPASSWORD}" -E pr=1000/noprompt -b "${LDAP_BINDDN}" "${LDAP_SEARCHFILTER}" | grep sAMAccountName | awk -F ":" '{print $2}' | sed -r 's/[[:space:]]//'`
if [ "${LDAP_SAMACCOUNTNAME}" == "" ]; then
        echo "LDAPAUTH: Wrong username or the user got filtered out by searchfilter (disabled account or group membership)"
        exit 1
fi

ldapsearch -LLL -H "${LDAP_HOST}" -x -D "${LDAP_DOMAIN}\\${LDAP_SAMACCOUNTNAME}" -w "${OPENVPN_PASSWORD}" -E pr=1000/noprompt -b "${LDAP_BINDDN}" "${LDAP_SEARCHFILTER}" &> /dev/null
if [ $? != 0 ]; then
        echo "LDAPAUTH: Wrong password for user: ${LDAP_DOMAIN}\\${LDAP_SAMACCOUNTNAME}"
        exit 1
fi

exit 0
Enjoy

harald
OpenVpn Newbie
Posts: 2
Joined: Sat Oct 10, 2015 8:01 pm

Re: Authenticating OpenVPN clients from Active Directory (LD

Post by harald » Sat Oct 10, 2015 8:26 pm

Solution using a python script and StartTLS

I wanted to have a solution that works with StartTLS. I wrote a python script that uses python-ldap. It will also check for required group membership.

A prerequisite for is script to work is that the the supplied credentials of a connecting user can be used connect to the LDAP server from the OpenVPN server (in case that it is a valid user with a valid password). This way, we don't need an LDAP proxy agent user with its username and password supplied in the script for LDAP searching.

Here is the code, just in case that it is useful for anyone. You may need to adapt the LDAP stuff to your individual needs.

Code: Select all

#!/usr/bin/python

# getpass is only needed for testing
import getpass
import ldap
import sys

# Set to True to be asked for username and passwort on command line.
# Good for testing, script run doesn't like it.
test = False 

group = 'vpnusers'

ldap_server = 'ldap://ldap.example.com:389'
cacert = '/usr/local/ldap/cacert.pem'
base_dn = 'dc=example,dc=com'
member_attr = 'memberUid'

ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, cacert)

uid = ''
pw = ''

if test:
  print 'AUTH-SCRIPT: Test mode'
  sys.stdout.write('Username: ')
  uid = sys.stdin.readline().rstrip('\n')
  pw = getpass.getpass('Password: ')
elif len(sys.argv) > 1:
  try:
    cred_file = open(sys.argv[1], 'r')
    uid = cred_file.readline().rstrip('\n')
    pw = cred_file.readline().rstrip('\n')
    cred_file.close()
  except e:
    print 'AUTH-SCRIPT:', e
    sys.exit(1)

uid_dn = 'uid=%s,ou=people,%s' % (uid, base_dn)
group_dn = 'cn=%s,ou=groups,%s' % (group, base_dn)

print 'AUTH-SCRIPT: Attempted login from user: %s' % (uid_dn)

try:
  con = ldap.initialize(ldap_server)
  try: 
    con.start_tls_s()
    con.simple_bind_s(uid_dn, pw)
  except ldap.INVALID_CREDENTIALS:
    print 'AUTH-SCRIPT: Username or password is incorrect.'
    sys.exit(2)
  except ldap.LDAPError, e:
    if type(e.message) == dict and e.message.has_key('desc'):
      print 'AUTH-SCRIPT: %s' % (e.message['desc'])
    else: 
      print e
    sys.exit(3)

  print 'AUTH-SCRIPT: LDAP connection from OpenVPN by: %s' % (con.whoami_s())

  status = 4
  if con.compare_s(group_dn, member_attr, uid):
    print 'AUTH-SCRIPT: User %s is a member of group %s. Granting access.' % (uid, group)
    status = 0
  else:
    print 'AUTH-SCRIPT: User %s is not a member of group %s. Denying access.' % (uid, group)

finally:
  con.unbind()

sys.exit(status)
Install python and python-ldap, put the script to /etc/openvpn, make it executable and append the following to your server conf:

Code: Select all

script-security 2
tmp-dir "/dev/shm"
auth-user-pass-verify openvpn-ldap-auth.py via-file 
client-cert-not-required
Assumed script name is openvpn-ldap-auth.py. If you don't have /dev/shm, put in another temp directory. Best is to have one that is not on-disk.

harald
OpenVpn Newbie
Posts: 2
Joined: Sat Oct 10, 2015 8:01 pm

Re: Authenticating OpenVPN clients from Active Directory (LDAP)

Post by harald » Sun Nov 13, 2016 6:38 pm

Solution using ldapcompare command from ldap-utils package in a Linux shell script

This example works very similar to the python-ldap example above.

Put this code into text file and afterwards chmod +x:

Code: Select all

#!/bin/bash

TEST_MODE=false # Test mode to use script from command line, being prompted for username and password
LDAP_SERVER='ldap.example.com'
BASE_DN='dc=example,dc=com'
MEMBER_ATTR='memberUid'
VPN_GROUP='vpnusers'
CRED_FILE="$1" # Temporary file with credentials (username, password) is passed to script as first argument
MAX_LEN=256 # Maximum length in characters of username and password; longer strings will not be accepted 


uid=''
pw=''

if $TEST_MODE
  then
  echo "Running in test mode"
  read -p "Username: " uid 
  read -s -p "Password: " pw 
  echo
elif ! [ -r "$CRED_FILE" ]
  then
  echo "ERROR: Credentials file '${CRED_FILE}' does not exist or is not readable"
  exit 1
elif [ $(wc -l <"CRED_FILE") -ne 2 ]
  then
  echo "ERROR: Credentials file '${CRED_FILE}' does not exactly how two lines of text"
  exit 2
else
  echo "Reading username and password from credentials file '${CRED_FILE}'"
  uid=$(head -n 1 "$CRED_FILE")
  pw=$(tail -n 1 "$CRED_FILE")
fi

if [ $(echo "$uid" | wc -m) -gt $MAX_LEN ]
  then
  echo "ERROR: Username is longer than $MAX_LEN characters - this is forbidden"
  exit 3
fi 

if [ $(echo "$pw" | wc -m) -gt $MAX_LEN ]
  then
  echo "ERROR: Password is longer than $MAX_LEN characters - this is forbidden"
  exit 4
fi

# ldapcompare argument format:
# ldapcompare [options] DN attr:value
#
# DN = distinguished name to perform comparison on
# attr:value = name of attribute to check : value to check for
#
# Options used:
# -x Use simple authentication instead of SASL.
# -D LDAP reprentation (DN = distinguished name) of the username used for the LDAP connection
# -w Password used for authentication upon connection to LDAP server

echo "Running command: ldapcompare -x -H ldap://${LDAP_SERVER} -D \"uid=${uid},ou=people,${BASE_DN}\" -w \"<SECRET>\" \"cn=${VPN_GROUP},ou=groups,${BASE_DN}\" \"${MEMBER_ATTR}:${uid}\""
RESULT=$(ldapcompare -x -H ldap://${LDAP_SERVER} -D "uid=${uid},ou=people,${BASE_DN}" -w "${pw}" "cn=${VPN_GROUP},ou=groups,${BASE_DN}" "${MEMBER_ATTR}:${uid}")

echo "LDAP compare result: $RESULT"

if [ "$RESULT" = 'TRUE' ]
  then
  echo "User '${uid}' is a member of group '${VPN_GROUP}'"
  exit 0
else
  echo "ERROR: LDAP connection error or user '${uid}' not in group '${VPN_GROUP}'"
  exit 5 
fi
Lines to add to OpenVPN configuration file, assuming that you saved the script as openvpn-ldap-auth.sh in your configuration directory:

Code: Select all

script-security 2
tmp-dir "/dev/shm"
auth-user-pass-verify openvpn-ldap-auth.sh via-file
client-cert-not-required

Locked