OpenVPN +PAM Debian

Post by DavePI » Wed May 24, 2023 10:16 am

Hello,
I have installed Debian 11 and pam-ldapd. Now I want to set up authentication for OpenVPN with PAM. When I tested it with the 'getent passwd' command, I got only local users in the response.

Can you please help me with how to set it up?

My nsswitch is here:

passwd:         files systemd ldap
group:          files systemd
shadow:         files
gshadow:        files

hosts:          files dns myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

And my nslcd.conf is here:

uid nslcd
gid ldap
uri ldap://10.1.4.113/
base dc=example,dc=eu
#binddn cn=vpnbind,ou=MyUsers,dc=test,dc=net
#binddn vpnadmin@example.eu
binddn cn=admin,dc=example,dc=eu
bindpw secret
scope sub

base   group  dc=example,dc=eu
base   passwd dc=example,dc=eu
base   shadow dc=example,dc=eu

bind_timelimit 30
timelimit 30

filter passwd (&(objectClass=user)(memberOf=dc=example,dc=eu))
map    passwd uid              sAMAccountName

filter shadow (&(objectClass=user)(memberOf=example,dc=eu))
map    shadow uid              sAMAccountName


tls_reqcert never

Thanks for any answer.

Post by Fadim » Fri May 26, 2023 12:52 pm

Hello DavePI,

To configure OpenVPN authentication with PAM on Debian 11, you need to follow a few steps. Firstly, ensure that the libpam-ldapd package is installed on your system. Next, review the /etc/nslcd.conf file to verify the LDAP URI, base, binddn, and bindpw settings. These should be accurate and correspond to your LDAP server.

In your case, it appears that the getent passwd command is returning only local users. To address this, modify the /etc/nsswitch.conf file and remove the ldap option from the passwd line. By doing so, you prioritize LDAP for user lookups.

Once these modifications are made, restart the nslcd service to apply the changes. Following this, OpenVPN should be able to authenticate users using PAM successfully.
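
An added example, not part of either post and not code from the OpenVPN or nslcd projects: a small Python lint over the two files quoted in the question. It checks whether the passwd database consults the ldap source at all (getent passwd only reaches nslcd when it does), whether the bind password crosses the network protected, and whether each memberOf value in the filters is a group DN. The function names, the finding texts and the rule that a memberOf value equal to the search base is not a group are assumptions of this example.

```python
import re

# Trimmed copies of the two files posted above (only the lines the checks read).
NSSWITCH = """passwd:         files systemd ldap
group:          files systemd
"""
NSLCD = """uri ldap://10.1.4.113/
base dc=example,dc=eu
binddn cn=admin,dc=example,dc=eu
bindpw secret
filter passwd (&(objectClass=user)(memberOf=dc=example,dc=eu))
filter shadow (&(objectClass=user)(memberOf=example,dc=eu))
tls_reqcert never
"""

def directives(text):
    """Token lists for every line that is neither blank nor a comment."""
    lines = (l.strip() for l in text.splitlines())
    return [l.split() for l in lines if l and not l.startswith("#")]

def lint(nsswitch, nslcd):
    findings = []
    # NSS side: getent passwd only asks nslcd if the passwd line lists ldap.
    sources = {t[0].rstrip(":"): t[1:] for t in directives(nsswitch)}
    if "ldap" not in sources.get("passwd", []):
        findings.append("nsswitch: passwd does not list ldap")
    conf = directives(nslcd)
    first = lambda key: next((t[1:] for t in conf if t[0] == key), [])
    # Transport: a simple bind over ldap:// without StartTLS is cleartext.
    if "".join(first("uri")).startswith("ldap://") and first("ssl") != ["start_tls"]:
        findings.append("nslcd: bindpw travels over unencrypted ldap://")
    if first("tls_reqcert") == ["never"]:
        findings.append("nslcd: tls_reqcert never skips certificate checks")
    # Filters: memberOf holds a group's full DN. Splitting on "," ignores
    # escaped commas, which is enough for the DNs shown here.
    bases = {t[1] for t in conf if t[0] == "base" and len(t) == 2}
    for t in (t for t in conf if t[0] == "filter"):
        for dn in re.findall(r"\(memberOf=([^)]*)\)", " ".join(t[2:])):
            if not all(re.fullmatch(r"[A-Za-z][\w-]*=.+", r) for r in dn.split(",")):
                findings.append(f"nslcd: {t[1]} filter memberOf={dn} is not a DN")
            elif dn in bases:
                findings.append(f"nslcd: {t[1]} filter memberOf={dn} is the search base, not a group")
    return findings

if __name__ == "__main__":
    for finding in lint(NSSWITCH, NSLCD):
        print(finding)
```

On the posted files it reports the cleartext bind, the disabled certificate check and both memberOf values; taking ldap off the passwd line adds a finding instead of clearing any.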
