Problems authenticating openvpn users via openldap
Posted: Tue Oct 11, 2011 4:14 am
I am an openvpn newb. I installed openvpn and openldap and want our users to authenticate against active directory in order to gain access to the VPN. I am attempting to replace our cisco vpn concentrator which is out of warranty and has become unreliable. I will include my configs and errors that I am encountering. If anyone is willing to take a look and offer some direction it would be much appreciated.
I am using phpldapadmin to test the authentication piece and am getting an error; it reports that it cannot contact the DC. I would like to start here and, once I can get this working, move on to other errors that may exist in my configs. Thank you for taking a look!
contents of auth-ldap.conf
root@vpn:/etc/openvpn/auth# cat auth-ldap.conf
<LDAP>
# LDAP server URL
URL ldap://172.16.1.70
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
BindDN cn=vpnauth,ou=users,dc=mydomain,dc=local
# Bind Password
# Password SecretPassword
Password <secret>
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /etc/openvpn/dh1024.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/openvpn
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /etc/openvpn/easy-rsa/keys/ca.pem
TLSKeyFile /etc/openvpn/easy-rsa/keys/dh1024.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "dc=mydomain,dc=local"
# User Search Filter
SearchFilter "(accountStatus=active)"
# Require Group Membership
RequireGroup true
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "ou=_FPU_Groups,dc=mydomain,dc=local"
SearchFilter "(|(cn=_VPN))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
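An added sanity check, not part of the original post: in the config above both TLSCACertFile and TLSKeyFile point at dh1024.pem, which by its easy-rsa name is a Diffie-Hellman parameter file, not a CA certificate or a private key, and TLSCertFile points at ca.pem. The POSIX shell script below reads those three directives from an auth-ldap.conf and classifies each referenced file by its PEM header, so a directive that points at the wrong kind of file is reported before the plugin attempts StartTLS. The conf path and the PEM files used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check that the TLS file
# directives in an openvpn-auth-ldap auth-ldap.conf reference files of the
# right PEM type (CA cert -> certificate, client cert -> certificate,
# client key -> private key).

# Print the PEM type of a file, judged by its first "-----BEGIN ..." line.
pem_type() {
    [ -r "$1" ] || { echo "missing"; return 0; }
    first=$(grep -e '-----BEGIN ' "$1" | head -n 1)
    case "$first" in
        *"CERTIFICATE-----")   echo "certificate" ;;
        *"DH PARAMETERS-----") echo "dhparams" ;;
        *"PRIVATE KEY-----")   echo "privatekey" ;;   # RSA/EC/PKCS#8 keys
        *)                     echo "unknown" ;;
    esac
}

# Print the value of a directive ($2) from an auth-ldap.conf ($1).
# Comment lines start with "#" so their first field never equals the key.
conf_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Report each TLS directive as OK or MISMATCH; return the mismatch count.
check_auth_ldap_tls() {
    conf=$1; bad=0
    for pair in TLSCACertFile:certificate TLSCertFile:certificate TLSKeyFile:privatekey; do
        key=${pair%%:*}; want=${pair##*:}
        file=$(conf_get "$conf" "$key")
        [ -n "$file" ] || continue          # directive not set: nothing to check
        got=$(pem_type "$file")
        if [ "$got" = "$want" ]; then
            echo "OK       $key -> $file ($got)"
        else
            echo "MISMATCH $key -> $file (expected $want, found $got)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run it as `check_auth_ldap_tls /etc/openvpn/auth/auth-ldap.conf`; a non-zero exit status means at least one directive points at a file of the wrong type.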