Configure OpenVPN to authenticate against Active Directory (LDAP) in Linux
I recently had to set up an OpenVPN server on Linux (Ubuntu 9.04) to authenticate against Active Directory via LDAP. This assumes I already had the OpenVPN server set up and generating keys properly. All I added was the LDAP authentication against Active Directory.
First, download and extract the openvpn-auth-ldap package from:
http://code.google.com/p/openvpn-auth-ldap/
/tmp$ wget http://openvpn-auth-ldap.googlecode.com/files/auth-ldap-2.0.3.tar.gz
/tmp$ tar xvfz auth-ldap-2.0.3.tar.gz
….
Then follow the instructions on compiling (note: for this you will need to have installed the appropriate compilers for your system, e.g. $ sudo apt-get install build-essential).
To configure, there are a few prerequisites:
- You’ll need to install re2c from SourceForge:
http://sourceforge.net/projects/re2c/files/re2c/0.13.5/re2c-0.13.5.tar.gz/download
$ wget -O re2c-0.13.5.tar.gz http://sourceforge.net/projects/re2c/files/re2c/0.13.5/re2c-0.13.5.tar.gz/download
$ tar xvfz re2c-0.13.5.tar.gz
$ cd re2c-0.13.5
$ ./configure
$ make
$ sudo make install
- You’ll also need to install OpenLDAP from:
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.19.tgz
$ wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.19.tgz
$ tar xvfz openldap-2.4.19.tgz
$ cd openldap-2.4.19
$ ./configure --disable-bdb --disable-hdb
You need to add the disable bdb/hdb flags so it doesn’t try to build and install the backend databases.
$ make depend
$ make
$ sudo make install
Now wait for OpenLDAP to build and install
- You’ll need the OpenVPN src files. In my case I’m using Ubuntu, so I went to the /src directory, and downloaded/unpacked them there.
$ cd /src
$ sudo mkdir openvpn
$ cd openvpn
$ sudo apt-get source openvpn
$ tar xvfz openvpn_2.1~rc11.orig.tar.gz
Now, on to installing the auth-ldap plugin. The first thing I noticed when trying to ./configure was that it was giving me an error about the “Objective C preprocessor /lib/cpp”. To get around this, I had to install the gobjc package, which isn’t included in build-essential.
After this is installed, you can configure the code for your environment:
$ ./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/src/openvpn/openvpn-2.1_rc11
This should exit displaying what files have been created, with no error messages.
If that worked properly, you can now build the plugin
$ make
This should exit with no errors, and you should now have the openvpn-auth-ldap.so file in your src directory.
Now, install to the lib folder
$ sudo make install
This will copy the plugin to the /usr/local/lib directory
The next step is to configure your LDAP bind and search strings. I edited the sample auth-ldap.conf file to work with my Active Directory scenario. Here’s a sample:
<LDAP>
# LDAP server URL
URL ldap://dc.server.local
# Bind DN (if your LDAP server doesn't support anonymous binds)
BindDN "cn=testuser,ou=Users,dc=server,dc=local"
# Bind password
Password testpassword
# Network timeout (in seconds)
Timeout 30
TLSEnable no
FollowReferrals yes
</LDAP>
<Authorization>
# Where to start the search
BaseDN "ou=Users,dc=server,dc=local"
# For Active Directory, I used sAMAccountName to search by username.
# I also configured the search filter to contain the group membership, instead of using the
# RequireGroup directive below
SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=testGroup,OU=Users,DC=server,DC=Local))"
# Require group membership
RequireGroup false
</Authorization>
Then, I copied this file to /etc/openvpn/auth-ldap.cfg
NOTE: Don’t save in openvpn folder with .conf extension, or openvpn will try to load that directly!
To test your auth-ldap config against Active Directory, you can use the testplugin tool included with the auth-ldap plugin:
/tmp/auth-ldap-2.0.3/src$ ./testplugin /etc/openvpn/auth-ldap.cfg
Username: user
Password:
Authorization Succeed!
client-connect succeed!
client-disconnect succeed!
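As a second check (an added example, not part of the auth-ldap package or of the original post), the script below reads URL, BindDN, Password, BaseDN and SearchFilter from the cfg above, substitutes the username into the %u placeholder with RFC 4515 escaping so characters such as * or ( in a username are matched literally, and runs the same search with OpenLDAP's ldapsearch, so you can see which directory entry (if any) the plugin will match. It assumes the OpenLDAP client tools are installed and that each directive sits on a single line.

```shell
#!/bin/sh
# Added example: resolve a username through the SearchFilter of an auth-ldap cfg
# with ldapsearch, to see which AD entry (if any) the plugin would match.
# Assumes OpenLDAP client tools are installed and each directive sits on one line.

# Escape LDAP filter metacharacters per RFC 4515 so a username containing
# '*', '(', ')' or '\' is matched literally rather than altering the filter.
ldap_filter_escape() {
    # backslash first, so the escapes added afterwards are not escaped again
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Substitute every %u in the SearchFilter template ($1) with the escaped username ($2).
build_search_filter() {
    esc=$(ldap_filter_escape "$2")
    out=
    rest=$1
    while case $rest in *%u*) true ;; *) false ;; esac; do
        out="$out${rest%%%u*}$esc"
        rest=${rest#*%u}
    done
    printf '%s\n' "$out$rest"
}

# Print the value of directive $2 from cfg file $1 (first match, quotes stripped).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//'
}

# Bind with the plugin's service account and run its search for one username.
# Note: with "TLSEnable no" in the cfg, this bind password crosses the network in
# clear text, exactly as it does when the plugin itself binds.
check_user() {
    cfg=$1
    filter=$(build_search_filter "$(cfg_get "$cfg" SearchFilter)" "$2")
    echo "Search filter: $filter"
    pwfile=$(mktemp) && chmod 600 "$pwfile"
    printf '%s' "$(cfg_get "$cfg" Password)" > "$pwfile"   # -y keeps it off the process list
    ldapsearch -LLL -x -H "$(cfg_get "$cfg" URL)" -D "$(cfg_get "$cfg" BindDN)" \
        -y "$pwfile" -b "$(cfg_get "$cfg" BaseDN)" "$filter" dn sAMAccountName memberOf
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# usage: sh check-auth-ldap.sh /etc/openvpn/auth-ldap.cfg username
if [ $# -eq 2 ]; then check_user "$1" "$2"; fi
```

Exactly one entry should come back for a valid member of testGroup; zero entries means the filter or BaseDN is wrong, and a bind error points at BindDN/Password.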
If everything works OK, you can then add the plugin to OpenVPN. In your OpenVPN server config, add the line:
plugin /usr/local/lib/openvpn-auth-ldap.so auth-ldap.cfg
And restart OpenVPN:
sudo /etc/init.d/openvpn restart
* Stopping virtual private network daemon(s)… * Stopping VPN 'server' [ OK ]
* Starting virtual private network daemon(s)… * Autostarting VPN 'server' [ OK ]
Now, the server should be good to go.
Next step, the client. Here’s a client config I used:
client
auth-user-pass
dev tun
proto udp
remote vpn.server.com 1194
resolv-retry infinite
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
Now, try to connect with an incorrect user:
* Starting virtual private network daemon(s)…
* Autostarting VPN 'client'
Enter Auth Username:wrong
Enter Auth Password:
[ OK ]
user@user-laptop:/etc/openvpn$ egrep AUTH /var/log/daemon.log
Oct 29 14:08:54 user-laptop ovpn-client[7728]: AUTH: Received AUTH_FAILED control message
Try again with the correct user:
* Starting virtual private network daemon(s)…
* Autostarting VPN 'client'
Enter Auth Username:user
Enter Auth Password:
[ OK ]
Voila! Worked…