Configure OpenVPN to authenticate against Active Directory (LDAP) in Linux
I recently had to set up an OpenVPN server on Linux (Ubuntu 9.04) to authenticate against Active Directory via LDAP. This assumes I already had the OpenVPN server set up and generating keys properly; all I added was LDAP authentication against Active Directory.
First, download and extract the openvpn-auth-ldap package from:
http://code.google.com/p/openvpn-auth-ldap/
/tmp$ wget http://openvpn-auth-ldap.googlecode.com/files/auth-ldap-2.0.3.tar.gz
/tmp$ tar xvfz auth-ldap-2.0.3.tar.gz
….
Then follow the instructions on compiling (note: for this you will need to have installed the appropriate compilers for your system, e.g. $ sudo apt-get install build-essential).
To configure, there are a few prerequisites:
- You’ll need to install re2c from SourceForge:
http://sourceforge.net/projects/re2c/files/re2c/0.13.5/re2c-0.13.5.tar.gz/download
$ wget -O re2c-0.13.5.tar.gz http://sourceforge.net/projects/re2c/files/re2c/0.13.5/re2c-0.13.5.tar.gz/download
$ tar xvfz re2c-0.13.5.tar.gz
$ cd re2c-0.13.5
$ ./configure
$ make
$ sudo make install
- You’ll also need to install OpenLDAP from:
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.19.tgz
$ wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.19.tgz
$ tar xvfz openldap-2.4.19.tgz
$ cd openldap-2.4.19
$ ./configure --disable-bdb --disable-hdb
You need to add the disable bdb/hdb flags so it doesn’t try to build the backend databases.
$ make depend
$ sudo make install
Now wait for OpenLDAP to build and install
- You’ll need the OpenVPN src files. In my case I’m using Ubuntu, so I went to the /src directory, and downloaded/unpacked them there.
$ cd /src
$ sudo mkdir openvpn
$ cd openvpn
$ sudo apt-get source openvpn
$ tar xvfz openvpn_2.1~rc11.orig.tar.gz
Now, on to installing the auth-ldap plugin. The first thing I noticed when trying to ./configure was that it was giving me an error about the “Objective C preprocessor /lib/cpp”. To get around this, I had to install the gobjc package, which wasn’t included in build-essential.
After this is installed, you can configure the code for your environment:
$ ./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/src/openvpn/openvpn-2.1_rc11
This should exit displaying what files have been created, with no error messages.
If that worked properly, you can now build the plugin:
$ make
This should exit with no errors, and you should now have the openvpn-auth-ldap.so file in your src directory.
Now, install it to the lib folder:
$ sudo make install
This will copy the plugin to the /usr/local/lib directory.
The next step is to configure your LDAP bind and search strings. I edited the sample auth-ldap.conf file to work with my Active Directory scenario. Here’s a sample:
<LDAP>
# LDAP server URL
URL ldap://dc.server.local
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN "cn=testuser,ou=Users,dc=server,dc=local"
# Bind Password
Password testpassword
# Network timeout (in seconds)
Timeout 30
TLSEnable no
FollowReferrals yes
</LDAP>
<Authorization>
# where to start search
BaseDN "ou=Users,dc=server,dc=local"
# For Active Directory, I used sAMAccountName to search by username
# I also configured the original search filter to contain the group membership, instead of using the
# RequireGroup directive below
SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=testGroup,OU=Users,DC=server,DC=Local))"
# Require Group Membership
RequireGroup false
</Authorization>
Then, I copied this file to /etc/openvpn/auth-ldap.cfg.
NOTE: Don’t save it in the openvpn folder with a .conf extension, or OpenVPN will try to load it directly!
To test your auth-ldap config against Active Directory, you can use the testplugin tool included with the auth-ldap plugin:
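At authentication time the plugin substitutes the login name for %u in SearchFilter and sends the bind and search to the URL in the LDAP section. As an added example (not the plugin’s own code, and in Python rather than the plugin’s Objective-C), the following parses a constructed config in the same format, builds that filter with the username escaped per RFC 4515 so it cannot change the filter’s structure, and flags the ldap:// plus TLSEnable no combination from the sample, under which the bind password and every user’s credentials cross the network unencrypted.

```python
import re

# Constructed sample in the auth-ldap.cfg format shown above (not a real deployment).
SAMPLE_CFG = """<LDAP>
URL ldap://dc.server.local
BindDN "cn=testuser,ou=Users,dc=server,dc=local"
Password testpassword
Timeout 30
TLSEnable no
</LDAP>
<Authorization>
BaseDN "ou=Users,dc=server,dc=local"
# %u is replaced with the login name at authentication time
SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=testGroup,OU=Users,DC=server,DC=local))"
RequireGroup false
</Authorization>
"""

def parse_cfg(text):
    """Return {section: {directive: value}}; '#' comments and surrounding quotes are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag:
            current = None if tag.group(1) else tag.group(2)
            if current:
                sections.setdefault(current, {})
            continue
        directive, _, value = line.partition(" ")
        sections[current][directive] = value.strip().strip('"')
    return sections

# RFC 4515 escapes: a login name must not be able to alter the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_search_filter(cfg, username):
    """Substitute the escaped login name for %u in the Authorization SearchFilter."""
    return cfg["Authorization"]["SearchFilter"].replace("%u", escape_filter_value(username))

def uses_plaintext_ldap(cfg):
    """True when the URL is ldap:// and StartTLS (TLSEnable) is off: credentials go unencrypted."""
    ldap = cfg["LDAP"]
    return ldap.get("URL", "").startswith("ldap://") and ldap.get("TLSEnable", "no").lower() != "yes"
```

Run it against your own auth-ldap.cfg before deploying: a True from uses_plaintext_ldap means the Password line and every VPN user’s password are readable to anyone on the path to the domain controller.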
/tmp/auth-ldap-2.0.3/src$ ./testplugin /etc/openvpn/auth-ldap.cfg
Username: user
Password:
Authorization Succeed!
client-connect succeed!
client-disconnect succeed!
If everything works OK, you can add it to OpenVPN. In your OpenVPN config, add the line:
plugin /usr/local/lib/openvpn-auth-ldap.so auth-ldap.cfg
Then restart OpenVPN:
sudo /etc/init.d/openvpn restart
* Stopping virtual private network daemon(s)… * Stopping VPN 'server' [ OK ]
* Starting virtual private network daemon(s)… * Autostarting VPN 'server' [ OK ]
Now, the server should be good to go.
Next step, the client. Here’s a client config I used:
client
auth-user-pass
dev tun
proto udp
remote vpn.server.com 1194
resolv-retry infinite
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
Now, try to connect with an incorrect user:
* Starting virtual private network daemon(s)…
* Autostarting VPN 'client'
Enter Auth Username:wrong
Enter Auth Password:
[ OK ]
user@user-laptop:/etc/openvpn$ egrep AUTH /var/log/daemon.log
Oct 29 14:08:54 user-laptop ovpn-client[7728]: AUTH: Received AUTH_FAILED control message
Try again with the correct user:
* Starting virtual private network daemon(s)…
* Autostarting VPN 'client'
Enter Auth Username:user
Enter Auth Password:
[ OK ]
Voila! Worked…
Three cheers for Matt Hardy… thanks for sharing this link & process.
Hi,
Thanks for posting this up. One question, can I use the OpenVPN packaged in Ubuntu’s repositories or do I need to compile it from source like what you did?
Thanks.
Hi Mike, yes, you can use the OpenVPN included in the Ubuntu repositories, but you’ll need the OpenVPN src files to compile the auth-ldap plugin.
To do that you can just use apt-get source openvpn. Then specify the location of the source files when configuring auth-ldap as seen above.
Cheers,
-Matt
Hi Matt,
First, thanks for posting this; this helped me understand how the plugin really works. At any rate, I came into a roadblock though. I’ve followed your instructions up until testing the plugin; an error keeps coming up when entering the LDAP sample user:
LDAP bind failed: Invalid credentials
Unable to bind as uid=admin,ou=People,dc=csaa,dc=com
LDAP connect failed.
Authorization Failed!
LDAP bind failed: Invalid credentials
Unable to bind as uid=admin,ou=People,dc=csaa,dc=com
LDAP connect failed.
client-connect failed!
LDAP bind failed: Invalid credentials
Unable to bind as uid=admin,ou=People,dc=csaa,dc=com
LDAP connect failed.
client-disconnect failed!
I’m using Fedora Directory Server (389) as my backend LDAP which I pointed my vpn server to.
Here’s my auth-ldap.cfg:
# LDAP server URL
URL ldap://ldapmain1.csaa.com
# Bind DN (If your LDAP server doesn’t support anonymous binds)
BindDN uid=admin,ou=People,dc=csaa,dc=com
# Bind Password
#Password SecretPassword
Password {SSHA}@$56347hgh7_)(567;”;ljkldpso098h%@*ks
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
#TLSEnable yes
# Follow LDAP Referrals (anonymously)
#FollowReferrals yes
# TLS CA Certificate File
#TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
#TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
#TLSCertFile /usr/local/etc/ssl/client-cert.pem
#TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
# Base DN
BaseDN "ou=People,dc=csaa,dc=com"
# User Search Filter
SearchFilter "(&(uid=%u)(accountStatus=active))"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
BaseDN “ou=Groups,dc=csaa,dc=com”
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
Please help with any advice that you can give.
Cheers,
DB
Hi,
You might need to modify your bind string to match Fedora Directory Server. In my example I was binding to Active Directory, so the syntax of the two might be a little different.