Want to use new features? Check out the latest push and read UPGRADE-from-0.0.X.txt in the source tree.

OpenVPN LDAP Auth Plugin

Forewords

This plugin was tested on OpenVPN 2.1 and might not work with 2.0 until a small change is made (see issue #2).

Also, only start_tls and clear-text connections are supported so far (there is no ldaps:// support).

Downloading

Releases can be downloaded from GitHub Repository download page

Source code is accessible via Git@GitHub

Dependencies

Debian Lenny / Ubuntu 9.10

The following packages are required to build this plugin:

  • libldap2-dev
  • libpthread-stubs0-dev
  • libtool
  • automake

To use this plugin you only need the following:

  • libldap-2.4-2
  • libpthread-stubs0

Installation

In order to compile and install this plugin you need to run the following:

$ aclocal
$ autoconf
$ libtoolize
$ automake --add-missing
$ ./configure
$ make
$ sudo make install

or

$ ./autogen.sh
$ ./configure
$ make
$ sudo make install

Optionally, if you only ran make (without make install), you can copy the .so files
from src/.libs/ by hand.

Server configuration

In a nutshell, configuring this plugin consists of two steps:

  • Creating a configuration file for this plugin (e.g. /etc/openvpn/ldap-auth-config)
  • Editing the OpenVPN configuration file (e.g. /etc/openvpn/default.conf) to load this plugin and its configuration file automatically

For more information about using alternate authentication methods, see http://openvpn.net/index.php/open-source/documentation/howto.html#auth

LDAP plugin configuration

First copy the example configuration file from tests/config.conf to your OpenVPN configuration directory (e.g. /etc/openvpn). The same file is shown below. Note that %u will be replaced by the username provided by the client, and that the file contains the bind password (bindpw), so treat it as a secret: keep it out of world-readable locations (e.g. mode 0600).

uri=ldap://192.168.9.135
search_filter=(uid=%u)
basedn=ou=users,dc=example,dc=com
binddn=cn=admin,dc=example,dc=com
bindpw=secret
version=3
#ssl=start_tls
ssl=off
groupdn=ou=roles,dc=example,dc=com
group_search_filter=|(cn=vpn)(cn=sysadmins)
member_attribute=member

Default values are:

uri=ldap://localhost
basedn=ou=users,dc=example,dc=com
search_filter=(uid=%u)
ssl=off

Note that with ssl=off both the bind password and every user's password are sent to the LDAP server in clear text. Use ssl=start_tls unless the LDAP server is only reachable over a network you trust.

If you're running Debian/Ubuntu and have configured the openvpn init script to launch all VPNs automatically (see /etc/default/openvpn), avoid the *.conf suffix for this LDAP plugin configuration file. Otherwise the init script will try to load it as a VPN configuration, which fails.
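The following is an added example, not code from the plugin: it parses the key=value format shown above (with '#' comments and DNs that themselves contain '='), substitutes %u into search_filter, and flags the two settings above that matter most operationally (ssl=off and a stored bindpw). The page does not say how the plugin itself handles a username containing LDAP filter metacharacters, so the example shows the substitution done with RFC 4515 escaping, which is what any %u expansion should do so that a login name like *)(uid=* cannot change the filter's structure. The sample configuration is the one printed above, embedded inline; the function names are the example's own.

```python
"""Added example: parse the plugin's config format and build a safe search filter."""

# Constructed sample: the same layout as tests/config.conf on this page.
SAMPLE_CONFIG = """\
uri=ldap://192.168.9.135
search_filter=(uid=%u)
basedn=ou=users,dc=example,dc=com
binddn=cn=admin,dc=example,dc=com
bindpw=secret
version=3
#ssl=start_tls
ssl=off
groupdn=ou=roles,dc=example,dc=com
group_search_filter=|(cn=vpn)(cn=sysadmins)
member_attribute=member
"""

# Defaults as listed on the page; everything else must come from the file.
DEFAULTS = {
    "uri": "ldap://localhost",
    "basedn": "ou=users,dc=example,dc=com",
    "search_filter": "(uid=%u)",
    "ssl": "off",
}


def parse_config(text):
    """Parse key=value lines. '#' starts a comment, blank lines are skipped.
    Values (DNs, filters) may contain '=', so split on the first '=' only."""
    cfg = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected key=value, got %r" % (lineno, raw))
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


# RFC 4515 escaping for assertion values inside an LDAP search filter.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape the characters that would otherwise alter filter structure."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_search_filter(cfg, username):
    """Expand %u with the escaped username, as the plugin's %u substitution should."""
    return cfg["search_filter"].replace("%u", escape_filter_value(username))


def config_warnings(cfg):
    """Operational checks a practitioner would run on the config before deploying."""
    warnings = []
    if cfg["ssl"] != "start_tls":
        warnings.append("ssl is not start_tls: bind and user passwords cross the network in clear text")
    if cfg.get("bindpw"):
        warnings.append("bindpw is stored in the file: keep it root-owned, mode 0600")
    return warnings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(build_search_filter(cfg, "alice"))       # (uid=alice)
    print(build_search_filter(cfg, "*)(uid=*"))    # (uid=\2a\29\28uid=\2a)
    for w in config_warnings(cfg):
        print("warning:", w)
```

Run it against your own file with parse_config(open(path).read()); a filter that still contains an unescaped ')' or '*' after expansion means the username was not escaped, which is the condition to test your deployment for.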

OpenVPN configuration

Next edit the main OpenVPN config file (e.g. /etc/openvpn/default.conf). If you want to authenticate clients against LDAP only, add

client-cert-not-required

somewhere. Be aware that this disables client certificate verification entirely, so the LDAP username/password becomes the only thing authenticating a client (in OpenVPN 2.4 and later this directive was replaced by "verify-client-cert none"). You probably want this, too, so that the LDAP username rather than a certificate CN is used as the client's common name in logs and scripts:

username-as-common-name

Next make sure the plugin is loaded by adding something like this to the end:

plugin /etc/openvpn/ldap-auth/libopenvpn-ldap-auth.so -c /etc/openvpn/ldap-auth-config

If you used make install, the .so file is probably in /usr/local/lib. Note that this syntax is the same as the one used by the testplugin tool (see below). Also note that LDAP authentication uses OpenVPN's deferred authentication, so the plugin (running with low privileges after OpenVPN drops root) needs to be able to write to the tmp dir. Adding:

tmp-dir /dev/shm

to your OpenVPN config will allow it to write its result file there.

Client configuration

If you use LDAP authentication only, you can safely remove/skip the cert and key directives in OpenVPN configuration file. The ca entry is still required, as is tls-auth directive if used by the server. If you want users to type in their username/password interactively when VPN starts, use this directive:

auth-user-pass

If you want the VPN to launch automatically, you need to put the username and password into a file, e.g. /etc/openvpn/default.pass, readable only by the user running OpenVPN (mode 0600):

myusername
mypassword

In addition, point the auth-user-pass directive at that file:

auth-user-pass /etc/openvpn/default.pass

Command line arguments

On top of -c, the following arguments can be passed to the plugin (each overrides the corresponding setting from the configuration file):

  • -H : LDAP URI
  • -D : Bind DN
  • -W : Bind Password
  • -b : Base DN
  • -f : Search filter
  • -t : Timeout
  • -Z : set start_tls to True

Troubleshooting

Once you have an OpenVPN process running, you can test authentication with the tests/testplugin binary from the source tree, which loads the plugin with the same -c argument as the OpenVPN plugin line. Normally you'd do something like this:

$ cd tests
$ ./testplugin -c /etc/openvpn/ldap-auth-config

The testplugin tool will output lots of useful information, but monitoring the LDAP server logs / console output also helps.