Hi,

On 12/01/18 09:44, eisenmad wrote:

I have some problems, probably very easy ones, but I am totally new to this kind of implementation.

I have to configure an OpenVPN Server on a Raspberry Pi that authenticates against LDAP. I have a little experience with an OpenVPN Server that doesn't use LDAP. I installed openvpn-auth-ldap and edited auth-ldap.conf.

<LDAP>
        # LDAP server URL
        URL             ldap://ldap.jumpcloud.com:636

        # Bind DN (If your LDAP server doesn't support anonymous binds)
        # BindDN uid=Manager,ou=People,dc=example,dc=com

        # Bind Password
        # Password      SecretPassword

        # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        TLSEnable       yes

        # Follow LDAP Referrals (anonymously)
        FollowReferrals yes

        # TLS CA Certificate File
        TLSCACertFile   /usr/local/etc/ssl/ca.pem

        # TLS CA Certificate Directory
        TLSCACertDir    /etc/ssl/certs

        # Client Certificate and key
        # If TLS client authentication is required
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem

        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite        ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
        # Base DN
        BaseDN "o=BaseDN_I_got_from_the_LDAP_admin,dc=jumpcloud,dc=com"

        # User Search Filter
        #SearchFilter   "(&(uid=%u)(accountStatus=active))"
        SearchFilter    "(&(uid=%u))"

        # Require Group Membership
        RequireGroup    false

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "ou=Groups,dc=example,dc=com"
                SearchFilter    "(|(cn=developers)(cn=artists))"
                MemberAttribute uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>

My OpenVPN server.conf is:

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.0.1"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf login
client-cert-not-required

I copied my client.ovpn and the ca.crt from the OpenVPN Server to my Windows 10 machine and installed OpenVPN-GUI. Now a connection to the VPN server is working and I could log in to the network. Now I have the following questions:

what's in your client.ovpn file? a client-side certificate? a line with 'auth-user-pass' in it?

I could log in but I didn't have to pass my LDAP user and password for login. The jumpcloud admin made a test account for me. How to validate this?

the jumpcloud ldap service seems accessible via the internet, so you can validate using e.g.

ldapsearch -x -W -D uid=TestAccount,ou=Groups,dc=example,dc=com -H ldaps://ldap.jumpcloud.com \
    -b uid=TestAccount,ou=Groups,dc=example,dc=com

if it accepts an empty password then the jumpcloud admin did not set one (which would be ***BAD*** for a publicly accessible LDAP server).


And is it normal that you could log in without any user and password? All I did was copying the client.ovpn and ca.crt to the config folder of OpenVPN-GUI.


I would not consider that normal, but if your client config contains a valid cert+key pair then user auth is not required per se.

HTH,

JJK
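
An added, offline lint of the three files this setup depends on (example code written for this page, not from the thread or the openvpn-auth-ldap project). It builds constructed copies of the quoted auth-ldap.conf and server.conf, an assumed client.ovpn that carries a certificate but no auth-user-pass (the original was never shown), and a corrected auth-ldap.conf that talks LDAPS with ldaps:// plus TLSEnable no and requires membership in a group (group name cn=vpn-users and member attribute are assumptions). The checks flag StartTLS against the implicit-TLS port 636, RequireGroup false, a server that never verifies client certificates, and a client profile that will never send LDAP credentials. The online empty-password bind check from the reply is defined as a function but not run, since it needs network access.

```shell
#!/bin/sh
# Added example, not from the thread or the openvpn-auth-ldap project: offline
# lint of the files an OpenVPN + LDAP deployment depends on. Sample contents are
# constructed to mirror the quoted configuration; everything lives in a temp dir.
WORK=$(mktemp -d)

# Constructed copy of the posted auth-ldap.conf (comments dropped).
cat >"$WORK/auth-ldap.conf" <<'EOF'
<LDAP>
        URL             ldap://ldap.jumpcloud.com:636
        TLSEnable       yes
</LDAP>
<Authorization>
        BaseDN "o=BaseDN_I_got_from_the_LDAP_admin,dc=jumpcloud,dc=com"
        SearchFilter    "(&(uid=%u))"
        RequireGroup    false
</Authorization>
EOF

# Corrected version: implicit TLS on 636 needs ldaps:// and TLSEnable no, and
# membership in one group is required (group name and member attribute assumed).
cat >"$WORK/auth-ldap-fixed.conf" <<'EOF'
<LDAP>
        URL             ldaps://ldap.jumpcloud.com:636
        TLSEnable       no
        TLSCACertDir    /etc/ssl/certs
</LDAP>
<Authorization>
        BaseDN "o=BaseDN_I_got_from_the_LDAP_admin,dc=jumpcloud,dc=com"
        SearchFilter    "(&(uid=%u))"
        RequireGroup    true
        <Group>
                BaseDN          "o=BaseDN_I_got_from_the_LDAP_admin,dc=jumpcloud,dc=com"
                SearchFilter    "(cn=vpn-users)"
                MemberAttribute member
        </Group>
</Authorization>
EOF

# Constructed copy of the relevant server.conf lines.
cat >"$WORK/server.conf" <<'EOF'
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf login
client-cert-not-required
EOF

# Assumed client.ovpn (the thread never shows it): a certificate is bundled,
# but without auth-user-pass the client never prompts for LDAP credentials.
cat >"$WORK/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
EOF

# First value of directive $2 in file $1 (empty when absent); commented-out
# lines start with '#' and never match.
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# One finding per line, nothing when the file looks right.
lint_auth_ldap() {
    url=$(conf_value "$1" URL)
    tls=$(conf_value "$1" TLSEnable | tr 'A-Z' 'a-z')
    case "$url" in
        ldap://*:636)
            if [ "$tls" = "yes" ]; then
                echo "ldap:// on port 636 with TLSEnable yes: StartTLS on the LDAPS port cannot work, use ldaps://host:636 and TLSEnable no"
            fi ;;
        ldap://*)
            if [ "$tls" != "yes" ]; then
                echo "plaintext ldap:// without TLSEnable yes: bind passwords cross the network in clear"
            fi ;;
    esac
    if [ "$(conf_value "$1" RequireGroup | tr 'A-Z' 'a-z')" = "false" ]; then
        echo "RequireGroup false: any directory account matching SearchFilter gets VPN access"
    fi
    return 0
}

lint_server() {
    if grep -q '^client-cert-not-required' "$1" || grep -q '^verify-client-cert[[:space:]]*none' "$1"; then
        echo "client certificates are not verified: the LDAP username/password is the only authentication, so the plugin must be loaded and reachable"
    fi
    return 0
}

# Cross-check a client profile ($2) against the server configuration ($1).
lint_client() {
    if grep -q '^plugin .*openvpn-auth-ldap' "$1" && ! grep -q '^auth-user-pass' "$2"; then
        echo "server loads openvpn-auth-ldap but the client has no auth-user-pass: it will never send LDAP credentials"
    fi
    return 0
}

# Online check (needs network, defined but not run here): a simple bind with an
# empty password that succeeds means the account effectively has no password.
ldap_empty_bind_check() {
    if ldapsearch -x -H ldaps://ldap.jumpcloud.com -D "$1" -w '' -b "$1" -s base >/dev/null 2>&1; then
        echo "EMPTY PASSWORD ACCEPTED for $1"
    else
        echo "empty password rejected for $1"
    fi
}

run_lint() {
    lint_auth_ldap "$WORK/auth-ldap.conf"
    lint_server "$WORK/server.conf"
    lint_client "$WORK/server.conf" "$WORK/client.ovpn"
}
run_lint
```

Run it as-is and the four findings print for the constructed files; point the functions at real paths to lint a live install. The corrected auth-ldap.conf produces no findings, which is the state to aim for before trusting the VPN to LDAP alone.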

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
