In the previous article we covered configuring CentOS 7 + OpenVPN with local username/password login. Today we cover CentOS 7 + OpenVPN using Windows AD for login authentication. We reuse the environment installed in the previous article; for today's setup only a few simple changes are needed.
Since we want OpenVPN on CentOS 7 to authenticate against Windows AD, we need a Windows AD server. Windows AD is in use at a great many companies, and while most documents found online use OpenLDAP for authentication, large and ordinary enterprises alike usually already have a Windows AD environment, so integrating with it makes managing users considerably easier. Details below:
Environment:

Hostname: DC
IP:
Role: AD, DNS, CA
DomainName:

Hostname: Openvpn
IP:
Role: Openvpn

Hostname: Client
IP:
Role: openvpn client
Below is my AD configuration.
We created an OU named IXMSOFTLDAP, and under that OU we created some test users and a user group that will be used for OpenVPN authentication. Later we will add the users a and zs to this group; any user in this group can use OpenVPN.
Next we prepare the OpenVPN configuration for LDAP authentication.
To have the OpenVPN service authenticate against LDAP we need to install an LDAP plugin: openvpn-auth-ldap.
As mentioned in the previous article, installing services on CentOS 7 with yum requires a configured repository, so we just confirm it is there:
[root@openvpn openvpn]# cat /etc//
[epel]
name=aliyun epel
baseurl= /epel/7Server/x86_64/
gpgcheck=0
[root@openvpn openvpn]#
With the repository in place, we install the LDAP plugin:
yum install openvpn-auth-ldap -y
Installation complete.
Then we go into the LDAP plugin's configuration directory:
cd /etc/openvpn/auth/
vim
<LDAP>
    # LDAP server URL
    URL ldap://
    # Bind DN (If your LDAP server doesn't support anonymous binds)
    # BindDN uid=Manager,ou=People,dc=example,dc=com
    # Bind Password
    # Password SecretPassword
    # Network timeout (in seconds)
    Timeout 15
    # Enable Start TLS
    TLSEnable yes
    # Follow LDAP Referrals (anonymously)
    FollowReferrals yes
    # TLS CA Certificate File
    TLSCACertFile /usr/local/etc/ssl/
    # TLS CA Certificate Directory
    TLSCACertDir /etc/ssl/certs
    # Client Certificate and key
    # If TLS client authentication is required
    TLSCertFile /usr/local/etc/ssl/client-
    TLSKeyFile /usr/local/etc/ssl/client-
    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN
    BaseDN "ou=People,dc=com"
    # User Search Filter
    SearchFilter "(&(uid=%u)(accountStatus=active))"
    # Require Group Membership
    RequireGroup false
    # Add non-group members to a PF table (disabled)
    # PFTable ips_vpn_users
    <Group>
        BaseDN "ou=Groups,dc=com"
        SearchFilter "(|(cn=developers)(cn=artists))"
        MemberAttribute uniqueMember
        # Add group members to a PF table (disabled)
        # PFTable ips_vpn_eng
    </Group>
</Authorization>
As before we make a backup first; for safety it is recommended to back up before every change.
cp
echo >
Then paste the following content:
<LDAP>
    # LDAP server URL
    # change to the AD server's IP
    URL ldap://
    # Bind DN (If your LDAP server doesn't support anonymous binds)
    # BindDN uid=Manager,dc=com
    # change to the domain administrator's DN; it can be looked up with ldapsearch:
    # replace the -h IP with the server IP, -D with the administrator's DN, -b with the base search DN; "*" means all attributes
    # ldapsearch -LLL -x -h -D "administrator@" -W -b "dc=xx,dc=com" "*"
    BindDN "CN=Administrator,CN=Users,DC=ixmsoft,DC=com"
    # Bind Password
    # Password SecretPassword
    # the domain administrator's password
    Password 123
    # Network timeout (in seconds)
    Timeout 15
    # Enable Start TLS
    TLSEnable no
    # Follow LDAP Referrals (anonymously)
    # FollowReferrals yes
    # TLS CA Certificate File
    # TLSCACertFile
    # TLS CA Certificate Directory
    # TLSCACertDir /etc/ssl/certs
    # Client Certificate and key
    # If TLS client authentication is required
    # TLSCertFile /usr/local/etc/ssl/client-
    # TLSKeyFile /usr/local/etc/ssl/client-
    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN
    # base DN for the authentication search
    BaseDN "OU=IXMSOFTLDAP,DC=com"
    # User Search Filter
    # SearchFilter "(&(uid=%u)(accountStatus=active))"
    # sAMAccountName=%u means the sAMAccountName attribute is matched against the login name;
    # the following "memberof=CN=myvpn,DC=xx,DC=com" points to the VPN user group to authenticate against,
    # so any user who wants to use the VPN only needs to be added to this group
    # SearchFilter "(&(sAMAccountName=%u)(memberof=CN=myvpn,OU=IXMSOFTLDAP,DC=com))"
    SearchFilter "(&(sAMAccountName=%u))"
    # Require Group Membership
    RequireGroup false
    # Add non-group members to a PF table (disabled)
    # PFTable ips_vpn_users
    <Group>
        # BaseDN "ou=Groups,dc=com"
        # SearchFilter "(|(cn=developers)(cn=artists))"
        # MemberAttribute uniqueMember
        # Add group members to a PF table (disabled)
        # PFTable ips_vpn_eng
        BaseDN "OU=IXMSOFTLDAP,DC=com"
        SearchFilter "(|(cn=myvpn))"
        MemberAttribute "member"
    </Group>
</Authorization>
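To make clear what the SearchFilter and the <Group> block above actually decide, here is an added Python example; it is my illustration, not the page's configuration or code from the openvpn-auth-ldap project. It parses a constructed LDIF snippet in the same shape as the ldapsearch output shown later on this page, renders the filter with %u substituted and RFC 4515 escaping applied, and then applies the decision the plugin makes after the user's password bind succeeds: find exactly one entry by sAMAccountName and, when group membership is required, look for that DN in the group's member attribute. The full DNs under DC=ixmsoft,DC=com, the extra user ls, and the helper names are assumptions for the demonstration (the page abbreviates its DNs).

```python
import re

# Constructed sample in the shape of `ldapsearch -LLL` output. The DNs use the
# DC=ixmsoft,DC=com suffix from the page's BindDN; the entries themselves are made up.
SAMPLE_LDIF = """\
dn: CN=myvpn,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: group
cn: myvpn
member: CN=zs,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
member: CN=a,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com

dn: CN=zs,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: user
sAMAccountName: zs
memberOf: CN=myvpn,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com

dn: CN=a,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: user
sAMAccountName: a
memberOf: CN=myvpn,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com

dn: CN=ls,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com
objectClass: user
sAMAccountName: ls
"""

GROUP_DN = "CN=myvpn,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com"  # assumed full DN of the page's myvpn group


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr (lowercase): [values]}}.
    Comment lines and base64 ('attr::') values are skipped; enough for this demo."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # a blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        if attr.endswith(":"):      # 'attr:: base64value' - not needed here
            continue
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter.
    This is what must happen to %u so a login name cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(username, group_dn=None):
    """Render the page's SearchFilter with %u substituted; group_dn adds the
    memberof clause from the commented-out variant."""
    user_clause = "(sAMAccountName=%s)" % escape_filter_value(username)
    if group_dn is None:
        return "(&%s)" % user_clause
    return "(&%s(memberof=%s))" % (user_clause, escape_filter_value(group_dn))


def dn_equal(a, b):
    """AD DNs are case-insensitive; normalise whitespace around commas as well."""
    norm = lambda dn: re.sub(r"\s*,\s*", ",", dn.strip()).lower()
    return norm(a) == norm(b)


def find_user(entries, username):
    """DN of the single entry whose sAMAccountName matches, else None.
    As in the plugin, zero or more than one match is a failure."""
    hits = [dn for dn, attrs in entries.items()
            if any(v.lower() == username.lower() for v in attrs.get("samaccountname", []))]
    return hits[0] if len(hits) == 1 else None


def group_allows(entries, group_dn, user_dn):
    """Mirror of the <Group> block: locate the group entry, then look for the
    user's DN among the values of MemberAttribute ('member' on AD)."""
    group = next((attrs for dn, attrs in entries.items() if dn_equal(dn, group_dn)), None)
    if group is None:
        return False
    return any(dn_equal(m, user_dn) for m in group.get("member", []))


def authorize(entries, username, group_dn, require_group):
    """The decision made after the user's own password bind has succeeded."""
    user_dn = find_user(entries, username)
    if user_dn is None:
        return "no-such-user"
    if require_group and not group_allows(entries, group_dn, user_dn):
        return "not-in-group"
    return "allowed"


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for name in ("zs", "a", "ls", "a*)(objectClass=*"):
        print(name, "->", build_filter(name), authorize(ENTRIES, name, GROUP_DN, True))
```

Run as a script it shows that ls is refused only when require_group is True. The file above sets RequireGroup false and uses a filter without the memberof clause, and in that combination the plugin does not make myvpn membership a condition for authentication; setting RequireGroup true, or using the commented-out memberof filter, is what turns membership into a requirement. The last name in the loop exists only to show that escaping keeps a hostile login name inside the sAMAccountName clause.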
The default server configuration file:
cat /etc/openvpn/
port 1194                  # listening port
proto tcp                  # listening protocol
dev tun                    # use a tunnel
ca                         # CA certificate path
cert                       # server certificate path
key                        # server private key
dh                         # Diffie-Hellman key exchange file
server                     # address pool handed to clients; note: must not be the same as the VPN server's internal address
ifconfig-pool-persist      # access record
push "route"               # address range the clients are allowed to reach
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"     # DNS handed out by DHCP
push "dhcp-option DNS"
keepalive 10 120           # liveness: ping every 10 seconds, treat as disconnected after 120 seconds without a reply
#cipher AES-256-CBC
max-clients 100            # maximum number of connections
#user nobody               # user
#group nobody              # group
persist-key
persist-tun
status openvpn-
log
verb 5
Add the following lines to it:
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth- "/etc/openvpn/auth/ cn=%u"
client-cert-not-required
username-as-common-name
The result after adding them:
port 1194                  # listening port
proto tcp                  # listening protocol
dev tun                    # use a tunnel
ca                         # CA certificate path
cert                       # server certificate path
key                        # server private key
dh                         # Diffie-Hellman key exchange file
server                     # address pool handed to clients; note: must not be the same as the VPN server's internal address
ifconfig-pool-persist      # access record
push "route"               # address range the clients are allowed to reach
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"     # DNS handed out by DHCP
push "dhcp-option DNS"
keepalive 10 120           # liveness: ping every 10 seconds, treat as disconnected after 120 seconds without a reply
#cipher AES-256-CBC
max-clients 100            # maximum number of connections
#user nobody               # user
#group nobody              # group
persist-key
persist-tun
status openvpn-
log
verb 5
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth- "/etc/openvpn/auth/ cn=%u"
client-cert-not-required
username-as-common-name
After the change we need to restart the OpenVPN service:
systemctl restart openvpn@server
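Before restarting with these two files, a defender would want a quick read of what their settings add up to. The Python script below is an added example, not the page's own code and not part of the openvpn-auth-ldap project. It parses cut-down, constructed copies of the server config and the plugin config shown above (placeholder names stand in for the plugin file, the config file, the host and the password, which the page does not show) and flags the combinations worth knowing about: client-cert-not-required makes the AD password the only factor, TLSEnable no on an ldap:// URL sends the bind password and every user's password to the DC in cleartext, binding as CN=Administrator leaves a domain-admin credential on the VPN host's disk, and RequireGroup false with a filter that has no memberof clause lets any account under the BaseDN log in. A hardened variant of the plugin config is included for comparison; its service-account DN, CA file path and the rule set are my suggestions, not values from the page.

```python
# Constructed, cut-down copy of the page's OpenVPN server config. PLUGIN_SO and
# LDAP_CONF are placeholders for file names the page does not show.
SERVER_CONF = """\
port 1194
proto tcp
dev tun
#user nobody
#group nobody
persist-key
persist-tun
plugin /usr/lib64/openvpn/plugin/lib/PLUGIN_SO "/etc/openvpn/auth/LDAP_CONF cn=%u"
client-cert-not-required
username-as-common-name
"""

# Constructed copy of the page's plugin config with placeholders for host and password.
LDAP_CONF = """\
<LDAP>
    URL ldap://AD_SERVER_IP
    BindDN "CN=Administrator,CN=Users,DC=ixmsoft,DC=com"
    Password BIND_PASSWORD
    Timeout 15
    TLSEnable no
</LDAP>
<Authorization>
    BaseDN "OU=IXMSOFTLDAP,DC=ixmsoft,DC=com"
    SearchFilter "(&(sAMAccountName=%u))"
    RequireGroup false
    <Group>
        BaseDN "OU=IXMSOFTLDAP,DC=ixmsoft,DC=com"
        SearchFilter "(|(cn=myvpn))"
        MemberAttribute "member"
    </Group>
</Authorization>
"""

# Suggested hardened variant (assumed names): StartTLS verified against the DC's CA,
# a dedicated read-only bind account, and group membership enforced.
HARDENED_LDAP_CONF = """\
<LDAP>
    URL ldap://AD_SERVER_FQDN
    BindDN "CN=svc-openvpn-ldap,OU=ServiceAccounts,DC=ixmsoft,DC=com"
    Password BIND_PASSWORD
    Timeout 15
    TLSEnable yes
    TLSCACertFile /etc/openvpn/auth/AD_CA_CERT_PEM
</LDAP>
<Authorization>
    BaseDN "OU=IXMSOFTLDAP,DC=ixmsoft,DC=com"
    SearchFilter "(&(sAMAccountName=%u)(memberof=CN=myvpn,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com))"
    RequireGroup true
    <Group>
        BaseDN "OU=IXMSOFTLDAP,DC=ixmsoft,DC=com"
        SearchFilter "(|(cn=myvpn))"
        MemberAttribute "member"
    </Group>
</Authorization>
"""


def parse_directives(text):
    """{key: value} for active lines of either file. Comments, blanks and <Section>
    tags are dropped and surrounding quotes removed. The first occurrence of a key
    wins, so BaseDN/SearchFilter refer to the <Authorization> block, not <Group>."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key, value.strip().strip('"'))
    return directives


def audit_server(text):
    """Findings for the OpenVPN server config, sorted for stable output."""
    d = parse_directives(text)
    findings = []
    if "client-cert-not-required" in d or d.get("verify-client-cert") == "none":
        findings.append("password-only-auth")   # the AD password is the only factor
    if "user" not in d or "group" not in d:
        findings.append("runs-as-root")         # privilege drop after init is commented out
    return sorted(findings)


def audit_ldap(text):
    """Findings for the openvpn-auth-ldap config, sorted for stable output."""
    d = parse_directives(text)
    findings = []
    # A missing TLSEnable is treated as 'not enabled' (conservative audit assumption).
    if d.get("URL", "").lower().startswith("ldap://") and d.get("TLSEnable", "no").lower() != "yes":
        findings.append("plaintext-ldap")           # bind and user passwords cross the wire in clear
    if "Password" in d:
        findings.append("bind-password-in-file")    # keep the file root-only (mode 0600)
    if "cn=administrator" in d.get("BindDN", "").lower():
        findings.append("privileged-bind-account")  # a read-only service account is enough
    if d.get("RequireGroup", "false").lower() != "true" and "memberof" not in d.get("SearchFilter", "").lower():
        findings.append("no-group-restriction")     # neither filter nor <Group> limits who may log in
    return sorted(findings)


if __name__ == "__main__":
    print("server config  :", audit_server(SERVER_CONF))
    print("plugin config  :", audit_ldap(LDAP_CONF))
    print("hardened plugin:", audit_ldap(HARDENED_LDAP_CONF))
```

The hardened file still reports bind-password-in-file: the plugin needs the bind password on disk, so that finding is addressed by file permissions and by using an account that can only read the directory, not by the config itself.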
After restarting the service we can test. The client configuration needs no changes, because in the previous article we already added the default parameter below and used local-account login:
auth-user-pass
Below is the client's default configuration.
At this point we only need the CA certificate; the other certificates are no longer required.
We can paste the CA certificate contents directly into the ca option; with many users, this single configuration file is all that needs to be distributed.
client
dev tun
proto tcp
remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca
#cert
#key
verb 5
auth-user-pass
Because our configuration takes users from the myvpn group under OU=IXMSOFTLDAP, any user in the myvpn group can log in, so we test login with the user zs.
Login succeeded.
Check the IP address and the OpenVPN connection status.
Then check the OpenVPN log; the log also shows that the login completed.
tail -f /etc/openvpn/
What happens if a user who is not in the myvpn group, ls, tries to log in?
Note: when integrating Linux with LDAP, if it reports that the LDAP server cannot be reached, we can first test with the following method:
yum install -y openldap-clients
After installation we can test with the ldapsearch parameters: -b sets the search base, -D the user to bind as.
ldapsearch -x -W -D "cn=administrator,cn=users,dc=ixmsoft,dc=com" -b "dc=ixmsoft,dc=com" -h -s one dn -LLL
ldapsearch -x -W -D "cn=administrator,dc=com" -h
ldapsearch -x -W -D "cn=administrator,dc=com" -b "ou=ixmsoftldap,dc=com" -h
After running it you are prompted for the domain administrator's password to authenticate the connection.
After entering the password, the query results are returned:
ldapsearch -x -W -D "cn=administrator,dc=com" -h
[root@openvpn ~]# ldapsearch -x -W -D "cn=administrator,dc=com" -h
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=ixmsoftldap,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# IXMSOFTLDAP,
dn: OU=IXMSOFTLDAP,DC=com
objectClass: top
objectClass: organizationalUnit
ou: IXMSOFTLDAP
distinguishedName: OU=IXMSOFTLDAP,DC=com
instanceType: 4
whenCreated:
whenChanged:
uSNCreated: 12814
uSNChanged: 84683
name: IXMSOFTLDAP
objectGUID:: cMItf70U20qyaLdCfU+LoA==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=com
dscorePropagationData:
dscorePropagationData:
dscorePropagationData:
dscorePropagationData:
dscorePropagationData:

# gavin, IXMSOFTLDAP,
dn: CN=gavin,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: gavin
distinguishedName: CN=gavin,DC=com
instanceType: 4
whenCreated:
whenChanged:
displayName: gavin
uSNCreated: 12834
memberOf: CN=DomainAdmins,DC=com
memberOf: CN=EnterpriseAdmins,DC=com
memberOf: CN=SchemaAdmins,DC=com
uSNChanged: 83107
name: gavin
objectGUID:: EoJ2j0/CEEahljdqlm3M8Q==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastlogoff: 0
lastlogon: 0
pwdLastSet: 131223940286681367
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wTwQAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: gavin
sAMAccountType: 805306368
userPrincipalName: gavin@
objectCategory: CN=Person,DC=com
dscorePropagationData:
dscorePropagationData:
dscorePropagationData:
dscorePropagationData:

# a,
dn: CN=a,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: a
distinguishedName: CN=a,DC=com
instanceType: 4
whenCreated:
whenChanged:
displayName: a
uSNCreated: 76250
memberOf: CN=openvpnuser,DC=com
memberOf: CN=openvpn,OU=vpn,DC=com
memberOf: CN=myvpn,DC=com
uSNChanged: 84656
proxyAddresses: SMTP:a@
name: a
objectGUID:: UG7KmwzOpE+eCEQCIXYirg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastlogoff: 0
lastlogon: 131259971048958897
pwdLastSet: 131273684370053522
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/weQQAAA==
accountExpires: 9223372036854775807
logonCount: 125
sAMAccountName: a
sAMAccountType: 805306368
showInAddressBook: CN=MailBoxes(VLV),CN=AllSystemAddressLists,CN=AddressListsContainer,CN=ixmsoft,CN=MicrosoftExchange,CN=Services,DC=ixmsoft,DC=com
showInAddressBook: CN=AllMailBoxes(VLV),CN=AddressListsContainer,CN=Configuration,DC=com
showInAddressBook: CN=AllRecipients(VLV),CN=AddressListsContainer,CN=Configuration,DC=com
showInAddressBook: CN=DefaultGlobalAddressList,CN=AllGlobalAddressLists,CN=AddressListsContainer,CN=Configuration,DC=com
showInAddressBook: CN=AllUsers,CN=AllAddressLists,CN=AddressListsContainer,DC=com
legacyExchangeDN: /o=ixmsoft/ou=ExchangeAdministrativeGroup(FYDIBOHF23SPDLT)/cn=Recipients/cn=f7a926c52baa45ac83d487105a17abb5-a
userPrincipalName: a@
objectCategory: CN=Person,DC=com
dscorePropagationData:
lastlogonTimestamp: 131259433371916627
uid: a
mail: a@
mailNickname: a
msExchPoliciesIncluded: cfdf87af-dd7f-4a7b-85e4-e0ba077efe78
msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchCalendarLoggingQuota: 6291456
msExchRecipientDisplayType: 1073741824
mDBUseDefaults: TRUE
msExchTextMessagingState: 302120705
msExchTextMessagingState: 16842751
msExchArchiveQuota: 104857600
msExchMailBoxGuid:: ii4VjsET5kqpVJcdHpSOhg==
homeMDB: CN=MailBoxDatabase1277431463,CN=Databases,CN=ExchangeAdministrativeGroup(FYDIBOHF23SPDLT),CN=AdministrativeGroups,CN=MicrosoftExchange,DC=com
msExchUserCulture: zh-CN
msExchRecipientTypeDetails: 1
msExchMailBoxSecurityDescriptor:: AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABQoAAAABAQAAAAAABQoAAAAEABwAAQAAAAACFAABAAIAAQEAAAAAAAUKAAAA
msExchUserAccountControl: 0
msExchUMDtmfMap: emailAddress:2
msExchUMDtmfMap: lastNameFirstName:2
msExchUMDtmfMap: firstNameLastName:2
msExchWhenMailBoxCreated:
msExchHomeServerName: /o=ixmsoft/ou=ExchangeAdministrativeGroup(FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EX01
msExchDumpsterQuota: 31457280
msExchDumpsterWarningQuota: 20971520
msExchVersion: 88218628259840
msExchRBACPolicyLink: CN=DefaultRoleAssignmentPolicy,CN=Policies,CN=RBAC,CN=ixmsoft,DC=com
msExchArchiveWarnQuota: 94371840

# myvpn,
dn: CN=myvpn,DC=com
objectClass: top
objectClass: group
cn: myvpn
description: opvpn_group
member: CN=zs,DC=com
member: CN=a,DC=com
distinguishedName: CN=myvpn,DC=com
instanceType: 4
whenCreated:
whenChanged:
uSNCreated: 84617
uSNChanged: 84692
name: myvpn
objectGUID:: iCieup3yF0CcvkrZ5K4owQ==
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wewQAAA==
sAMAccountName: myvpn
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,DC=com
dscorePropagationData:
dscorePropagationData:

# zs,
dn: CN=zs,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: zs
distinguishedName: CN=zs,DC=com
instanceType: 4
whenCreated:
whenChanged:
displayName: zs
uSNCreated: 84685
memberOf: CN=myvpn,DC=com
uSNChanged: 84707
name: zs
objectGUID:: aGJRtfM4BkqcoXKrRtKeFQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastlogoff: 0
lastlogon: 0
pwdLastSet: 131273840680565017
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wfwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: zs
sAMAccountType: 805306368
userPrincipalName: zs@
objectCategory: CN=Person,DC=com
dscorePropagationData:
dscorePropagationData:

# sqladmin,
dn: CN=sqladmin,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: sqladmin
distinguishedName: CN=sqladmin,DC=com
instanceType: 4
whenCreated:
whenChanged:
displayName: sqladmin
uSNCreated: 14261
uSNChanged: 83109
name: sqladmin
objectGUID:: /orLK52ZskWhDhcGqz1k5A==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 131224606337808745
lastlogoff: 0
lastlogon: 131225414441612134
pwdLastSet: 131224588326777247
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wVQQAAA==
accountExpires: 9223372036854775807
logonCount: 48
sAMAccountName: sqladmin
sAMAccountType: 805306368
userPrincipalName: sqladmin@
objectCategory: CN=Person,DC=com
dscorePropagationData:
dscorePropagationData:
lastlogonTimestamp: 131224588677494199

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6