CentOS 7 + OpenVPN: authenticating logins against Windows AD


In the previous article we covered configuring CentOS 7 + OpenVPN to authenticate logins with local usernames and passwords. Today we cover CentOS 7 + OpenVPN authenticating logins against Windows AD. There is not much more to introduce: we reuse the environment installed in the previous part, and for today's setup only a few simple changes are needed.

To authenticate OpenVPN against Windows AD we need a Windows AD domain. Many guides online use OpenLDAP for this, but large and mid-sized enterprises alike usually already run Windows AD, so integrating with Windows AD makes user management considerably easier. Details follow:

Environment:

Hostname: DC
IP:
Role: AD, DNS, CA
DomainName:

Hostname: OpenVPN
IP:
Role: OpenVPN

Hostname: Client
IP:
Role: OpenVPN client

Below is my AD configuration.

We created an OU named IXMSOFTLDAP, and under that OU we created some test users and a user group used for OpenVPN authentication. Later we add the users a and zs to this group; any user in this group can use OpenVPN.

Next comes the configuration for OpenVPN's LDAP authentication.

To authenticate the OpenVPN service against LDAP we need to install an LDAP plugin: openvpn-auth-ldap.

As covered in the previous article, installing services on CentOS 7 with yum requires a repository to be specified, so we just verify it:

[root@openvpn openvpn]# cat /etc//
[epel]
name=aliyun epel
baseurl=/epel/7Server/x86_64/
gpgcheck=0
[root@openvpn openvpn]#

With the repository in place, we install the LDAP plugin:

yum install openvpn-auth-ldap -y

Installation complete.

Then we enter the LDAP plugin's configuration directory:

cd /etc/openvpn/auth/
vim

View the contents of the default configuration file:

<LDAP>
# LDAP server URL
URL ldap://
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
# Bind Password
# Password SecretPassword
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-
TLSKeyFile /usr/local/etc/ssl/client-
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=People,dc=com"
# User Search Filter
SearchFilter "(&(uid=%u)(accountStatus=active))"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
# PFTable ips_vpn_users
<Group>
BaseDN "ou=Groups,dc=com"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
# PFTable ips_vpn_eng
</Group>
</Authorization>

We back this file up as well; for safety, it is advisable to back everything up before changing it.

cp

Now we modify the configuration: empty the file and edit it.

echo >

Then paste in the following content:

<LDAP>
# LDAP server URL
# Change to the IP of the AD server
URL ldap://
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,dc=com
# Change to the DN of the domain administrator. It can be looked up with ldapsearch: replace the -h IP with the server IP, -D with the administrator's DN and -b with the base DN to search from; "*" means all attributes
# ldapsearch -LLL -x -h -D "administrator@" -W -b "dc=xx,dc=com" "*"
BindDN "CN=Administrator,CN=Users,DC=ixmsoft,DC=com"
# Bind Password
# Password SecretPassword
# Password of the domain administrator
Password 123
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
# Follow LDAP Referrals (anonymously)
# FollowReferrals yes
# TLS CA Certificate File
# TLSCACertFile
# TLS CA Certificate Directory
# TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
# TLSCertFile /usr/local/etc/ssl/client-
# TLSKeyFile /usr/local/etc/ssl/client-
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
# Base DN under which users are searched for authentication
BaseDN "OU=IXMSOFTLDAP,DC=com"
# User Search Filter
# SearchFilter "(&(uid=%u)(accountStatus=active))"
# sAMAccountName=%u means the sAMAccountName attribute is matched against the login username; the following memberof=CN=myvpn,DC=xx,DC=com points at the VPN user group to authenticate against, so any user can use the VPN simply by being added to that group
# SearchFilter "(&(sAMAccountName=%u)(memberof=CN=myvpn,OU=IXMSOFTLDAP,DC=com))"
SearchFilter "(&(sAMAccountName=%u))"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
# PFTable ips_vpn_users
<Group>
# BaseDN "ou=Groups,dc=com"
# SearchFilter "(|(cn=developers)(cn=artists))"
# MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
# PFTable ips_vpn_eng
BaseDN "OU=IXMSOFTLDAP,DC=com"
SearchFilter "(|(cn=myvpn))"
MemberAttribute "member"
</Group>
</Authorization>

After saving and exiting, we also need to modify the OpenVPN configuration file.

The default configuration file:

cat /etc/openvpn/
port 1194                  # listening port
proto tcp                  # listening protocol
dev tun                    # use a tunnel device
ca                         # CA certificate path
cert                       # server certificate path
key                        # server private key
dh                         # key exchange (Diffie-Hellman) parameters file
server                     # address pool assigned to clients; note: it must not be the same as the VPN server's internal network
ifconfig-pool-persist      # record of client address assignments
push "route"               # network segment clients are allowed to reach
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"     # DNS server handed out to clients
push "dhcp-option DNS"
keepalive 10 120           # liveness: ping every 10 s; no reply within 120 s counts as disconnected
#cipher AES-256-CBC
max-clients 100            # maximum number of concurrent connections
#user nobody                # run as this user
#group nobody               # run as this group
persist-key
persist-tun
status openvpn-
log
verb 5

We need to add the following three parameters to the default configuration file:

plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth- "/etc/openvpn/auth/cn=%u"
client-cert-not-required
username-as-common-name

The result after adding them:

port 1194                  # listening port
proto tcp                  # listening protocol
dev tun                    # use a tunnel device
ca                         # CA certificate path
cert                       # server certificate path
key                        # server private key
dh                         # key exchange (Diffie-Hellman) parameters file
server                     # address pool assigned to clients; note: it must not be the same as the VPN server's internal network
ifconfig-pool-persist      # record of client address assignments
push "route"               # network segment clients are allowed to reach
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"     # DNS server handed out to clients
push "dhcp-option DNS"
keepalive 10 120           # liveness: ping every 10 s; no reply within 120 s counts as disconnected
#cipher AES-256-CBC
max-clients 100            # maximum number of concurrent connections
#user nobody                # run as this user
#group nobody               # run as this group
persist-key
persist-tun
status openvpn-
log
verb 5
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth- "/etc/openvpn/auth/cn=%u"
client-cert-not-required
username-as-common-name

After the change, we need to restart the OpenVPN service:

systemctl restart openvpn@server

After the restart we can test. The client configuration does not need changes, because in the previous article we already added one default parameter and used local-account authentication:

auth-user-pass

Below is the client's default configuration.

At this point only the CA certificate is needed; the other certificates are no longer required.

We can paste the CA certificate contents into the ca option; if there are many users, only this one configuration file needs to be distributed.

client
dev tun
proto tcp
remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca
#cert
#key
verb 5
auth-user-pass

Next we try logging in with an AD user.

Because our configuration takes its users from the myvpn group under OU=IXMSOFTLDAP, any user in the myvpn group can log in,

so we log in with the user zs.

Login succeeded.

Check the IP address state and the OpenVPN connection status.

Then we check the OpenVPN log; the log also shows the login completed.

tail -f /etc/openvpn/

What happens if a user who is not in the myvpn group, ls, tries to log in?

The ls user is prompted again and again, with an error that the username or password is wrong.

Checking the log, we find it reports that the user ls was not found.
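To make the <Authorization> rules above concrete, here is an added example (not code from this article or from the openvpn-auth-ldap project) that models what that block does: it substitutes the login name into SearchFilter with RFC 4515 escaping, evaluates the filter against a small constructed in-memory directory shaped like the ldapsearch output later in this article (users gavin, a and zs plus the myvpn group under OU=IXMSOFTLDAP,DC=ixmsoft,DC=com), and, when RequireGroup is true, checks the <Group> block's MemberAttribute. The directory entries, the requirement that the user search match exactly one entry, and the omission of the per-user password bind that the real plugin performs are assumptions of this model.

```python
"""Offline model of the openvpn-auth-ldap <Authorization> logic configured above.
Added example, not code from the article or the plugin.  DIRECTORY is constructed
to mirror the article's ldapsearch output; the password bind is not modelled."""
import re

BASE_DN = "OU=IXMSOFTLDAP,DC=ixmsoft,DC=com"
GROUP_DN = "CN=myvpn," + BASE_DN


def _user(cn, groups):
    # Attribute names are lowercased: LDAP attribute types are case-insensitive.
    return {"dn": f"CN={cn},{BASE_DN}", "objectclass": ["user"],
            "samaccountname": [cn], "memberof": list(groups)}


# Constructed directory: same user and group names as the article.
DIRECTORY = [
    _user("gavin", ["CN=Domain Admins,CN=Users,DC=ixmsoft,DC=com"]),
    _user("a", [GROUP_DN]),
    _user("zs", [GROUP_DN]),
    {"dn": GROUP_DN, "objectclass": ["group"], "cn": ["myvpn"], "samaccountname": ["myvpn"],
     "member": [f"CN=zs,{BASE_DN}", f"CN=a,{BASE_DN}"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed into a filter (the %u slot).
    Non-ASCII characters would additionally need their UTF-8 bytes escaped."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _value_matcher(raw):
    # A raw '*' in the filter is a wildcard; the escaped form '\2a' is a literal star.
    parts = [re.escape(unescape_filter_value(p)) for p in raw.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def parse_filter(text):
    """Parse a filter built from '&', '|' and equality assertions into nested tuples."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            items = []
            while pos < len(text) and text[pos] == "(":
                items.append(node())
            expect(")")
            return (op, items)
        end = text.index(")", pos)  # safe only because escaped values hold no raw ')'
        attr, sep, raw = text[pos:end].partition("=")
        if not sep:
            raise ValueError(f"bad assertion {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.lower(), _value_matcher(raw))

    result = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return result


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    _, attr, rx = node
    return any(rx.match(v) for v in entry.get(attr, []))


def render_filter(template, username, escape=True):
    """Fill the %u slot; escape=False shows what happens without RFC 4515 escaping."""
    return template.replace("%u", escape_filter_value(username) if escape else username)


def search(filter_text):
    node = parse_filter(filter_text)
    return [e for e in DIRECTORY if matches(node, e)]


def authorize(username, search_filter="(&(sAMAccountName=%u))", require_group=False,
              group_filter="(|(cn=myvpn))", member_attribute="member"):
    """Return (allowed, reason) following the two-step logic of the config above."""
    users = search(render_filter(search_filter, username))
    if len(users) != 1:  # assumption: the user search must identify exactly one entry
        return False, f"user search matched {len(users)} entries"
    if not require_group:
        return True, "user found, RequireGroup false"
    gnode, wanted = parse_filter(group_filter), users[0]["dn"].lower()
    for g in DIRECTORY:
        if matches(gnode, g) and any(m.lower() == wanted for m in g.get(member_attribute, [])):
            return True, f"member of {g['dn']}"
    return False, "user found but not in an allowed group"


if __name__ == "__main__":
    member_filter = f"(&(sAMAccountName=%u)(memberOf={GROUP_DN}))"
    for name in ("zs", "ls", "gavin"):
        print(name, authorize(name), authorize(name, require_group=True), authorize(name, member_filter))
    print("unescaped '*':", len(search(render_filter("(sAMAccountName=%u)", "*", escape=False))),
          "entries; escaped '*':", len(search(render_filter("(sAMAccountName=%u)", "*"))))
```

Running it shows zs accepted, ls rejected with "user search matched 0 entries" (the same outcome the log above reports), and gavin accepted by the active filter (&(sAMAccountName=%u)) with RequireGroup false but rejected as soon as either the commented-out memberof filter or RequireGroup true is enabled, which is what restricts the VPN to the myvpn group. The '*' case shows why the login name has to be escaped as a literal value rather than pasted into the filter. Separately, with TLSEnable no the bind password stored in the plugin's configuration file and every VPN user's password reach the domain controller unencrypted on port 389, which is worth weighing before reusing this configuration outside a lab.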

Note: when integrating Linux with LDAP, if you get an error that the LDAP server cannot be contacted, first test with the following method:

yum install -y openldap-clients

After installation we can test with ldapsearch and its parameters:

-b specifies the search base
-D the user to bind (authenticate) as

ldapsearch -x -W -D "cn=administrator,cn=users,dc=ixmsoft,dc=com" -b "dc=ixmsoft,dc=com" -h -s one dn -LLL
ldapsearch -x -W -D "cn=administrator,dc=com" -h
ldapsearch -x -W -D "cn=administrator,dc=com" -b "ou=ixmsoftldap,dc=com" -h

When run, it prompts for the domain administrator's password to authenticate the connection.

After entering the password, the query results are returned:

[root@openvpn ~]# ldapsearch -x -W -D "cn=administrator,dc=com" -h
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=ixmsoftldap,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# IXMSOFTLDAP
dn: OU=IXMSOFTLDAP,DC=com
objectClass: top
objectClass: organizationalUnit
ou: IXMSOFTLDAP
distinguishedName: OU=IXMSOFTLDAP,DC=com
instanceType: 4
whenCreated:
whenChanged:
uSNCreated: 12814
uSNChanged: 84683
name: IXMSOFTLDAP
objectGUID:: cMItf70U20qyaLdCfU+LoA==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=com
dscorePropagationData:
dscorePropagationData:
dscorePropagationData:
dscorePropagationData:
dscorePropagationData:

# gavin, IXMSOFTLDAP
dn: CN=gavin,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: gavin
distinguishedName: CN=gavin,DC=com
instanceType: 4
whenCreated:
whenChanged:
displayName: gavin
uSNCreated: 12834
memberOf: CN=DomainAdmins,DC=com
memberOf: CN=EnterpriseAdmins,DC=com
memberOf: CN=SchemaAdmins,DC=com
uSNChanged: 83107
name: gavin
objectGUID:: EoJ2j0/CEEahljdqlm3M8Q==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastlogoff: 0
lastlogon: 0
pwdLastSet: 131223940286681367
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wTwQAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: gavin
sAMAccountType: 805306368
userPrincipalName: gavin@
objectCategory: CN=Person,DC=com
dscorePropagationData:
dscorePropagationData:
dscorePropagationData:
dscorePropagationData:

# a
dn: CN=a,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: a
distinguishedName: CN=a,DC=com
instanceType: 4
whenCreated:
whenChanged:
displayName: a
uSNCreated: 76250
memberOf: CN=openvpnuser,DC=com
memberOf: CN=openvpn,OU=vpn,DC=com
memberOf: CN=myvpn,DC=com
uSNChanged: 84656
proxyAddresses: SMTP:a@
name: a
objectGUID:: UG7KmwzOpE+eCEQCIXYirg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastlogoff: 0
lastlogon: 131259971048958897
pwdLastSet: 131273684370053522
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/weQQAAA==
accountExpires: 9223372036854775807
logonCount: 125
sAMAccountName: a
sAMAccountType: 805306368
showInAddressBook: CN=MailBoxes(VLV),CN=AllSystemAddressLists,CN=AddressListsContainer,CN=ixmsoft,CN=MicrosoftExchange,CN=Services,DC=ixmsoft,DC=com
showInAddressBook: CN=AllMailBoxes(VLV),CN=AddressListsContainer,CN=Configuration,DC=com
showInAddressBook: CN=AllRecipients(VLV),CN=AddressListsContainer,CN=Configuration,DC=com
showInAddressBook: CN=DefaultGlobalAddressList,CN=AllGlobalAddressLists,CN=AddressListsContainer,CN=Configuration,DC=com
showInAddressBook: CN=AllUsers,CN=AllAddressLists,CN=AddressListsContainer,DC=com
legacyExchangeDN: /o=ixmsoft/ou=ExchangeAdministrativeGroup(FYDIBOHF23SPDLT)/cn=Recipients/cn=f7a926c52baa45ac83d487105a17abb5-a
userPrincipalName: a@
objectCategory: CN=Person,DC=com
dscorePropagationData:
lastlogonTimestamp: 131259433371916627
uid: a
mail: a@
mailNickname: a
msExchPoliciesIncluded: cfdf87af-dd7f-4a7b-85e4-e0ba077efe78
msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchCalendarLoggingQuota: 6291456
msExchRecipientDisplayType: 1073741824
mDBUseDefaults: TRUE
msExchTextMessagingState: 302120705
msExchTextMessagingState: 16842751
msExchArchiveQuota: 104857600
msExchMailBoxGuid:: ii4VjsET5kqpVJcdHpSOhg==
homeMDB: CN=MailBoxDatabase1277431463,CN=Databases,CN=ExchangeAdministrativeGroup(FYDIBOHF23SPDLT),CN=AdministrativeGroups,CN=MicrosoftExchange,DC=com
msExchUserCulture: zh-CN
msExchRecipientTypeDetails: 1
msExchMailBoxSecurityDescriptor:: AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABQoAAAABAQAAAAAABQoAAAAEABwAAQAAAAACFAABAAIAAQEAAAAAAAUKAAAA
msExchUserAccountControl: 0
msExchUMDtmfMap: emailAddress:2
msExchUMDtmfMap: lastNameFirstName:2
msExchUMDtmfMap: firstNameLastName:2
msExchWhenMailBoxCreated:
msExchHomeServerName: /o=ixmsoft/ou=ExchangeAdministrativeGroup(FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EX01
msExchDumpsterQuota: 31457280
msExchDumpsterWarningQuota: 20971520
msExchVersion: 88218628259840
msExchRBACPolicyLink: CN=DefaultRoleAssignmentPolicy,CN=Policies,CN=RBAC,CN=ixmsoft,DC=com
msExchArchiveWarnQuota: 94371840

# myvpn
dn: CN=myvpn,DC=com
objectClass: top
objectClass: group
cn: myvpn
description: opvpn_group
member: CN=zs,DC=com
member: CN=a,DC=com
distinguishedName: CN=myvpn,DC=com
instanceType: 4
whenCreated:
whenChanged:
uSNCreated: 84617
uSNChanged: 84692
name: myvpn
objectGUID:: iCieup3yF0CcvkrZ5K4owQ==
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wewQAAA==
sAMAccountName: myvpn
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,DC=com
dscorePropagationData:
dscorePropagationData:

# zs
dn: CN=zs,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: zs
distinguishedName: CN=zs,DC=com
instanceType: 4
whenCreated:
whenChanged:
displayName: zs
uSNCreated: 84685
memberOf: CN=myvpn,DC=com
uSNChanged: 84707
name: zs
objectGUID:: aGJRtfM4BkqcoXKrRtKeFQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastlogoff: 0
lastlogon: 0
pwdLastSet: 131273840680565017
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wfwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: zs
sAMAccountType: 805306368
userPrincipalName: zs@
objectCategory: CN=Person,DC=com
dscorePropagationData:
dscorePropagationData:

# sqladmin
dn: CN=sqladmin,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: sqladmin
distinguishedName: CN=sqladmin,DC=com
instanceType: 4
whenCreated:
whenChanged:
displayName: sqladmin
uSNCreated: 14261
uSNChanged: 83109
name: sqladmin
objectGUID:: /orLK52ZskWhDhcGqz1k5A==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 131224606337808745
lastlogoff: 0
lastlogon: 131225414441612134
pwdLastSet: 131224588326777247
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOcmw/wVQQAAA==
accountExpires: 9223372036854775807
logonCount: 48
sAMAccountName: sqladmin
sAMAccountType: 805306368
userPrincipalName: sqladmin@
objectCategory: CN=Person,DC=com
dscorePropagationData:
dscorePropagationData:
lastlogonTimestamp: 131224588677494199

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
