OpenVPN authentication against Windows LDAP on CentOS 6.8


Authenticating with LDAP


1. There are actually two approaches

One uses openvpn-auth-ldap, which verifies credentials directly against LDAP.

The other is similar to MySQL authentication: pam-ldap --> through PAM --> then LDAP does the verification.

This article mainly uses openvpn-auth-ldap. (For the other approach: after yum install nss_ldap, find the file /usr/local/etc/auth-ldap.conf, copy /usr/share/doc/nss_ldap_253/ldap.conf.pam_ldap to /etc/pam_ldap.conf, and create /etc/pam.d/openvpn.)


2. Install the packages with yum

yum install openvpn-auth-ldap   # provides the openvpn-auth-ldap.so plugin

yum install openldap-clients    # provides ldap.conf

yum install -y ldap_utils       # enables ldapsearch


3. The openvpn-auth-ldap.so produced by the install

The yum package installs it at /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so


4. Copy openvpn-auth-ldap.so into the OpenVPN configuration directory

cp /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/


5. Set up the LDAP configuration file

The template is /usr/share/doc/openvpn-auth-ldap-2.0.3/auth-ldap.conf. This file must not be placed in the same directory as OpenVPN's server.conf, otherwise OpenVPN fails to start (the CentOS 6 init script treats every *.conf under /etc/openvpn as an OpenVPN instance configuration). Create a separate directory and put it there.

#####################################################

<LDAP>
# LDAP server URL
URL ldap://192.168.1.1:389

# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
# "Users" is the container name
BindDN "cn=openvpn,cn=Users,dc=dev,dc=com"

# Bind Password
# Password SecretPassword
Password "123456"

# Network timeout (in seconds)
Timeout 15

# Enable Start TLS
# With TLSEnable no and a plain ldap:// URL, the bind password and every
# user's password cross the network in cleartext. Set this to yes (with
# TLSCACertFile below) once the domain controller offers StartTLS.
TLSEnable no

# Follow LDAP Referrals (anonymously)
FollowReferrals yes

# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem

# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs

# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem

# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
# Base DN
# "group" is the container name
BaseDN "ou=dev,ou=group,dc=com"

# User Search Filter
# SearchFilter "(&(sAMAccountName=%u)(accountStatus=active))"
SearchFilter "(&(sAMAccountName=%u))"

# Require Group Membership
RequireGroup false

# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users

<Group>

BaseDN "ou=groups,ou=dev,dc=kaolafm,dc=com"
# security group
SearchFilter "ou=ldapgroups"
MemberAttribute Member
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>

################################################################

Test the LDAP lookup

# Query method for a Windows (AD) directory; "(objectClass=*)" is the standard
# match-everything filter, which ldapsearch expects in place of a bare "*"
ldapsearch -LLL -x -h 172.28.4.103 -D "administrator@xx.com" -W -b "dc=syswin,dc=com" "(objectClass=*)"


6. Change the OpenVPN server configuration to use LDAP authentication

The plugin argument is the auth-ldap.conf from step 5, placed in its own directory:

plugin /etc/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"


7. Restart the OpenVPN service

service openvpn restart
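As an added example (not code from the original article or from the openvpn-auth-ldap project), a small Python linter for the auth-ldap.conf layout used in step 5: it parses the <Section> / Key value format and flags the two settings in the configuration above that a reviewer would question, TLSEnable no over a plain ldap:// URL and RequireGroup false. The embedded sample is constructed to mirror the article's values.

```python
import re

# Constructed sample mirroring the article's auth-ldap.conf (not a real deployment).
SAMPLE_CONF = """\
<LDAP>
URL ldap://192.168.1.1:389
BindDN "cn=openvpn,cn=Users,dc=dev,dc=com"
Password "123456"
TLSEnable no
</LDAP>
<Authorization>
BaseDN "ou=dev,ou=group,dc=com"
SearchFilter "(&(sAMAccountName=%u))"
RequireGroup false
</Authorization>
"""

def parse_auth_ldap(text):
    """Return {section: {key: value}} for the <Section> / 'Key value' layout."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag:                               # section open or close
            if tag.group(1):
                stack.pop()
            else:
                stack.append(tag.group(2))
                sections.setdefault(tag.group(2), {})
            continue
        key, _, value = line.partition(" ")
        sections[stack[-1]][key] = value.strip().strip('"')
    return sections

def lint(text):
    """Return findings for weak settings; an empty list means none were found."""
    cfg = parse_auth_ldap(text)
    ldap, authz = cfg.get("LDAP", {}), cfg.get("Authorization", {})
    findings = []
    if ldap.get("URL", "").startswith("ldap://") and ldap.get("TLSEnable", "no").lower() != "yes":
        # Bind password and every user's password reach the DC unencrypted on port 389.
        findings.append("cleartext: ldap:// without TLSEnable yes; enable StartTLS and set TLSCACertFile")
    if authz.get("RequireGroup", "false").lower() != "true":
        # Without a group gate, any account under BaseDN that can bind gets VPN access.
        findings.append("no-group-gate: RequireGroup is not true; set it and fill in the <Group> block")
    return findings
```

Running lint() on the sample reports both findings; switching the sample to TLSEnable yes and RequireGroup true returns an empty list.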
