Authenticating with LDAP
1. There are in fact two approaches:
One uses openvpn-auth-ldap, i.e. it authenticates directly against LDAP;
the other works like the MySQL method: pam-ldap --> through PAM --> then on to LDAP for verification.
This page mainly uses openvpn-auth-ldap. (For the other method: after installing the package with yum install nss_ldap, locate the file /usr/local/etc/auth-ldap.conf, copy /usr/share/doc/nss_ldap_253/ldap.conf.pam_ldap to /etc/pam_ldap.conf, and create /etc/pam.d/openvpn.)
2. Install with yum
yum install openvpn-auth-ldap # provides the openvpn-auth-ldap.so plugin
yum install openldap-clients # provides ldap.conf
yum install -y ldap_utils # enables the ldapsearch command
3. The generated openvpn-auth-ldap.so
The yum install places it at: /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
4. Copy openvpn-auth-ldap.so into the OpenVPN configuration directory
cp /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/
5. Configure the LDAP configuration file
/usr/share/doc/openvpn-auth-ldap-2.0.3/auth-ldap.conf # This file must not be placed in the same directory as OpenVPN's server.conf, or OpenVPN will fail to start (the service treats every *.conf in that directory as a server config). Create a separate directory for it.
#####################################################
<LDAP>
# LDAP server URL
URL ldap://192.168.1.1:389
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
BindDN "cn=openvpn,cn=Users,dc=dev,dc=com" # "Users" is the container name
# Bind Password
# Password SecretPassword
Password "123456"
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=dev,ou=group,dc=com" # "group" is the container name
# User Search Filter
# SearchFilter "(&(sAMAccountName=%u)(accountStatus=active))"
SearchFilter "(&(sAMAccountName=%u))"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "ou=groups,ou=dev,dc=kaolafm,dc=com"
SearchFilter "ou=ldapgroups" # security group
MemberAttribute Member
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
################################################################
Verify the connection, the bind account and the search base with ldapsearch (substitute your own host, bind account and base DN):
ldapsearch -LLL -x -h 172.28.4.103 -D "administrator@xx.com" -W -b "dc=syswin,dc=com" "*"
6. Change the OpenVPN configuration to use LDAP authentication
plugin /etc/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
7. Restart the OpenVPN service
service openvpn restart
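Before handing the file from step 5 to OpenVPN, it is worth reviewing it for the weak settings shown there (TLSEnable no on a plain ldap:// URL, the bind password sitting in the file, RequireGroup false). The following script is an added example, not part of the original page or of the openvpn-auth-ldap project: it parses a constructed copy of the page's auth-ldap.conf with a small hypothetical parser, reports those findings, and shows what the SearchFilter becomes once %u is substituted.

```python
import re

# Constructed sample mirroring the page's auth-ldap.conf (not the real file).
SAMPLE = """\
<LDAP>
  URL ldap://192.168.1.1:389
  BindDN "cn=openvpn,cn=Users,dc=dev,dc=com"
  Password "123456"
  TLSEnable no
</LDAP>
<Authorization>
  BaseDN "ou=dev,ou=group,dc=com"
  SearchFilter "(&(sAMAccountName=%u))"
  RequireGroup false
</Authorization>
"""

def parse(text):
    """Hypothetical parser: turn the <Section> blocks into nested dicts."""
    root = {}; stack, cur = [], root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line: continue
        if m := re.fullmatch(r"<(\w+)>", line):      # open a nested section
            stack.append(cur)
            cur = cur.setdefault(m.group(1), {})
        elif re.fullmatch(r"</\w+>", line):          # close it
            cur = stack.pop()
        else:
            key, _, val = line.partition(" ")
            cur[key] = val.strip().strip('"')
    return root

def render_filter(conf, user):
    """Filter after %u substitution; RFC 4515 metacharacters are escaped here (this script's escaping, not the plugin's)."""
    esc = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in user)
    return conf["Authorization"]["SearchFilter"].replace("%u", esc)

def lint(conf):
    """Settings a reviewer would flag in the page's config."""
    found, ldap = [], conf["LDAP"]
    if ldap["URL"].startswith("ldap://") and ldap.get("TLSEnable", "no") != "yes":
        found.append("plaintext LDAP: passwords cross the wire unencrypted")
    if "Password" in ldap:
        found.append("bind password in auth-ldap.conf: keep the file root-only, mode 0600")
    if conf["Authorization"].get("RequireGroup", "false") != "true":
        found.append("RequireGroup false: any account matching SearchFilter may connect")
    return found
```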