Installing the OpenVPN LDAP authentication plugin

Install the OpenVPN authentication plugin openvpn-auth-ldap:

yum install openvpn-auth-ldap

List the files installed by the package and their paths:

$ rpm -ql openvpn-auth-ldap
/etc/openvpn/auth
/etc/openvpn/auth/ldap.conf
/usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
/usr/share/doc/openvpn-auth-ldap-2.0.3
/usr/share/doc/openvpn-auth-ldap-2.0.3/LICENSE
/usr/share/doc/openvpn-auth-ldap-2.0.3/README
/usr/share/doc/openvpn-auth-ldap-2.0.3/auth-ldap.conf

The two files that matter here are:

# Configuration file for the LDAP plugin
/etc/openvpn/auth/ldap.conf

# The LDAP authentication plugin itself (shared library loaded by OpenVPN)
/usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so

Configuring the LDAP authentication file

Edit the configuration file /etc/openvpn/auth/ldap.conf and fill in the LDAP settings for your directory, for example:

<LDAP>
# LDAP server URL
URL ldap://ldap1.example.org

# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN uid=Manager,ou=People,dc=example,dc=com

# Bind Password
Password SecretPassword

# Network timeout (in seconds)
Timeout 15

# Enable Start TLS
TLSEnable no

# Follow LDAP Referrals (anonymously)
FollowReferrals yes

# TLS CA Certificate File
# TLSCACertFile /usr/local/etc/ssl/ca.pem

# TLS CA Certificate Directory
# TLSCACertDir /etc/ssl/certs

# Client Certificate and key
# If TLS client authentication is required
# TLSCertFile /usr/local/etc/ssl/client-cert.pem
# TLSKeyFile /usr/local/etc/ssl/client-key.pem

# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
# Base DN
BaseDN "ou=People,dc=example,dc=com"

# User Search Filter
SearchFilter "(&(uid=%u))"

# Require Group Membership
RequireGroup false

# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users

<Group>
BaseDN "ou=Groups,dc=example,dc=com"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>

Integrating LDAP authentication into OpenVPN

Edit the OpenVPN server configuration file /etc/openvpn/server.conf and add the following line:

plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf %u"

If username verification was previously handled by a custom script, those directives can be commented out now that LDAP authentication is in place:

;script-security 3
;auth-user-pass-verify /etc/openvpn/scripts/check-passwd.sh via-env

After updating the configuration, restart the OpenVPN server so that the change takes effect:

systemctl restart openvpn@server.service

Debugging with LDAP client tools (optional)

Install the LDAP client tools:

yum install openldap-clients

Use the ldapsearch command to confirm that users can be looked up correctly. For example, to check whether the user zhangsan exists:

ldapsearch -x -LLL -H ldap://ldap1.example.org -D "uid=Manager,ou=People,dc=example,dc=com" -w "SecretPassword" -b "ou=People,dc=example,dc=com" "(uid=zhangsan)"

Replace the LDAP server address, the administrator bind DN and the password with your own values, and confirm that the query returns the expected user entry. If the query fails, the LDAP server configuration may need to be checked.
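As an added example (not part of the original page or of the openvpn-auth-ldap project), the script below parses an ldap.conf in the format shown above, substitutes the VPN username into the Authorization SearchFilter the way the plugin's "%u" argument implies, and produces the equivalent ldapsearch command line for checking a lookup by hand. The sample configuration is constructed inline; the RFC 4515 escaping of the username is this script's own behaviour, so a username containing filter metacharacters cannot change the meaning of the query, and is not a statement about the plugin's internals.

```python
import re

# Constructed sample mirroring the ldap.conf above; not a live server.
SAMPLE_CONF = """
<LDAP>
URL ldap://ldap1.example.org
BindDN uid=Manager,ou=People,dc=example,dc=com
Password SecretPassword
</LDAP>
<Authorization>
BaseDN "ou=People,dc=example,dc=com"
SearchFilter "(&(uid=%u))"
</Authorization>
"""

def parse_conf(text):
    """Return {section: {key: value}} for the <LDAP>/<Authorization> blocks;
    keys inside a nested <Group> block are stored with a "Group." prefix."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag:
            if tag.group(1):
                stack.pop()               # closing tag
            else:
                stack.append(tag.group(2))
                sections.setdefault(stack[0], {})
            continue
        key, _, value = line.partition(" ")
        prefix = "" if len(stack) == 1 else stack[-1] + "."
        sections[stack[0]][prefix + key] = value.strip().strip('"')
    return sections

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a username cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_filter(conf, username):
    """The search filter with %u replaced by the (escaped) VPN username."""
    return conf["Authorization"]["SearchFilter"].replace("%u", escape_filter_value(username))

def ldapsearch_argv(conf, username):
    """Equivalent ldapsearch invocation for debugging the lookup by hand."""
    ldap = conf["LDAP"]
    return ["ldapsearch", "-x", "-LLL", "-H", ldap["URL"], "-D", ldap["BindDN"],
            "-w", ldap["Password"], "-b", conf["Authorization"]["BaseDN"],
            user_filter(conf, username), "dn"]
```

Run the resulting argv with subprocess against your own directory; the bind password comes from the config file, so keep that file readable only by the OpenVPN service user.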