diff options
author | Christian Poessinger <christian@poessinger.com> | 2019-08-05 14:37:39 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2019-08-06 09:35:07 +0200 |
commit | cdd4d727b11b5361051f1c1ad548e265612dc2ae (patch) | |
tree | 7d00f32d2d63dd2c669d180b4a131b00e0ae5d4c /docs/vpn/openvpn.rst | |
parent | 1c7898bc204e9cd7e9e4dc4d9e0a4e8c42eeac40 (diff) | |
download | vyos-documentation-cdd4d727b11b5361051f1c1ad548e265612dc2ae.tar.gz vyos-documentation-cdd4d727b11b5361051f1c1ad548e265612dc2ae.zip |
OpenVPN: add second Active Directory auth example
Diffstat (limited to 'docs/vpn/openvpn.rst')
-rw-r--r-- | docs/vpn/openvpn.rst | 65 |
1 files changed, 42 insertions, 23 deletions
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst index 5451c78d..5a269b43 100644 --- a/docs/vpn/openvpn.rst +++ b/docs/vpn/openvpn.rst @@ -270,34 +270,53 @@ Despite the fact that AD is a superset of LDAP .. code-block:: sh <LDAP> - # LDAP server URL - URL ldap://dc01.example.com - # Bind DN (If your LDAP server doesn’t support anonymous binds) - BindDN CN=LDAPUser,DC=example,DC=com - # Bind Password - Password mysecretpassword - # Network timeout (in seconds) - Timeout 15 - # Enable Start TLS - TLSEnable no - # Follow LDAP Referrals (anonymously) - FollowReferrals no + # LDAP server URL + URL ldap://dc01.example.com + # Bind DN (If your LDAP server doesn’t support anonymous binds) + BindDN CN=LDAPUser,DC=example,DC=com + # Bind Password + Password mysecretpassword + # Network timeout (in seconds) + Timeout 15 + # Enable Start TLS + TLSEnable no + # Follow LDAP Referrals (anonymously) + FollowReferrals no </LDAP> <Authorization> - # Base DN - BaseDN "DC=example,DC=com" - # User Search Filter, user must be a member of the VPN AD group - SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))" - # Require Group Membership - RequireGroup false # already handled by SearchFilter - <Group> - BaseDN "OU=Groups,DC=example,DC=com" - SearchFilter "(|(cn=VPN))" - MemberAttribute memberOf - </Group> + # Base DN + BaseDN "DC=example,DC=com" + # User Search Filter, user must be a member of the VPN AD group + SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))" + # Require Group Membership + RequireGroup false # already handled by SearchFilter + <Group> + BaseDN "OU=Groups,DC=example,DC=com" + SearchFilter "(|(cn=VPN))" + MemberAttribute memberOf + </Group> </Authorization> +If you only wan't to check if the user account is enabled and can authenticate +(against the primary group) the following snipped is sufficient: + +.. code-block:: sh + + <LDAP> + URL ldap://ds0001.gefoekom.de + BindDN CN=SA_OPENVPN,OU=ServiceAccounts,OU=GS,OU=GeFoekoM,DC=gefoekom,DC=de + Password g7LjfjmlPhhHnvmal75hbfdknms-44 + Timeout 15 + TLSEnable no + FollowReferrals no + </LDAP> + + <Authorization> + BaseDN "OU=GeFoekoM,DC=gefoekom,DC=de" + SearchFilter "sAMAccountName=%u" + RequireGroup false + </Authorization> A complete LDAP auth OpenVPN configuration could look like the following example: |