authorChristian Poessinger <christian@poessinger.com>2019-08-05 14:37:39 +0200
committerChristian Poessinger <christian@poessinger.com>2019-08-06 09:35:07 +0200
commitcdd4d727b11b5361051f1c1ad548e265612dc2ae (patch)
tree7d00f32d2d63dd2c669d180b4a131b00e0ae5d4c /docs/vpn/openvpn.rst
parent1c7898bc204e9cd7e9e4dc4d9e0a4e8c42eeac40 (diff)
OpenVPN: add second Active Directory auth example
Diffstat (limited to 'docs/vpn/openvpn.rst')
-rw-r--r--docs/vpn/openvpn.rst65
1 files changed, 42 insertions, 23 deletions
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index 5451c78d..5a269b43 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -270,34 +270,53 @@ Despite the fact that AD is a superset of LDAP
.. code-block:: sh
<LDAP>
- # LDAP server URL
- URL ldap://dc01.example.com
- # Bind DN (If your LDAP server doesn’t support anonymous binds)
- BindDN CN=LDAPUser,DC=example,DC=com
- # Bind Password
- Password mysecretpassword
- # Network timeout (in seconds)
- Timeout 15
- # Enable Start TLS
- TLSEnable no
- # Follow LDAP Referrals (anonymously)
- FollowReferrals no
+ # LDAP server URL
+ URL ldap://dc01.example.com
+ # Bind DN (If your LDAP server doesn’t support anonymous binds)
+ BindDN CN=LDAPUser,DC=example,DC=com
+ # Bind Password
+ Password mysecretpassword
+ # Network timeout (in seconds)
+ Timeout 15
+ # Enable Start TLS
+ TLSEnable no
+ # Follow LDAP Referrals (anonymously)
+ FollowReferrals no
</LDAP>
<Authorization>
- # Base DN
- BaseDN "DC=example,DC=com"
- # User Search Filter, user must be a member of the VPN AD group
- SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))"
- # Require Group Membership
- RequireGroup false # already handled by SearchFilter
- <Group>
- BaseDN "OU=Groups,DC=example,DC=com"
- SearchFilter "(|(cn=VPN))"
- MemberAttribute memberOf
- </Group>
+ # Base DN
+ BaseDN "DC=example,DC=com"
+ # User Search Filter, user must be a member of the VPN AD group
+ SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))"
+ # Require Group Membership
+ RequireGroup false # already handled by SearchFilter
+ <Group>
+ BaseDN "OU=Groups,DC=example,DC=com"
+ SearchFilter "(|(cn=VPN))"
+ MemberAttribute memberOf
+ </Group>
</Authorization>
+If you only wan't to check if the user account is enabled and can authenticate
+(against the primary group) the following snipped is sufficient:
+
+.. code-block:: sh
+
+ <LDAP>
+ URL ldap://ds0001.gefoekom.de
+ BindDN CN=SA_OPENVPN,OU=ServiceAccounts,OU=GS,OU=GeFoekoM,DC=gefoekom,DC=de
+ Password g7LjfjmlPhhHnvmal75hbfdknms-44
+ Timeout 15
+ TLSEnable no
+ FollowReferrals no
+ </LDAP>
+
+ <Authorization>
+ BaseDN "OU=GeFoekoM,DC=gefoekom,DC=de"
+ SearchFilter "sAMAccountName=%u"
+ RequireGroup false
+ </Authorization>
A complete LDAP auth OpenVPN configuration could look like the following example:
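Review bot: The second snippet (the lines `URL ldap://ds0001.gefoekom.de`, `BindDN CN=SA_OPENVPN,OU=ServiceAccounts,...,DC=gefoekom,DC=de` and the `Password` line that follows) appears to publish a real directory host, service-account DN and bind password instead of the `example.com` / `mysecretpassword` placeholders the first snippet uses; replace them with placeholders such as `URL ldap://dc01.example.com`, `BindDN CN=LDAPUser,DC=example,DC=com` and `Password mysecretpassword`, and because the value is now in git history it should be treated as exposed and rotated on the directory side. The added prose also has two typos, which should read `If you only want to check if the user account is enabled and can authenticate` and `the following snippet is sufficient:`. Both snippets bind with a password over plain `ldap://` with `TLSEnable no`, so a one-line remark that the bind password crosses the network unencrypted in this form (and that `ldaps://` or `TLSEnable yes` avoids it) would help readers; the hunk's trailing context may continue past the last visible line.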