diff options
author | Christian Poessinger <christian@poessinger.com> | 2019-08-04 17:54:28 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2019-08-04 17:54:28 +0200 |
commit | 1c7898bc204e9cd7e9e4dc4d9e0a4e8c42eeac40 (patch) | |
tree | a1cbcc478831f4faaf7aff60b3e33c95fa31fac6 /docs/vpn | |
parent | 8d3fcd5bbe7d6bad3b7fe9a149e5d11c74680b7e (diff) | |
download | vyos-documentation-1c7898bc204e9cd7e9e4dc4d9e0a4e8c42eeac40.tar.gz vyos-documentation-1c7898bc204e9cd7e9e4dc4d9e0a4e8c42eeac40.zip |
OpenVPN: add Active Directory auth example
Diffstat (limited to 'docs/vpn')
-rw-r--r-- | docs/vpn/openvpn.rst | 41 |
1 files changed, 39 insertions, 2 deletions
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst index 2ae353e8..5451c78d 100644 --- a/docs/vpn/openvpn.rst +++ b/docs/vpn/openvpn.rst @@ -246,7 +246,7 @@ The required config file may look like: # LDAP server URL URL ldap://ldap.example.com # Bind DN (If your LDAP server doesn't support anonymous binds) - BindDN cn=Manager,dc=example,dc=com + BindDN cn=LDAPUser,dc=example,dc=com # Bind Password password Password S3cr3t # Network timeout (in seconds) @@ -258,10 +258,47 @@ The required config file may look like: BaseDN "ou=people,dc=example,dc=com" # User Search Filter SearchFilter "(&(uid=%u)(objectClass=shadowAccount))" - # Require Group Membership + # Require Group Membership - allow all users RequireGroup false </Authorization> +Active Directory +**************** + +Despite the fact that AD is a superset of LDAP + +.. code-block:: sh + + <LDAP> + # LDAP server URL + URL ldap://dc01.example.com + # Bind DN (If your LDAP server doesn’t support anonymous binds) + BindDN CN=LDAPUser,DC=example,DC=com + # Bind Password + Password mysecretpassword + # Network timeout (in seconds) + Timeout 15 + # Enable Start TLS + TLSEnable no + # Follow LDAP Referrals (anonymously) + FollowReferrals no + </LDAP> + + <Authorization> + # Base DN + BaseDN "DC=example,DC=com" + # User Search Filter, user must be a member of the VPN AD group + SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))" + # Require Group Membership + RequireGroup false # already handled by SearchFilter + <Group> + BaseDN "OU=Groups,DC=example,DC=com" + SearchFilter "(|(cn=VPN))" + MemberAttribute memberOf + </Group> + </Authorization> + + A complete LDAP auth OpenVPN configuration could look like the following example: .. code-block:: sh |