From cdd4d727b11b5361051f1c1ad548e265612dc2ae Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Mon, 5 Aug 2019 14:37:39 +0200
Subject: OpenVPN: add second Active Directory auth example

---
 docs/vpn/openvpn.rst | 65 +++++++++++++++++++++++++++++++++-------------------
 1 file changed, 42 insertions(+), 23 deletions(-)

(limited to 'docs/vpn')

diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index 5451c78d..5a269b43 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -270,34 +270,53 @@ Despite the fact that AD is a superset of LDAP
 .. code-block:: sh
 
   <LDAP>
-  # LDAP server URL
-  URL ldap://dc01.example.com
-  # Bind DN (If your LDAP server doesn’t support anonymous binds)
-  BindDN CN=LDAPUser,DC=example,DC=com
-  # Bind Password
-  Password mysecretpassword
-  # Network timeout (in seconds)
-  Timeout  15
-  # Enable Start TLS
-  TLSEnable no
-  # Follow LDAP Referrals (anonymously)
-  FollowReferrals no
+    # LDAP server URL
+    URL ldap://dc01.example.com
+    # Bind DN (If your LDAP server doesn’t support anonymous binds)
+    BindDN CN=LDAPUser,DC=example,DC=com
+    # Bind Password
+    Password mysecretpassword
+    # Network timeout (in seconds)
+    Timeout  15
+    # Enable Start TLS
+    TLSEnable no
+    # Follow LDAP Referrals (anonymously)
+    FollowReferrals no
   </LDAP>
 
   <Authorization>
-  # Base DN
-  BaseDN        "DC=example,DC=com"
-  # User Search Filter, user must be a member of the VPN AD group
-  SearchFilter  "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))"
-  # Require Group Membership
-  RequireGroup    false # already handled by SearchFilter
-  <Group>
-  BaseDN        "OU=Groups,DC=example,DC=com"
-  SearchFilter  "(|(cn=VPN))"
-  MemberAttribute  memberOf
-  </Group>
+    # Base DN
+    BaseDN        "DC=example,DC=com"
+    # User Search Filter, user must be a member of the VPN AD group
+    SearchFilter  "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))"
+    # Require Group Membership
+    RequireGroup    false # already handled by SearchFilter
+    <Group>
+      BaseDN        "OU=Groups,DC=example,DC=com"
+      SearchFilter  "(|(cn=VPN))"
+      MemberAttribute  memberOf
+    </Group>
   </Authorization>
 
+If you only wan't to check if the user account is enabled and can authenticate
+(against the primary group) the following snipped is sufficient:
+
+.. code-block:: sh
+
+  <LDAP>
+    URL ldap://ds0001.gefoekom.de
+    BindDN CN=SA_OPENVPN,OU=ServiceAccounts,OU=GS,OU=GeFoekoM,DC=gefoekom,DC=de
+    Password g7LjfjmlPhhHnvmal75hbfdknms-44
+    Timeout  15
+    TLSEnable no
+    FollowReferrals no
+  </LDAP>
+
+  <Authorization>
+    BaseDN          "OU=GeFoekoM,DC=gefoekom,DC=de"
+    SearchFilter    "sAMAccountName=%u"
+    RequireGroup    false
+  </Authorization>
 
 A complete LDAP auth OpenVPN configuration could look like the following example:
 
-- 
cgit v1.2.3