authorChristian Poessinger <christian@poessinger.com>2019-08-04 17:54:28 +0200
committerChristian Poessinger <christian@poessinger.com>2019-08-04 17:54:28 +0200
commit1c7898bc204e9cd7e9e4dc4d9e0a4e8c42eeac40 (patch)
treea1cbcc478831f4faaf7aff60b3e33c95fa31fac6 /docs/vpn/openvpn.rst
parent8d3fcd5bbe7d6bad3b7fe9a149e5d11c74680b7e (diff)
OpenVPN: add Active Directory auth example
Diffstat (limited to 'docs/vpn/openvpn.rst')
-rw-r--r--docs/vpn/openvpn.rst41
1 files changed, 39 insertions, 2 deletions
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index 2ae353e8..5451c78d 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -246,7 +246,7 @@ The required config file may look like:
# LDAP server URL
URL ldap://ldap.example.com
# Bind DN (If your LDAP server doesn't support anonymous binds)
- BindDN cn=Manager,dc=example,dc=com
+ BindDN cn=LDAPUser,dc=example,dc=com
# Bind Password password
Password S3cr3t
# Network timeout (in seconds)
@@ -258,10 +258,47 @@ The required config file may look like:
BaseDN "ou=people,dc=example,dc=com"
# User Search Filter
SearchFilter "(&(uid=%u)(objectClass=shadowAccount))"
- # Require Group Membership
+ # Require Group Membership - allow all users
RequireGroup false
</Authorization>
+Active Directory
+****************
+
+Despite the fact that AD is a superset of LDAP
+
+.. code-block:: sh
+
+ <LDAP>
+ # LDAP server URL
+ URL ldap://dc01.example.com
+ # Bind DN (If your LDAP server doesn’t support anonymous binds)
+ BindDN CN=LDAPUser,DC=example,DC=com
+ # Bind Password
+ Password mysecretpassword
+ # Network timeout (in seconds)
+ Timeout 15
+ # Enable Start TLS
+ TLSEnable no
+ # Follow LDAP Referrals (anonymously)
+ FollowReferrals no
+ </LDAP>
+
+ <Authorization>
+ # Base DN
+ BaseDN "DC=example,DC=com"
+ # User Search Filter, user must be a member of the VPN AD group
+ SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))"
+ # Require Group Membership
+ RequireGroup false # already handled by SearchFilter
+ <Group>
+ BaseDN "OU=Groups,DC=example,DC=com"
+ SearchFilter "(|(cn=VPN))"
+ MemberAttribute memberOf
+ </Group>
+ </Authorization>
+
+
A complete LDAP auth OpenVPN configuration could look like the following example:
.. code-block:: sh
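Review bot: The Active Directory example pairs `URL ldap://dc01.example.com` with `TLSEnable no`, so the bind password and every VPN user's credential submitted through `%u` travel to the domain controller in cleartext; the example should show `TLSEnable yes` (or `URL ldaps://dc01.example.com`) and note that a DC configured to require LDAP signing rejects simple binds over unencrypted LDAP anyway. The introductory sentence `Despite the fact that AD is a superset of LDAP` is left unfinished and should say what differs, e.g. `Despite the fact that AD is a superset of LDAP, the attribute names and search filters differ, so a configuration for AD looks like:`. The trailing comment on `RequireGroup false # already handled by SearchFilter` presumably depends on the auth plugin tolerating inline comments after a value; moving it to its own line, as every other comment in the block does, avoids the question. The `(memberOf=CN=VPN,...)` filter only matches direct members of the group, which is worth stating in the comment so readers do not expect nested group membership to grant access. The hunk's closing context lines continue the existing LDAP section and are unaffected.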