From 1c7898bc204e9cd7e9e4dc4d9e0a4e8c42eeac40 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 4 Aug 2019 17:54:28 +0200 Subject: OpenVPN: add Active Directory auth example --- docs/vpn/openvpn.rst | 41 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) (limited to 'docs/vpn') diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst index 2ae353e8..5451c78d 100644 --- a/docs/vpn/openvpn.rst +++ b/docs/vpn/openvpn.rst @@ -246,7 +246,7 @@ The required config file may look like: # LDAP server URL URL ldap://ldap.example.com # Bind DN (If your LDAP server doesn't support anonymous binds) - BindDN cn=Manager,dc=example,dc=com + BindDN cn=LDAPUser,dc=example,dc=com # Bind Password password Password S3cr3t # Network timeout (in seconds) @@ -258,10 +258,47 @@ The required config file may look like: BaseDN "ou=people,dc=example,dc=com" # User Search Filter SearchFilter "(&(uid=%u)(objectClass=shadowAccount))" - # Require Group Membership + # Require Group Membership - allow all users RequireGroup false +Active Directory +**************** + +Despite the fact that AD is a superset of LDAP + +.. code-block:: sh + + + # LDAP server URL + URL ldap://dc01.example.com + # Bind DN (If your LDAP server doesn’t support anonymous binds) + BindDN CN=LDAPUser,DC=example,DC=com + # Bind Password + Password mysecretpassword + # Network timeout (in seconds) + Timeout 15 + # Enable Start TLS + TLSEnable no + # Follow LDAP Referrals (anonymously) + FollowReferrals no + + + + # Base DN + BaseDN "DC=example,DC=com" + # User Search Filter, user must be a member of the VPN AD group + SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))" + # Require Group Membership + RequireGroup false # already handled by SearchFilter + + BaseDN "OU=Groups,DC=example,DC=com" + SearchFilter "(|(cn=VPN))" + MemberAttribute memberOf + + + + A complete LDAP auth OpenVPN configuration could look like the following example: .. code-block:: sh -- cgit v1.2.3