LDAP on Rickyhttps://linzeyan.github.io/categories/ldap/Recent content in LDAP on RickyHugo -- gohugo.ioenThu, 17 Sep 2020 13:15:33 +0800Deploying OpenVPN with AD domain authenticationhttps://linzeyan.github.io/posts/2020/20200917-5b892a0b2b71775d1ce04eff/Thu, 17 Sep 2020 13:15:33 +0800https://linzeyan.github.io/posts/2020/20200917-5b892a0b2b71775d1ce04eff/<ul> <li><a href="https://www.twblogs.net/a/5b892a0b2b71775d1ce04eff" target="_blank" rel="noopener">Deploying OpenVPN with AD domain authentication</a></li> <li><a href="https://jameschien.no-ip.biz/wordpress/2020/02/19/openvpn-pam-sssd-active-directory/" target="_blank" rel="noopener">OpenVPN + PAM + SSSD + Active Directory</a></li> <li><a href="https://computingforgeeks.com/install-and-configure-openvpn-server-on-rhel-centos-8/" target="_blank" rel="noopener">https://computingforgeeks.com/install-and-configure-openvpn-server-on-rhel-centos-8/</a></li> <li><a href="https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8" target="_blank" rel="noopener">https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8</a></li> <li><a href="https://medium.com/jerrynotes/linux-authentication-windows-ad-without-join-domain-7963c3fd44c5" target="_blank" rel="noopener">https://medium.com/jerrynotes/linux-authentication-windows-ad-without-join-domain-7963c3fd44c5</a></li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Install OpenVPN</span> </span></span><span style="display:flex;"><span>yum install openvpn -y </span></span><span style="display:flex;"><span>yum -y install openssl openssl-devel -y </span></span><span style="display:flex;"><span>yum -y install lzo lzo-devel -y </span></span><span style="display:flex;"><span>yum install -y libgcrypt libgpg-error libgcrypt-devel </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Install OpenVPN auth plugin</span> </span></span><span style="display:flex;"><span>yum install openvpn-auth-ldap -y </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Install easy-rsa</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Since openvpn 2.3 removed easy-rsa from the package, install it separately.</span> </span></span><span style="display:flex;"><span>yum install easy-rsa </span></span><span style="display:flex;"><span>cp -rf /usr/share/easy-rsa/2.0 /etc/opevpn/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Generate OpenVPN keys and certificates</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Edit `/opt/openvpn/etc/easy-rsa/2.0/vars` parameters</span> </span></span><span style="display:flex;"><span>export KEY_COUNTRY<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;CN&#34;</span> <span style="color:#75715e"># Country</span> </span></span><span style="display:flex;"><span>export KEY_PROVINCE<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;ZJ&#34;</span> <span style="color:#75715e"># Province</span> </span></span><span style="display:flex;"><span>export KEY_CITY<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;NingBo&#34;</span> <span style="color:#75715e"># City</span> </span></span><span style="display:flex;"><span>export KEY_ORG<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;TEST-VPN&#34;</span> <span style="color:#75715e"># Organization</span> </span></span><span style="display:flex;"><span>exportKEY_EMAIL<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;81367070@qq.com&#34;</span> <span style="color:#75715e"># Email</span> </span></span><span style="display:flex;"><span>export KEY_OU<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;baidu&#34;</span> <span style="color:#75715e"># Unit</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>source vars </span></span><span style="display:flex;"><span>./clean-all </span></span><span style="display:flex;"><span>./build-ca </span></span><span style="display:flex;"><span>./build-dh </span></span><span style="display:flex;"><span>./build-key-server server </span></span><span style="display:flex;"><span>./build-key client1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Edit the OpenVPN server config: `/etc/openvpn/server.conf`</span> </span></span><span style="display:flex;"><span>port <span style="color:#ae81ff">1194</span> </span></span><span style="display:flex;"><span>proto udp </span></span><span style="display:flex;"><span>dev tun </span></span><span style="display:flex;"><span>ca keys/ca.crt </span></span><span style="display:flex;"><span>cert keys/server.crt </span></span><span style="display:flex;"><span>key keys/server.key <span style="color:#75715e"># This file should be kept secret</span> </span></span><span style="display:flex;"><span>dh keys/dh2048.pem </span></span><span style="display:flex;"><span>server 10.8.0.0 255.255.255.0 // client IP pool </span></span><span style="display:flex;"><span>push <span style="color:#e6db74">&#34;route 192.168.1.0 255.255.255.0&#34;</span> // push route to clients </span></span><span style="display:flex;"><span>push <span style="color:#e6db74">&#34;redirect-gateway&#34;</span> // change client gateway to route VPN traffic </span></span><span style="display:flex;"><span>ifconfig-pool-persist ipp.txt </span></span><span style="display:flex;"><span>keepalive <span style="color:#ae81ff">10</span> <span style="color:#ae81ff">120</span> </span></span><span style="display:flex;"><span>comp-lzo </span></span><span style="display:flex;"><span>persist-key </span></span><span style="display:flex;"><span>persist-tun </span></span><span style="display:flex;"><span>status openvpn-status.log </span></span><span style="display:flex;"><span>verb <span style="color:#ae81ff">3</span> </span></span><span style="display:flex;"><span>plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so <span style="color:#e6db74">&#34;/etc/openvpn/auth/ldap.conf&#34;</span> </span></span><span style="display:flex;"><span>client-cert-not-required </span></span><span style="display:flex;"><span>username-as-common-name </span></span><span style="display:flex;"><span>log /var/log/openvpn.log </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Edit openvpn-ldap-auth config: `/etc/openvpn/auth/ldap.conf`</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># /etc/openvpn/auth/ldap.conf</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>&lt;LDAP&gt; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># LDAP server URL</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Change to the AD server IP</span> </span></span><span style="display:flex;"><span> URL ldap://172.16.76.238:389 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Bind DN (If your LDAP server doesn&#39;t support anonymous binds)</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># BindDN uid=Manager,ou=People,dc=example,dc=com</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Change to the domain admin DN; you can query it with ldapsearch</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Replace the IP in -h with the server IP, -D with the admin DN, -b with the base DN, and * for all</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># ldapsearch -LLL -x -h 172.16.76.238 -D &#34;administrator@xx.com&#34; -W -b &#34;dc=xx,dc=com&#34; &#34;*&#34;</span> </span></span><span style="display:flex;"><span> BindDN <span style="color:#e6db74">&#34;cn=administrator,cn=Users,dc=xx,dc=com&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Bind Password</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Password SecretPassword</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Domain admin password</span> </span></span><span style="display:flex;"><span> Password passwd </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Network timeout (in seconds)</span> </span></span><span style="display:flex;"><span> Timeout <span style="color:#ae81ff">15</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Enable Start TLS</span> </span></span><span style="display:flex;"><span> TLSEnable no </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Follow LDAP Referrals (anonymously)</span> </span></span><span style="display:flex;"><span> FollowReferrals no </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># TLS CA Certificate File</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># TLSCACertFile /usr/local/etc/ssl/ca.pem</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># TLS CA Certificate Directory</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># TLSCACertDir /etc/ssl/certs</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Client Certificate and key</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># If TLS client authentication is required</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># TLSCertFile /usr/local/etc/ssl/client-cert.pem</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># TLSKeyFile /usr/local/etc/ssl/client-key.pem</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Cipher Suite</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># The defaults are usually fine here</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># TLSCipherSuite ALL:!ADH:@STRENGTH</span> </span></span><span style="display:flex;"><span>&lt;/LDAP&gt; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>&lt;Authorization&gt; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Base DN</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Base DN for auth search</span> </span></span><span style="display:flex;"><span> BaseDN <span style="color:#e6db74">&#34;dc=boqii-inc,dc=com&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># User Search Filter</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># SearchFilter &#34;(&amp;(uid=%u)(accountStatus=active))&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># sAMAccountName=%u uses the sAMAccountName value as the username,</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># and &#34;memberof=CN=myvpn,DC=xx,DC=com&#34; points to the VPN user group to authenticate,</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># so any user can use VPN once they are in this group.</span> </span></span><span style="display:flex;"><span> SearchFilter <span style="color:#e6db74">&#34;(&amp;(sAMAccountName=%u)(memberof=CN=myvpn,DC=boqii-inc,DC=com))&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Require Group Membership</span> </span></span><span style="display:flex;"><span> RequireGroup false </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Add non-group members to a PF table (disabled)</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># PFTable ips_vpn_users</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> &lt;Group&gt; </span></span><span style="display:flex;"><span> <span style="color:#75715e"># BaseDN &#34;ou=Groups,dc=example,dc=com&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># SearchFilter &#34;(|(cn=developers)(cn=artists))&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># MemberAttribute uniqueMember</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Add group members to a PF table (disabled)</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># PFTable ips_vpn_eng</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> BaseDN <span style="color:#e6db74">&#34;ou=vpn,dc=boqii-inc,dc=com&#34;</span> </span></span><span style="display:flex;"><span> SearchFilter <span style="color:#e6db74">&#34;(cn=openvpn)&#34;</span> </span></span><span style="display:flex;"><span> MemberAttribute <span style="color:#e6db74">&#34;member&#34;</span> </span></span><span style="display:flex;"><span> &lt;/Group&gt; </span></span><span style="display:flex;"><span>&lt;/Authorization&gt; </span></span></code></pre></div><p>Copy the <code>ca.crt</code> certificate under <code>/etc/openvpn/key</code> for client use.</p>