Hi,
On Wed, Feb 15, 2017 at 8:20 AM, debbie10t <[email protected]> wrote:
> I do not know of any plugin for this, are there any ?
>
> My guess would be a script/batch file on the vpn server
> which does some auth against windows server or AD.
>
> Any general pointers would be appreciated.
>
Use the pam plugin with ldap handled by pam using pam_ldap. This allows all the
flexibility of pam.

In the server config:

plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

and here is a simplified pam config to match:

cat /etc/pam.d/openvpn
auth sufficient pam_ldap.so config=/etc/pam_ldap.conf
auth required pam_unix.so try_first_pass
account sufficient pam_ldap.so config=/etc/pam_ldap.conf
account required pam_unix.so

This checks ldap first and falls back to the local "unix" user database. If
that is not desired, change "sufficient" to "required" and remove the
pam_unix.so lines. Or it could be customized to meet more complex needs.

In /etc/pam_ldap.conf you will need something like (for a domain:
dom.local, bind user: user, bind user pass: secret)

host host_ad1 host_ad2 ..
base cn=Users,dc=dom,dc=local
binddn [email protected]
pam_login_attribute userPrincipalName
# or use binddn cn=User Name,cn=Users,dc=dom,dc=local
# with pam_login_attribute sAMAccountName
bindpw secret
Selva
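As an added illustration (not from Selva's mail or the OpenVPN project), the Python below simulates Linux-PAM's simplified control-flag semantics over the two stacks discussed above, showing why the sufficient/required pairing falls back to pam_unix.so and why the required-only variant does not. Module outcomes are assumed inputs passed in by the caller, not real authentication.

```python
"""Simulate how Linux-PAM walks a control-flag stack such as the
/etc/pam.d/openvpn example in the mail. Simplified: only the keywords
required/requisite/sufficient/optional, no [value=action] syntax."""

# Constructed sample: LDAP first, fall back to the local unix database.
PAM_LDAP_WITH_FALLBACK = """\
auth sufficient pam_ldap.so config=/etc/pam_ldap.conf
auth required pam_unix.so try_first_pass
account sufficient pam_ldap.so config=/etc/pam_ldap.conf
account required pam_unix.so
"""

# Constructed sample: the LDAP-only variant the mail describes.
PAM_LDAP_ONLY = """\
auth required pam_ldap.so config=/etc/pam_ldap.conf
account required pam_ldap.so config=/etc/pam_ldap.conf
"""


def parse_pam(text):
    """Return [(type, control, module)] for each non-comment, non-blank line."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        stack.append((parts[0], parts[1], parts[2]))
    return stack


def evaluate(text, mtype, results):
    """Evaluate the `mtype` (auth/account) stack of a PAM file.
    `results` maps module file name -> True (PAM_SUCCESS) / False (failure);
    a module not listed is treated as failing. Returns True if access is granted."""
    required_failed = False
    for stack_type, control, module in parse_pam(text):
        if stack_type != mtype:
            continue
        ok = results.get(module, False)
        if control == "requisite" and not ok:
            return False  # requisite failure ends the stack immediately
        if control == "required" and not ok:
            required_failed = True  # remembered, later modules still run
        if control == "sufficient" and ok and not required_failed:
            return True  # short-circuit: pam_unix.so is never consulted
        # a successful required module, or optional, just continues
    return not required_failed
```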
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users