Suppose we already have a working OpenVPN and decide to add two-factor authentication, which checks the login, the password and the user's membership in an AD group.
The usual openvpn-auth-ldap.so is not available on CentOS 7, so let's look at the option of using PAM (openvpn-plugin-auth-pam.so).
1. Add a line to the client config so that the client prompts for a login and password when connecting:
auth-user-pass
2. Add a line to the server config that enables authentication in OpenVPN via PAM (the last argument, openvpn, is the PAM service name, so the policy goes in /etc/pam.d/openvpn):
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
3. Add the OpenVPN policy to PAM (two separate lines, one for account and one for auth):
printf 'account required pam_ldap.so\nauth required pam_ldap.so\n' >> /etc/pam.d/openvpn
4. Install and enable nslcd: this daemon receives the requests from PAM and forwards them to AD.
yum install nss-pam-ldapd -y
systemctl enable nslcd
5. Now edit /etc/nslcd.conf so that its parameters match the example:
uri ldap://dc1.contoso.com
base dc=contoso,dc=com
binddn CN=ldapquery,OU=ServiceAccounts,OU=DomainUsers,DC=contoso,DC=com
bindpw P@ssw0rd
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer))(memberOf=CN=VPNUsers,OU=Groups,DC=contoso,DC=com))
map passwd uid sAMAccountName
binddn is the DN of the account that will bind to AD. The filter checks that the user account is not disabled, is not a computer object and is a member of the specified group.
AD Explorer is very helpful at this stage of the configuration.
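To make clear what the filter above actually admits, here is an added example (written for this page, not code from the original post or from nslcd) that evaluates the same filter logic in Python against constructed AD entries; the entries, their userAccountControl values and the group DN are assumptions taken from the config above or made up for the demonstration.

```python
ACCOUNTDISABLE = 0x2  # userAccountControl bit the filter tests (":1.2.840.113556.1.4.803:=2")
VPN_GROUP_DN = "CN=VPNUsers,OU=Groups,DC=contoso,DC=com"  # group from the example filter


def ldap_bit_and(value, mask):
    """LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803): true if every mask bit is set."""
    return (value & mask) == mask


def passwd_filter_accepts(entry):
    """Mirror the 'filter passwd' line:
    (&(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))
      (!(objectClass=computer))(memberOf=CN=VPNUsers,OU=Groups,DC=contoso,DC=com))
    Note: memberOf=<DN> matches direct membership only; members of groups
    nested inside VPNUsers are rejected by this filter.
    """
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "user" not in classes or "computer" in classes:
        return False
    if ldap_bit_and(int(entry.get("userAccountControl", 0)), ACCOUNTDISABLE):
        return False  # account is disabled
    groups = {dn.lower() for dn in entry.get("memberOf", [])}  # DNs compare case-insensitively
    return VPN_GROUP_DN.lower() in groups


# Constructed sample entries (not real directory data)
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = {
    "alice": {"objectClass": USER_CLASSES, "userAccountControl": 512,
              "memberOf": [VPN_GROUP_DN]},                          # enabled, in group
    "bob": {"objectClass": USER_CLASSES, "userAccountControl": 514,
            "memberOf": [VPN_GROUP_DN]},                            # 512 | 2: disabled
    "carol": {"objectClass": USER_CLASSES, "userAccountControl": 512,
              "memberOf": ["CN=Staff,OU=Groups,DC=contoso,DC=com"]},  # not in group
    "srv01$": {"objectClass": USER_CLASSES + ["computer"], "userAccountControl": 4096,
               "memberOf": [VPN_GROUP_DN]},                         # computer object
}


def resolvable_users(entries=SAMPLE_ENTRIES):
    """Accounts nslcd would hand to PAM; everything else fails OpenVPN login outright."""
    return sorted(name for name, e in entries.items() if passwd_filter_accepts(e))


if __name__ == "__main__":
    print(resolvable_users())  # → ['alice']
```

If nsswitch.conf also sends passwd lookups to ldap (an assumption, not part of this setup), `getent passwd alice` is the live equivalent of this check: a user the filter rejects is not returned at all.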
6. Run nslcd in the foreground in debug mode:
nslcd -d
and try to connect via OpenVPN. If errors occur, they are visible immediately. If everything is in order, start the nslcd daemon:
systemctl start nslcd
7. Done!