
Configuring Authentication in OpenVPN via Active Directory on CentOS 7

Imagine that we already have a working OpenVPN server and want to add two-factor authentication, that is, checking the user's login and password and the user's membership in an AD group.

The traditional openvpn-auth-ldap.so is not available for CentOS 7, so we will use PAM (openvpn-plugin-auth-pam.so) instead.

1. Add a line to the client config so that the client prompts for a login and password when connecting:

auth-user-pass

2. Add a line to the server config that enables authentication in OpenVPN via PAM:

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

3. Add the OpenVPN policy to PAM (two directives, each on its own line):

printf 'account required pam_ldap.so\nauth required pam_ldap.so\n' >> /etc/pam.d/openvpn

4. Install and enable nslcd. This service receives requests from PAM and forwards them to AD.

yum install nss-pam-ldapd -y
systemctl enable nslcd

5. Now edit /etc/nslcd.conf so that its parameters match the example:

uri ldap://dc1.contoso.com
base dc=contoso,dc=com
binddn CN=ldapquery,OU=ServiceAccounts,OU=DomainUsers,DC=contoso,DC=com
bindpw P@ssw0rd

pagesize 1000
referrals off

filter passwd (&(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer))(memberOf=CN=VPNUsers,OU=Groups,DC=contoso,DC=com))

map passwd uid sAMAccountName

binddn is the DN of the account that nslcd uses to bind to AD. The filter checks that the user account is not disabled (UserAccountControl bit 2, tested with the 1.2.840.113556.1.4.803 bitwise-AND matching rule) and that the user is a member of the specified group. In general, AD Explorer is very helpful at this stage of configuration.

6. Run nslcd in console debug mode

nslcd -d

and try to connect via OpenVPN. If errors occur, they will be visible immediately. If everything is in order, start the nslcd daemon:

systemctl start nslcd

7. Done!
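As an added example (not part of the original post), the following script is a pre-flight check for the setup above: it verifies that /etc/pam.d/openvpn has both PAM directives on separate lines, that nslcd.conf contains the settings the post relies on (uri, base, binddn, bindpw, a passwd filter that excludes disabled accounts and requires group membership, the uid mapping), and that the file holding the clear-text bindpw is readable by root only. File paths are arguments, so it can be run against copies; it assumes a GNU/Linux userland as on CentOS 7.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the PAM policy and
# nslcd.conf produced by the steps above. Paths are passed as arguments.

check_pam_file() {
    # Each PAM directive must be on its own line, or PAM will ignore the policy.
    grep -Eq '^account[[:space:]]+required[[:space:]]+pam_ldap\.so' "$1" || return 1
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_ldap\.so' "$1" || return 1
}

check_nslcd_conf() {
    f="$1"
    for key in uri base binddn bindpw; do
        grep -Eq "^$key[[:space:]]+[^[:space:]]" "$f" || { echo "nslcd.conf: missing $key" >&2; return 1; }
    done
    filter=$(grep -E '^filter[[:space:]]+passwd' "$f" || true)
    # Disabled accounts (userAccountControl bit 0x2) must be excluded ...
    case "$filter" in *'!(UserAccountControl:1.2.840.113556.1.4.803:=2)'*) ;;
        *) echo "nslcd.conf: filter does not exclude disabled accounts" >&2; return 1 ;; esac
    # ... and membership in the VPN group must be required.
    case "$filter" in *'memberOf='*) ;;
        *) echo "nslcd.conf: filter has no memberOf restriction" >&2; return 1 ;; esac
    grep -Eq '^map[[:space:]]+passwd[[:space:]]+uid[[:space:]]+sAMAccountName' "$f" || return 1
    # bindpw is stored in clear text: group and other permission bits must all be off.
    [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || { echo "nslcd.conf: must be mode 0600" >&2; return 1; }
}

# Constructed sample files using the values from the post, for a stand-alone run.
write_sample_files() {
    printf 'account required pam_ldap.so\nauth required pam_ldap.so\n' > "$1/openvpn.pam"
    cat > "$1/nslcd.conf" <<'EOF'
uri ldap://dc1.contoso.com
base dc=contoso,dc=com
binddn CN=ldapquery,OU=ServiceAccounts,OU=DomainUsers,DC=contoso,DC=com
bindpw P@ssw0rd
filter passwd (&(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer))(memberOf=CN=VPNUsers,OU=Groups,DC=contoso,DC=com))
map passwd uid sAMAccountName
EOF
    chmod 600 "$1/nslcd.conf"
}

tmp=$(mktemp -d) && write_sample_files "$tmp"
check_pam_file "$tmp/openvpn.pam" && check_nslcd_conf "$tmp/nslcd.conf" && echo "pre-flight checks passed"
rm -rf "$tmp"
```

To check a live system, call `check_pam_file /etc/pam.d/openvpn` and `check_nslcd_conf /etc/nslcd.conf` instead of the sample files.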

Source: https://habr.com/ru/post/276653/
