How to configure LDAP authentication with openvpn server
This feature is missing from the GUI, but it can be configured manually by editing the settings file:

    /var/efw/openvpn/settings

Authentication Stack

With the introduction of LDAP authentication, the openvpn authentication procedure is now done as stacked modules. Right now there are authentication modules for local authentication and for LDAP authentication. If the user can't be authenticated with the first authentication module, the next module of the stack is tried, until there are no more authentication modules or the user is authenticated.

Openvpn account

When a user should be authenticated through an external authentication module, like LDAP, it is not required to create that user locally as an openvpn account. However, if you want to configure openvpn-specific options, like the routing information, you need to create that user as an openvpn user as well. In that case a password is not necessarily required.

Configuration Keys

General about authentication

AUTHENTICATION_STACK defines the stacked authentication modules which should be used, in the order in which they are tried.

Example:
    AUTHENTICATION_STACK=local,ldap

LDAP authentication module

Keys for access to the LDAP server:

LDAP_URI defines the LDAP server to connect to. Format: protocol://host[:port]

Example:
    LDAP_URI=ldap://192.168.15.29

If the LDAP server requires authentication and does not allow anonymous binding, you may configure the optional keys LDAP_BIND_DN and LDAP_BIND_PASSWORD:

LDAP_BIND_DN specifies the distinguished name (dn) of the user which can read the required LDAP subtree. Normally the super-user.

Example:
    LDAP_BIND_DN=cn=Manager,dc=endian,dc=test
    LDAP_BIND_PASSWORD=endian

Keys for LDAP Authentication

The next required information is where actually to find the users:

LDAP_USER_BASEDN specifies the LDAP subtree where the users are stored.

LDAP_USER_SEARCHFILTER specifies a search filter as defined in RFC 4515. All matches to this search filter under the subtree LDAP_USER_BASEDN are considered openvpn users. If an LDAP bind is successful using one of those dn's and the corresponding password, the user is authenticated. Within the openvpn client you need to pass the uid, not the common name. The corresponding common name is looked up in the LDAP tree by searching for the objects that match the search filter and have the username as uid; the %(u)s placeholder in the filter stands for the username.

Example:
    LDAP_USER_BASEDN=ou=People,dc=endian,dc=test
    LDAP_USER_SEARCHFILTER=(&(uid=%(u)s)(loginShell=/sbin/nologin))

Keys for Authorization

In order to allow only a subset of the authenticated LDAP users to actually use the openvpn server, it is possible to specify an optional filter which authorizes only users that are members of a specified group. If this configuration is omitted, all authenticated users are authorized.

LDAP_REQUIRE_GROUP is a toggle (on/off) which specifies whether authorization checks should be done or not. If enabled, the following keys need to be specified:

LDAP_GROUP_BASEDN specifies the subtree where the group definitions are stored.

Example:
    LDAP_REQUIRE_GROUP=on
    LDAP_GROUP_BASEDN=ou=Group,dc=endian,dc=test

LDAP_GROUP_SEARCHFILTER specifies a search filter as defined in RFC 4515 whose matches are considered groups.

LDAP_MEMBERATTRIBUTE (written LDAP_GROUP_MEMBERATTRIBUTE in the examples on this page) specifies the name of the member attribute of the objects found by the search filter. Its content is considered a list of user ids (uid) or common names (cn) which are members of the group; the users listed there are authorized.

Example:
    LDAP_GROUP_SEARCHFILTER=(|(cn=openvpn)(cn=wheel)(cn=VPNaccept))
    LDAP_GROUP_MEMBERATTRIBUTE=uniqueMember

Configuration Example

    AUTHENTICATION_STACK=ldap,local
    LDAP_URI=ldap://192.168.15.29
    LDAP_BIND_DN=cn=Manager,dc=endian,dc=test
    LDAP_BIND_PASSWORD=endian
    LDAP_USER_BASEDN=ou=People,dc=endian,dc=test
    LDAP_USER_SEARCHFILTER=(&(uid=%(u)s)(loginShell=/sbin/nologin))
    LDAP_REQUIRE_GROUP=on
    LDAP_GROUP_BASEDN=ou=Group,dc=endian,dc=test
    LDAP_GROUP_SEARCHFILTER=(|(cn=openvpn)(cn=wheel)(cn=VPNaccept))
    LDAP_GROUP_MEMBERATTRIBUTE=uniqueMember

This configuration authenticates using LDAP and, if that fails, uses local authentication. It uses 192.168.15.29 as the LDAP server, binding as cn=Manager,dc=endian,dc=test with the password endian. It considers as openvpn users all objects under ou=People,dc=endian,dc=test that have an attribute uid matching the openvpn user name and an attribute loginShell matching /sbin/nologin. The user is authorized if he is a member of one of the groups under the subtree ou=Group,dc=endian,dc=test identified by the common names openvpn, wheel or VPNaccept, that is, if he is listed in that group's uniqueMember attribute.
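The following is an added example, not Endian's code and not part of the original article: a small Python model of the authentication stack described above. It parses the settings text in the page's key=value format, then walks AUTHENTICATION_STACK for a login attempt (service bind with LDAP_BIND_DN, user lookup under LDAP_USER_BASEDN with %(u)s substituted, bind as the found user, and the optional group check under LDAP_GROUP_BASEDN). The LDAP server is replaced by a constructed in-memory directory with a minimal RFC 4515 filter matcher, so it runs offline; the directory entries, the local account table and the user names are all constructed, and accepting the user's DN (not just uid or cn) in the member attribute is an assumption made here.

```python
# Added example, not Endian's code: a model of the stacked authentication above, run against a
# constructed in-memory directory in place of the server named in LDAP_URI.
import re

SETTINGS_TEXT = """\
AUTHENTICATION_STACK=ldap,local
LDAP_URI=ldap://192.168.15.29
LDAP_BIND_DN=cn=Manager,dc=endian,dc=test
LDAP_BIND_PASSWORD=endian
LDAP_USER_BASEDN=ou=People,dc=endian,dc=test
LDAP_USER_SEARCHFILTER=(&(uid=%(u)s)(loginShell=/sbin/nologin))
LDAP_REQUIRE_GROUP=on
LDAP_GROUP_BASEDN=ou=Group,dc=endian,dc=test
LDAP_GROUP_SEARCHFILTER=(|(cn=openvpn)(cn=wheel)(cn=VPNaccept))
LDAP_GROUP_MEMBERATTRIBUTE=uniqueMember
"""

def parse_settings(text):
    """KEY=VALUE lines, split on the first '=' only because DNs and filters contain '='."""
    pairs = (l.partition("=") for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def ldap_escape(value):
    """RFC 4515 escaping for a value placed into the %(u)s slot of a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def parse_filter(text):
    """Parse the RFC 4515 subset this page uses: (&..), (|..), (!..) and (attr=value)."""
    pos = 0
    def node():
        nonlocal pos
        pos += 1                                   # consume '('
        if text[pos] in "&|!":
            op, pos, kids = text[pos], pos + 1, []
            while text[pos] != ")":
                kids.append(node())
            pos += 1                               # consume ')'
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1                              # undo \XX escapes before comparing
        return ("=", attr, re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value))
    return node()

def matches(tree, attrs):
    if tree[0] == "=":
        return tree[2] in attrs.get(tree[1], [])
    results = [matches(k, attrs) for k in tree[1]]
    return all(results) if tree[0] == "&" else any(results) if tree[0] == "|" else not results[0]

class Directory:
    """Constructed stand-in for the LDAP server: {dn: (attributes, bind password or None)}."""
    def __init__(self, entries):
        self.entries = entries
    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry[1] is not None and entry[1] == password
    def search(self, basedn, filter_text):
        tree = parse_filter(filter_text)
        return [(dn, a) for dn, (a, _) in self.entries.items()
                if dn.endswith("," + basedn) and matches(tree, a)]

def ldap_authenticate(s, directory, username, password):
    """One run of the LDAP module: service bind, user lookup, user bind, optional group check."""
    if s.get("LDAP_BIND_DN") and not directory.bind(s["LDAP_BIND_DN"], s.get("LDAP_BIND_PASSWORD", "")):
        return False
    found = directory.search(s["LDAP_USER_BASEDN"],
                             s["LDAP_USER_SEARCHFILTER"] % {"u": ldap_escape(username)})
    if len(found) != 1:                            # no match, or an ambiguous one: refuse
        return False
    user_dn, user_attrs = found[0]
    if not directory.bind(user_dn, password):
        return False
    if s.get("LDAP_REQUIRE_GROUP") != "on":
        return True
    # page: member attribute lists uids or cns; accepting the DN too is an assumption made here
    identities = {username, user_dn, *user_attrs.get("cn", [])}
    groups = directory.search(s["LDAP_GROUP_BASEDN"], s["LDAP_GROUP_SEARCHFILTER"])
    return any(identities & set(a.get(s["LDAP_GROUP_MEMBERATTRIBUTE"], [])) for _, a in groups)

def authenticate(s, directory, local_accounts, username, password):
    """Walk AUTHENTICATION_STACK left to right; return the module that accepted the user, or None."""
    if not password:        # an empty password would become an unauthenticated LDAP bind (RFC 4513)
        return None
    for module in s["AUTHENTICATION_STACK"].split(","):
        if module == "local" and local_accounts.get(username) == password:
            return "local"
        if module == "ldap" and ldap_authenticate(s, directory, username, password):
            return "ldap"
    return None

# constructed sample data: alice is in the openvpn group, bob is not, carol only has a local account
DIRECTORY = Directory({
    "cn=Manager,dc=endian,dc=test": ({}, "endian"),
    "cn=Alice,ou=People,dc=endian,dc=test": ({"uid": ["alice"], "cn": ["Alice"], "loginShell": ["/sbin/nologin"]}, "alice-pw"),
    "cn=Bob,ou=People,dc=endian,dc=test": ({"uid": ["bob"], "cn": ["Bob"], "loginShell": ["/sbin/nologin"]}, "bob-pw"),
    "cn=openvpn,ou=Group,dc=endian,dc=test": ({"cn": ["openvpn"], "uniqueMember": ["cn=Alice,ou=People,dc=endian,dc=test"]}, None),
})
LOCAL_ACCOUNTS = {"carol": "carol-pw"}             # openvpn accounts that carry a local password
SETTINGS = parse_settings(SETTINGS_TEXT)
```

With these settings, authenticate(SETTINGS, DIRECTORY, LOCAL_ACCOUNTS, "alice", "alice-pw") returns "ldap", "bob" with the right password returns None because he authenticates but is not authorized by the group filter (switch LDAP_REQUIRE_GROUP to off and he is accepted), and "carol" falls through to the local module. Two details in the model are worth carrying over to a real deployment: the username is RFC 4515-escaped before it replaces %(u)s, so a name containing filter metacharacters cannot change the meaning of LDAP_USER_SEARCHFILTER, and an empty password is rejected up front, because an LDAP bind with an empty password is treated as an anonymous bind and would otherwise look like success. Note also that LDAP_BIND_PASSWORD sits in clear text in /var/efw/openvpn/settings and that an ldap:// URI without TLS sends every bind password in the clear, so the file's permissions and the transport to the server both deserve a look.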