ldap pam authentication exclusively for openvpn only

I needed to implement ldap authentication and authorsiation for an openvpn setup which until now used a simple password file.

Lots of howto’s tell you to update the standard PAM login service to use ldap, and to have openvpn use that login service for authentication. I expect in most cases you’ll probably just want to have a dedicated vpn server, and not having users logging in on the system wide login. At least, that’s what I needed today to migrate away from that password file based config.

That turned out to be quite easy once you get the pam config right, though I’m still not 100% positive this particular pam config is the most optimal. In the end I just defined a new openvpn pam service by creating /etc/pam.d/openvpn with a very short and simple config.

Here’s the configuration notes which reflect this config update. All users with an ldap account, and member of the remoteaccess group are granted access to openvpn.

--- openvpn_installation_howto.txt 31 Mar 2010 12:37:42 -0000 1.16
+++ openvpn_installation_howto.txt 23 Apr 2010 14:53:23 -0000
@@ -167,6 +167,25 @@
# Server configuration

+## config update to authenticate & authorise through ldap
+aptitude install libpam-ldap
+- edit /etc/pam_ldap.conf
+ uri ldaps://ldap.server
+ base dc=division,dc=corp,dc=be
+ ldap_version 3
+ pam_groupdn cn=remoteaccess,ou=groups,dc=division,dc=corp,dc=be
+ pam_member_attribute memberUid
+ pam_password crypt
+ tls_checkpeer no
+- create /etc/pam.d/openvpn
+ auth required pam_ldap.so
+ account required pam_ldap.so
+- edit server-udp.conf and server-tcp.conf
+ #auth-user-pass-verify /etc/openvpn/fileauth.pl via-file
+ plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

This entry was posted in Archief and tagged , , , , , . Bookmark the permalink.

Comments are closed.