Configure authentication in OpenVPN through Active Directory in CentOS 7
Imagine that we already have OpenVPN configured and have decided to add two-factor authentication, which here means checking the username, the password and the user's membership in an AD group.
The traditional openvpn-auth-ldap.so is not available on CentOS 7, so we use PAM instead (openvpn-plugin-auth-pam.so).
1. Add a line to the client's config so that the client asks for a login and password when connecting:

auth-user-pass

2. Add a line to the server's config that enables authentication in OpenVPN via PAM:

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

3. Add the OpenVPN policy to PAM:

echo 'account required pam_ldap.so
auth required pam_ldap.so' >> /etc/pam.d/openvpn
4. Install and enable nslcd; this service receives the requests from PAM and relays them to AD.

yum install nss-pam-ldapd -y
systemctl enable nslcd
5. Now edit the parameters in /etc/nslcd.conf to match the example. binddn is the DN of the account that nslcd will use to connect to AD. The filter checks that the account is not disabled and that it is a member of the specified group. At this stage of the configuration, AD Explorer helps a lot.

uri ldap://dc1.contoso.com
base dc=contoso,dc=com
binddn CN=ldapquery,OU=ServiceAccounts,OU=DomainUsers,DC=contoso,DC=com
bindpw P@ssw0rd
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer))(memberOf=CN=VPNUsers,OU=Groups,DC=contoso,DC=com))
map passwd uid sAMAccountName

6. Run nslcd in console debug mode:

nslcd -d
and try to connect through OpenVPN. Any errors will be visible immediately. If everything is in order, start the nslcd daemon:

systemctl start nslcd
7. Done!
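To see exactly which accounts the filter from step 5 lets through (and which it rejects), here is an added example that is not part of the original article: a small evaluator for the RFC 4515 subset the filter uses, run against constructed AD entries. The filter string is the one from /etc/nslcd.conf above; the entries, their userAccountControl values and the nested group "Contractors" are constructed sample data.

```python
"""Evaluate the 'filter passwd' expression from /etc/nslcd.conf against
constructed Active Directory entries to see which accounts nslcd would
hand to PAM, and therefore which could log in to OpenVPN.

Added example, not code from the article. The entries are constructed
sample data; the filter string is the one the article puts in nslcd.conf.
Supports the RFC 4515 subset that filter uses: &, |, !, equality,
presence (*) and the LDAP_MATCHING_RULE_BIT_AND extensible match
(OID 1.2.840.113556.1.4.803) applied to userAccountControl.
Value escaping (\\28 and friends) is not handled."""

VPN_FILTER = (
    "(&(objectClass=user)"
    "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"
    "(!(objectClass=computer))"
    "(memberOf=CN=VPNUsers,OU=Groups,DC=contoso,DC=com))"
)

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
VPN_GROUP = "CN=VPNUsers,OU=Groups,DC=contoso,DC=com"

# Constructed sample entries. userAccountControl 512 = NORMAL_ACCOUNT,
# 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE (bit 2), 4096 = WORKSTATION_TRUST_ACCOUNT.
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["alice"], "objectClass": ["top", "person", "user"],
     "userAccountControl": ["512"], "memberOf": [VPN_GROUP]},
    {"sAMAccountName": ["bob"], "objectClass": ["top", "person", "user"],
     "userAccountControl": ["514"], "memberOf": [VPN_GROUP]},        # disabled
    {"sAMAccountName": ["carol"], "objectClass": ["top", "person", "user"],
     "userAccountControl": ["512"],
     "memberOf": ["CN=Staff,OU=Groups,DC=contoso,DC=com"]},          # not in group
    {"sAMAccountName": ["dave"], "objectClass": ["top", "person", "user"],
     "userAccountControl": ["512"],
     # Contractors is (hypothetically) nested inside VPNUsers, but memberOf
     # lists only direct membership, so this filter will not see it.
     "memberOf": ["CN=Contractors,OU=Groups,DC=contoso,DC=com"]},
    {"sAMAccountName": ["ws01$"], "objectClass": ["top", "person", "user", "computer"],
     "userAccountControl": ["4096"], "memberOf": [VPN_GROUP]},       # computer object
]


def parse(s, i=0):
    """Parse one parenthesised filter item starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    op = s[i]
    if op in "&|":
        children, i = [], i + 1
        while s[i] == "(":
            child, i = parse(s, i)
            children.append(child)
        return (op, children), _expect_close(s, i)
    if op == "!":
        child, i = parse(s, i + 1)
        return ("!", child), _expect_close(s, i)
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")   # split on the first '=' only: DN values contain '='
    return ("=", attr, value), end + 1


def _expect_close(s, i):
    if s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return i + 1


def attribute_values(entry, name):
    """LDAP attribute names are case-insensitive (the filter writes UserAccountControl)."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    rule = None
    if ":" in attr:                      # extensible match written as "attr:rule:"
        parts = attr.split(":")
        attr, rule = parts[0], parts[1]
    values = attribute_values(entry, attr)
    if rule == BIT_AND_RULE:             # every bit of the filter value must be set
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def allowed_logins(entries, filter_str=VPN_FILTER):
    """Return the sAMAccountName (what 'map passwd uid sAMAccountName' turns into the
    Unix login) of every entry the filter accepts."""
    tree, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return sorted(attribute_values(e, "sAMAccountName")[0]
                  for e in entries if matches(tree, e))


if __name__ == "__main__":
    print("accounts nslcd would expose to PAM:", allowed_logins(SAMPLE_ENTRIES))
    # → ['alice']
```

Only alice survives: bob has the ACCOUNTDISABLE bit set, carol is not in VPNUsers, ws01$ is a computer object, and dave is rejected because memberOf only lists direct group membership, so nesting groups inside VPNUsers does not grant access with this filter (transitive membership would need the LDAP_MATCHING_RULE_IN_CHAIN rule, 1.2.840.113556.1.4.1941, on memberOf). Since nslcd.conf holds bindpw in clear text, keep that file readable by root only.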