Building an OpenVPN Server that authenticates against an LDAP Server

Only the parts that differ from the previous setup are listed.
1. Install the openvpn-auth-ldap package
Ubuntu 16.04
# apt-get install openvpn-auth-ldap
CentOS 6.x/7.x
# yum install openvpn-auth-ldap

2. Edit /etc/openvpn/server.conf
Append the following settings at the end of the file
# vim /etc/openvpn/server.conf
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf

# CentOS 7
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf

Confirm the location of the openvpn-auth-ldap.so file, and make sure the configuration path passed to the plugin matches the file you create in step 4.

3. Create the directory /etc/openvpn/auth/
# mkdir /etc/openvpn/auth/

4. Create the /etc/openvpn/auth/auth-ldap.conf configuration file
# egrep -v '^#|^$' /etc/openvpn/auth/auth-ldap.conf
<LDAP>
        # LDAP server URL
        #URL            ldap://ldap1.example.org
        URL             ldap://192.168.1.20
        # Bind DN (If your LDAP server doesn't support anonymous binds)
        BindDN          cn=admin,dc=bpim3,dc=test,dc=org
        # Bind Password
        # Password      SecretPassword
        Password        123456
        # Network timeout (in seconds)
        Timeout         15
        # Enable Start TLS
        # Follow LDAP Referrals (anonymously)
        # TLS CA Certificate File
        # TLS CA Certificate Directory
        # Client Certificate and key
        # If TLS client authentication is required
        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite        ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
        # Base DN
        BaseDN          "ou=People,dc=example,dc=com"
        # User Search Filter
        SearchFilter    "(&(uid=%u))"
        # Require Group Membership
        RequireGroup    false
        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users
</Authorization>
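As an added check that is not part of the original post, the following Python script parses the <Section> key value layout of auth-ldap.conf and flags the settings in the sample above that decide how exposed the deployment is: a plain ldap:// URL without StartTLS (the plugin's TLSEnable key, which the page references only by its comment), a bind password kept in the file, and RequireGroup false. The embedded config is constructed to mirror the one in step 4.

```python
import re

# Constructed sample mirroring the auth-ldap.conf from step 4 (not the page's own file).
PAGE_CONF = """
<LDAP>
        URL             ldap://192.168.1.20
        BindDN          cn=admin,dc=bpim3,dc=test,dc=org
        Password        123456
</LDAP>
<Authorization>
        BaseDN          "ou=People,dc=example,dc=com"
        SearchFilter    "(&(uid=%u))"
        RequireGroup    false
</Authorization>
"""

def parse_auth_ldap_conf(text):
    """Parse the <Section> ... </Section> key/value layout into nested dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank or comment line
            continue
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag:                                       # section open or close
            current = None if tag.group(1) else tag.group(2)
            if current:
                sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("directive outside a section: " + line)
        parts = re.split(r"\s+", line, maxsplit=1)
        value = parts[1].strip('"') if len(parts) == 2 else ""
        sections[current][parts[0]] = value
    return sections

def audit(sections):
    """Return findings for the settings that decide how safe this deployment is."""
    ldap = sections.get("LDAP", {})
    authz = sections.get("Authorization", {})
    findings = []
    starttls = ldap.get("TLSEnable", "no").lower() in ("yes", "true")  # plugin's StartTLS key
    if ldap.get("URL", "").startswith("ldap://") and not starttls:
        findings.append("cleartext LDAP: bind password and every VPN user's password "
                        "cross the network unencrypted; use ldaps:// or TLSEnable yes")
    if ldap.get("Password"):
        findings.append("bind password stored in the file: keep it root-owned, mode 0600")
    if authz.get("RequireGroup", "false").lower() != "true":
        findings.append("RequireGroup false: any account matching SearchFilter can log in")
    return findings
```

Running audit(parse_auth_ldap_conf(PAGE_CONF)) on the sample reports all three findings; switching to ldaps:// or adding TLSEnable yes clears the first.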

5. Check that the OpenVPN configuration file is correct
# openvpn --config /etc/openvpn/server.conf

6. Restart the OpenVPN Server and check that it started normally
# systemctl restart openvpn@server.service; systemctl status openvpn@server.service

7. Add the following to the client configuration file
auth-user-pass