我正在尝试让 OpenVPN 通过 LDAP 上的 PAM 将用户验证到 Active Directory 服务器。
以下是我的配置文件的相关部分:
/etc/openvpn/server.conf:
# ...
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so ldap-login
/etc/nslcd.conf:
uri ldap://prod-adc1.mydomain.local
base DC=MyDomain,DC=Local
uid nslcd
gid ldap
/etc/pam.d/ldap 登录:
auth sufficient pam_ldap.so minimum_uid=1000 use_first_pass
auth required pam_deny.so
password sufficient pam_ldap.so minimum_uid=1000 use_first_pass
password required pam_deny.so
当我尝试进行身份验证时,我在日志中看到以下内容:
/var/log/安全:
Dec 4 22:22:42 localhost openvpn[25505]: pam_ldap(ldap-login:auth): failed to get password: Authentication failure
/var/log/消息:
Dec 4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 TLS: Initial packet from [AF_INET]1.2.3.4:37503, sid=c2d806cc 5c7c7ace
Dec 4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Dec 4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
Dec 4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 TLS Auth Error: Auth Username/Password verification failed for peer
Dec 4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384
Dec 4 22:38:28 localhost openvpn[25504]: 1.2.3.4:37503 Peer Connection Initiated with [AF_INET]1.2.3.4:37503
Dec 4 22:38:31 localhost openvpn[25504]: 1.2.3.4:37503 PUSH: Received control message: 'PUSH_REQUEST'
Dec 4 22:38:31 localhost openvpn[25504]: 1.2.3.4:37503 Delayed exit in 5 seconds
Dec 4 22:38:31 localhost openvpn[25504]: 1.2.3.4:37503 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Dec 4 22:38:36 localhost openvpn[25504]: 1.2.3.4:37503 SIGTERM[soft,delayed-exit] received, client-instance exiting
我是否错误地配置了 PAM?我的登录配置中是否缺少某些内容?
编辑:如果我执行以下操作,我就可以登录:
ldapsearch -h prod-adc1.mydomain.local -b "DC=MyDomain,DC=Local" -x -D "[email protected]" -W
如何将其映射到 PAM LDAP 模块以使 OpenVPN 登录按预期工作?
答案1
看起来您需要使用/etc/nslcd.conf和进行binddn配置bindpw。
看http://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5
希望这可以帮助!
—拜伦
答案2
工作设置示例(授权用户仅有的针对 LDAP 服务器,在示例中我使用的是 OpenLDAP,但此模块也支持 AD - openvpn-auth-ldap.so):
openvpn-服务器.conf:
# Authorization against LDAP
plugin /usr/lib64/openvpn-auth-ldap.so /some/path/auth-ldap.conf
身份验证-ldap.conf:
<LDAP>
# LDAP server URL
URL ldap://server.intranet.eko-inwest.com.pl:389
# Bind DN (If your LDAP server doesn’t support anonymous binds)
# BindDN uid=administrator,ou=users,dc=x,dc=y
# BindDN uid=admin,ou=Users,dc=x,dc=y
# BindDN [email protected]
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
# TLS CA Certificate File
# TLSCACertFile /etc/ssl/ca.x.y.crt
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=users,dc=x,dc=y"
# User Search Filter
#SearchFilter "(uid=%u)"
#SearchFilter "(&(uid=%u)(objectclass=posixAccount))"
# For Samba's schema
SearchFilter "(&(uid=%u)(!(sambaAcctFlags=[DUL ])))"
# Require Group Membership
RequireGroup true
# Add non-group members to a PF table (disabled)
# PFTable vpn-users
<Group>
# Match full user DN if true, uid only if false
RFC2307bis false
BaseDN "ou=groups,dc=x,dc=y"
SearchFilter "(cn=vpn-users)"
MemberAttribute memberUid
</Group>
</Authorization>