安装openvpn-auth-ldap
# Install the openvpn-auth-ldap plugin package; it provides the
# openvpn-auth-ldap.so module that server.conf loads with the "plugin" directive.
yum install openvpn-auth-ldap
编辑配置文件
[root@web1 auth]# cat /etc/openvpn/auth/ldap.conf
# openvpn-auth-ldap plugin configuration.
# <LDAP>           how OpenVPN connects and binds to the directory server
# <Authorization>  how the connecting user is looked up and whether group
#                  membership is enforced
<LDAP>
	# LDAP server URL
	# NOTE(review): plain ldap:// combined with "TLSEnable no" below means the
	# bind password and every VPN user's password travel to 10.1.1.7 unencrypted.
	URL ldap://10.1.1.7

	# Bind DN (If your LDAP server doesn't support anonymous binds)
	BindDN cn=cat,dc=test,dc=com

	# Bind Password
	# Stored here in cleartext: this file must be readable only by the account
	# OpenVPN runs as, and the bind account should be read-only in the directory.
	Password 1234qwer

	# Network timeout (in seconds)
	Timeout 15

	# Enable Start TLS
	TLSEnable no

	# Follow LDAP Referrals (anonymously)
	FollowReferrals no

	# TLS CA Certificate File
	#TLSCACertFile /usr/local/etc/ssl/ca.pem

	# TLS CA Certificate Directory
	#TLSCACertDir /etc/ssl/certs

	# Client Certificate and key
	# If TLS client authentication is required
	#TLSCertFile /usr/local/etc/ssl/client-cert.pem
	#TLSKeyFile /usr/local/etc/ssl/client-key.pem

	# Cipher Suite
	# The defaults are usually fine here
	# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
	# Base DN
	BaseDN "ou=People,dc=test,dc=com"

	# User Search Filter
	# %u is replaced with the username the VPN client supplied.
	SearchFilter "(uid=%u)"

	# Require Group Membership
	# false: any entry under BaseDN that binds with the supplied password is
	# accepted. The commented <Group> block below shows how to restrict access
	# to members of specific groups instead.
	RequireGroup false

	# Add non-group members to a PF table (disabled)
	#PFTable ips_vpn_users

	# <Group>
	# 	BaseDN "ou=Groups,dc=example,dc=com"
	# 	SearchFilter "(|(cn=developers)(cn=artists))"
	# 	MemberAttribute uniqueMember
	# 	# Add group members to a PF table (disabled)
	# 	#PFTable ips_vpn_eng
	# </Group>
</Authorization>
openvpn服务端配置文件
[root@web1 auth]# cat /opt/openvpn/server.conf
# OpenVPN server: UDP/1194 on the public address, clients get 10.0.8.0/24 and
# a pushed route to 10.1.1.0/24. Users are authenticated by username/password
# through the LDAP plugin; no client certificate is required.

# Listen only on this address
local 118.186.61.82
port 1194
proto udp
dev tun
topology subnet

# Server PKI (paths relative to the OpenVPN working directory)
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
# HMAC protection of the TLS control channel; key direction 0 on the server,
# the client must use direction 1 with the same ta.key.
tls-auth keys/ta.key 0

# VPN address pool; ipp.txt keeps each client's assigned address across restarts
server 10.0.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Route pushed to clients for the internal network (the LDAP server lives there)
push "route 10.1.1.0 255.255.255.0"

# Ping every 10 s, assume the peer is gone after 120 s without a reply
keepalive 10 120
# NOTE(review): compression is discouraged in current OpenVPN releases;
# consider removing it here and in the client profile.
comp-lzo
persist-key
persist-tun
cipher AES-256-CBC
verb 3

# Logging
status logs/openvpn-status.log
# NOTE(review): "log" and "log-append" are alternatives (log truncates the
# file at startup, log-append does not); only one of them is normally used.
log logs/openvpn.log
log-append logs/openvpn.log

# Authentication: PAM variant kept commented, LDAP plugin active.
#plugin /opt/openvpn/openvpn-auth-pam.so openvpn
# NOTE(review): the plugin is normally given just the config file path;
# verify that the extra "cn=%u" token in the argument is accepted as intended.
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf cn=%u"

# Renegotiate the data channel key every hour (client uses the same value)
reneg-sec 3600
# Clients authenticate with username/password only; no client cert is checked.
# NOTE(review): deprecated since OpenVPN 2.4 in favour of "verify-client-cert none".
client-cert-not-required
客户端配置
# OpenVPN client profile matching the server above: UDP to 118.186.61.82:1194,
# username/password authentication, no client certificate.
client
dev tun
proto udp
remote 118.186.61.82 1194
# Keep retrying DNS resolution of the remote on failure
resolv-retry infinite
# Only meaningful with several "remote" lines; a no-op with the single one here
remote-random
nobind
persist-key
persist-tun

# Trust anchor for the server certificate
ca ca.crt
# Client certificate/key disabled, consistent with the server's
# client-cert-not-required setting
;cert client1.crt
;key client1.key
# Same ta.key as the server, key direction 1
tls-auth ta.key 1
cipher AES-256-CBC

# Server certificate checks. ns-cert-type is the older form and has been
# removed from newer OpenVPN releases; remote-cert-tls server below is the
# current equivalent.
ns-cert-type server
# Prompt for username/password and do not keep them cached in memory
auth-user-pass
auth-nocache
remote-cert-tls server
# NOTE(review): compression is discouraged in current OpenVPN releases
comp-lzo
reneg-sec 3600