-
Notifications
You must be signed in to change notification settings - Fork 63
Configuration
pitchum edited this page Apr 16, 2021
·
2 revisions
Configuring the OpenVPN Auth-LDAP Plugin
Copied from auth-ldap.conf.
<LDAP>
# LDAP server URL
URL ldap://ldap1.example.org
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
# Bind Password
# Password SecretPassword
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=People,dc=example,dc=com"
# User Search Filter
SearchFilter "(&(uid=%u)(accountStatus=active))"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
# Uncomment and set to true to support OpenVPN Challenge/Response
#PasswordIsCR false
<Group>
# Default is true. Match full user DN if true, uid only if false.
# RFC2307bis true
# Default is true. Uncomment and set to false if you want to use a Search operation to determine group
# membership instead of Compare. Lower performance, so Compare should generally be used, but Search is
# required in certain LDAP environments.
# UseCompareOperation true
BaseDN "ou=Groups,dc=example,dc=com"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>