CentOs 7 + OpenVPN + Ldap
-
- Posts: 6
- Joined: 2019/02/20 10:24:02
CentOs 7 + OpenVPN + Ldap
I have a problem when I try to do an authentication on Windows 10 to the VPN: it asks for the AD user, but doesn't make a connection...
I configured the /etc/openvpn/server.conf and the Ldap.conf... But there is a thing that I'm missing, that I don't know how to make..
In LDAP.conf file there is:
# Enable Start TLS
TLSEnable no #yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
Do I have to install anything to do this auth with TLS? How do I create the ca.pem, client-cert.pem and client-key.pem??
I guess that is the only thing that I'm missing..
Can someone help me?
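To make the question above concrete, here is an added example (not code from anyone in this thread) that builds a throwaway lab CA and a client key/certificate with openssl in the file layout the posted ldap.conf expects (ca.pem, client-cert.pem, client-key.pem), then checks that the client certificate chains to the CA and that the key belongs to the certificate, two things that otherwise surface in OpenVPN only as an opaque TLS handshake failure. Everything in it is an assumption: the output directory, the subject names, the validity period and the dc.example.test host are made up for the lab. For a real Active Directory domain, ca.pem should be the domain CA's public certificate exported from the DC, not a self-made one, and client-cert.pem/client-key.pem are only needed if the LDAP server requires TLS client authentication. TLSEnable yes (StartTLS over ldap://) is what keeps the BindDN password from crossing the wire in clear text.

```shell
#!/bin/sh
# Added example, not code from the thread: lab CA + client key/cert with openssl,
# laid out as ca.pem, client-cert.pem, client-key.pem for openvpn-auth-ldap.
# For a real AD domain, ca.pem is the domain CA's exported public cert instead.
set -eu

# Assumed lab paths. /etc/pki/tls/certs would be the SELinux-friendly location
# on CentOS 7; the default here keeps the lab in the current directory.
OUT_DIR="${OUT_DIR:-./lab-ssl}"
DAYS="${DAYS:-365}"

# Create a self-signed CA (private key kept mode 0600 via umask).
make_test_ca() {
    mkdir -p "$OUT_DIR"
    ( umask 077; openssl genrsa -out "$OUT_DIR/ca-key.pem" 2048 2>/dev/null )
    openssl req -x509 -new -key "$OUT_DIR/ca-key.pem" -sha256 -days "$DAYS" \
        -subj "/CN=Lab Test CA" -out "$OUT_DIR/ca.pem" 2>/dev/null
}

# Create the client key and a CSR, then sign the CSR with the lab CA.
# The CN is the identity the OpenVPN server presents to LDAP (assumed name).
make_client_cert() {
    ( umask 077; openssl genrsa -out "$OUT_DIR/client-key.pem" 2048 2>/dev/null )
    openssl req -new -key "$OUT_DIR/client-key.pem" -sha256 \
        -subj "/CN=openvpn-ldap-client" -out "$OUT_DIR/client.csr" 2>/dev/null
    openssl x509 -req -in "$OUT_DIR/client.csr" -CA "$OUT_DIR/ca.pem" \
        -CAkey "$OUT_DIR/ca-key.pem" -CAcreateserial -sha256 -days "$DAYS" \
        -out "$OUT_DIR/client-cert.pem" 2>/dev/null
    rm -f "$OUT_DIR/client.csr"
}

# Does client-cert.pem chain to the CA named in TLSCACertFile? 0 = yes.
verify_chain() {
    openssl verify -CAfile "$OUT_DIR/ca.pem" "$OUT_DIR/client-cert.pem" >/dev/null 2>&1
}

# Does the private key actually belong to the certificate? Compares RSA moduli.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$OUT_DIR/client-cert.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$OUT_DIR/client-key.pem")
    [ "$cert_mod" = "$key_mod" ]
}

# Print only the TLS lines of the <LDAP> block for the files just created, in
# openvpn-auth-ldap's block syntax; URL, BindDN, Password and Timeout still
# belong in the same block. dc.example.test is an assumed AD host name.
print_ldap_tls_stanza() {
    cat <<EOF
<LDAP>
  # StartTLS upgrades a plain ldap:// connection, so the URL stays ldap://
  URL ldap://dc.example.test
  TLSEnable yes
  TLSCACertFile $OUT_DIR/ca.pem
  TLSCertFile $OUT_DIR/client-cert.pem
  TLSKeyFile $OUT_DIR/client-key.pem
</LDAP>
EOF
}

make_test_ca
make_client_cert
if verify_chain && key_matches_cert; then
    echo "lab CA and client cert written to $OUT_DIR"
    print_ldap_tls_stanza
fi
```

Run it with sh on a host that has openssl; it writes the three files plus ca-key.pem and prints the matching TLS lines for ldap.conf. Keep ca-key.pem off the OpenVPN server altogether once the client cert is signed, and in production replace the generated ca.pem with the directory's real CA certificate.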
Re: CentOs 7 + OpenVPN + Ldap
My /etc/openvpn/auth/ldap.conf looks quite different:
Which probably means you didn't even get the syntax right?
Code:
<LDAP>
URL ldapi:///var/run/ldapi
BindDN uid=xxx,ou=System-User,dc=localhost
Password xxxxxxxxxxxxxxxxxxxxxx
Timeout 15
TLSEnable no
FollowReferrals no
</LDAP>
<Authorization>
BaseDN "ou=People,dc=localhost"
SearchFilter "(uid=%u)"
RequireGroup true
<Group>
BaseDN "ou=Groups,dc=localhost"
SearchFilter "(cn=xxx)"
MemberAttribute uniqueMember
</Group>
</Authorization>
-
- Posts: 6
- Joined: 2019/02/20 10:24:02
Re: CentOs 7 + OpenVPN + Ldap
You have no TLS Auth??
-
- Posts: 6
- Joined: 2019/02/20 10:24:02
Re: CentOs 7 + OpenVPN + Ldap
This doesn't work...

chemal wrote: ↑2019/02/20 16:40:16
My /etc/openvpn/auth/ldap.conf looks quite different:
Which probably means you didn't even get the syntax right?
Code:
<LDAP>
URL ldapi:///var/run/ldapi
BindDN uid=xxx,ou=System-User,dc=localhost
Password xxxxxxxxxxxxxxxxxxxxxx
Timeout 15
TLSEnable no
FollowReferrals no
</LDAP>
<Authorization>
BaseDN "ou=People,dc=localhost"
SearchFilter "(uid=%u)"
RequireGroup true
<Group>
BaseDN "ou=Groups,dc=localhost"
SearchFilter "(cn=xxx)"
MemberAttribute uniqueMember
</Group>
</Authorization>
Can you explain how you authenticate in AD??
With a file like you have, it doesn't work...
Re: CentOs 7 + OpenVPN + Ldap
This is a complete example of a working configuration for openvpn-auth-ldap. Of course, it won't work unmodified for you.
If you need encryption, you better add it after you have it working without encryption.
-
- Posts: 6
- Joined: 2019/02/20 10:24:02
Re: CentOs 7 + OpenVPN + Ldap
But how to do that??
I created a file like yours and it doesn't work...
Can you explain step by step?
Re: CentOs 7 + OpenVPN + Ldap
One possible reason for it not working could be the use of /usr/local/etc to store your SSL certs. This directory is unknown to selinux so the files there will probably have an incorrect label on them and selinux may be denying access to them. Run aureport -a to get a list of the denials and look at the timestamps on the latest ones and see if they correspond with your most recent attempt to make it work. If they do then you can get more detail about each denial by using the number on the right hand end of each line and feeding that into ausearch -a nnnn where nnnn is that number.
Alternatively, it might just be easier to copy (not move) them to a location that does have the correct context assigned to it - you can get a list of those by running semanage fcontext -l | grep cert_t. Personally I'd put them under /etc/pki/tls/certs/
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
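As an added example of the two checks TrevorH describes (this is not his code or anyone else's in the thread), the script below first tests whether a path would receive the cert_t label under the file-context rules, and then pulls the file denials for the openvpn process out of AVC audit records, which is what the aureport/ausearch steps above would show on a real host. Both the semanage fcontext -l output and the audit lines are constructed sample text embedded in the script so it runs offline without SELinux; on a live CentOS 7 box you would feed it the real output of semanage fcontext -l | grep cert_t and ausearch -m avc -ts recent instead. The rule patterns, paths, pids and timestamps in the samples are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline checks around the SELinux
# hint: (1) would a given path be labelled cert_t, (2) which file accesses did
# the openvpn process get denied. All sample data below is constructed.
set -eu

# Constructed sample of `semanage fcontext -l | grep cert_t`. The first column
# is an anchored extended regex; a real listing has more rows than this.
SAMPLE_FCONTEXT='/etc/pki(/.*)?                                     all files          system_u:object_r:cert_t:s0
/usr/share/ssl/certs(/.*)?                          all files          system_u:object_r:cert_t:s0'

# Constructed sample audit records in audit.log/ausearch form: one openvpn
# denial per cert file, one unrelated httpd denial, one non-AVC record.
SAMPLE_AUDIT='type=AVC msg=audit(1550849435.123:4711): avc:  denied  { read } for  pid=2345 comm="openvpn" name="ca.pem" dev="dm-0" ino=123456 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1550849435.123:4711): arch=c000003e syscall=2 success=no exit=-13 comm="openvpn" exe="/usr/sbin/openvpn"
type=AVC msg=audit(1550849435.130:4712): avc:  denied  { read } for  pid=2345 comm="openvpn" name="client-key.pem" dev="dm-0" ino=123457 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1550849500.001:4720): avc:  denied  { name_connect } for  pid=3001 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'

# Return 0 if the path matches one of the cert_t file-context rules, 1 if not.
# A file outside those trees inherits its directory's label (usr_t under
# /usr/local/etc), which a confined openvpn_t process is not allowed to read.
path_gets_cert_t() {
    path=$1
    printf '%s\n' "$SAMPLE_FCONTEXT" | (
        while read -r regex _rest; do
            printf '%s\n' "$path" | grep -Eq "^${regex}\$" && exit 0
        done
        exit 1
    )
}

# Print "<file name> <target type>" for every AVC denial in which comm="openvpn"
# was refused access to a file; other processes and non-AVC records are skipped.
openvpn_file_denials() {
    printf '%s\n' "$SAMPLE_AUDIT" | awk '
        /^type=AVC/ && /avc: +denied/ && /comm="openvpn"/ && /tclass=file/ {
            name = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            }
            print name, ttype
        }'
}

# Demo run: the path from the original post versus the one suggested above.
for f in /usr/local/etc/ssl/ca.pem /etc/pki/tls/certs/ca.pem; do
    if path_gets_cert_t "$f"; then
        echo "$f: would be labelled cert_t"
    else
        echo "$f: would NOT be labelled cert_t (copy it under /etc/pki/tls/certs and run restorecon)"
    fi
done
echo "openvpn file denials (name, target type):"
openvpn_file_denials
```

The target type printed next to each denied file is the quickest confirmation of the diagnosis: usr_t on a file that openvpn_t tried to open means the label, not the file contents, is what is blocking the TLS setup.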
-
- Posts: 6
- Joined: 2019/02/20 10:24:02
Re: CentOs 7 + OpenVPN + Ldap
I don't know how to create the .pem files...

TrevorH wrote: ↑2019/02/22 16:18:55
One possible reason for it not working could be the use of /usr/local/etc to store your SSL certs. This directory is unknown to selinux so the files there will probably have an incorrect label on them and selinux may be denying access to them. Run aureport -a to get a list of the denials and look at the timestamps on the latest ones and see if they correspond with your most recent attempt to make it work. If they do then you can get more detail about each denial by using the number on the right hand end of each line and feeding that into ausearch -a nnnn where nnnn is that number.
Alternatively, it might just be easier to copy (not move) them to a location that does have the correct context assigned to it - you can get a list of those by running semanage fcontext -l | grep cert_t. Personally I'd put them under /etc/pki/tls/certs/
Please help!
I only created the server.conf and the ldap.conf..
Please explain to me how to do this step by step..
Re: CentOs 7 + OpenVPN + Ldap
You mean you don't have the cert files that your config file points to at the moment?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
-
- Posts: 6
- Joined: 2019/02/20 10:24:02