CentOs 7 + OpenVPN + Ldap

choakumchild
Posts: 6
Joined: 2019/02/20 10:24:02

CentOs 7 + OpenVPN + Ldap

Post by choakumchild » 2019/02/20 10:28:47

I have a problem when I try to authenticate from Windows 10 to the VPN: it asks for the AD user, but doesn't make a connection...

I configured /etc/openvpn/server.conf and ldap.conf... But there is something I'm missing, which I don't know how to do..

In the LDAP.conf file there is:


# Enable Start TLS
TLSEnable no #yes

# Follow LDAP Referrals (anonymously)
FollowReferrals yes

# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem

# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs

# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem

Do I have to install anything to do this auth with TLS? How do I create ca.pem, client-cert.pem and client-key.pem??

I guess that is the only thing I'm missing..

Can someone help me?

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: CentOs 7 + OpenVPN + Ldap

Post by chemal » 2019/02/20 16:40:16

My /etc/openvpn/auth/ldap.conf looks quite different:


<LDAP>
        URL             ldapi:///var/run/ldapi
        BindDN          uid=xxx,ou=System-User,dc=localhost
        Password        xxxxxxxxxxxxxxxxxxxxxx
        Timeout         15
        TLSEnable       no
        FollowReferrals no
</LDAP>

<Authorization>
        BaseDN          "ou=People,dc=localhost"
        SearchFilter    "(uid=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "ou=Groups,dc=localhost"
                SearchFilter    "(cn=xxx)"
                MemberAttribute uniqueMember
        </Group>
</Authorization>
Which probably means you didn't even get the syntax right?
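An added example, not from chemal or the original poster: the same ldap.conf shape adapted for Active Directory, written out by a small shell script together with a lint for the settings that commonly break it. Every host name, DN, group name and the CA file path are placeholders. Two points the thread does not spell out: in openvpn-auth-ldap, TLSEnable yes means StartTLS on an ldap:// connection, while an ldaps:// URL uses TLS from the first byte, so the two are alternatives and stacking them fails; and TLSCACertFile has to be the CA that issued the domain controller's LDAPS certificate, not something generated locally. The lint flags a plaintext bind to a remote host (the original poster's TLSEnable no against AD means the service account password and every VPN user's password cross the network in clear), StartTLS on top of ldaps://, and TLS with no CA file.

```shell
#!/bin/sh
# Added example (not from the thread): write an AD-oriented
# openvpn-auth-ldap ldap.conf and lint it for settings that commonly
# break authentication or leak credentials.  Every DN, host and group
# name below is a placeholder.

# write_ldap_conf PATH URL TLSENABLE
write_ldap_conf() {
  cat > "$1" <<EOF
<LDAP>
        URL             $2
        BindDN          "CN=svc-openvpn,OU=Service Accounts,DC=example,DC=com"
        Password        "change-me"
        Timeout         15
        # TLSEnable yes = StartTLS on an ldap:// URL; keep it "no" with ldaps://
        TLSEnable       $3
        FollowReferrals no
        # must be the CA that signed the domain controller's LDAPS certificate
        TLSCACertFile   /etc/pki/tls/certs/ad-ca.pem
</LDAP>

<Authorization>
        BaseDN          "OU=Users,DC=example,DC=com"
        SearchFilter    "(sAMAccountName=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "OU=Groups,DC=example,DC=com"
                SearchFilter    "(cn=vpn-users)"
                MemberAttribute member
        </Group>
</Authorization>
EOF
}

# conf_value FILE KEY: first value for KEY; a trailing "# comment" is ignored
conf_value() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# lint_ldap_conf FILE: print findings, return 0 if the config is acceptable
lint_ldap_conf() {
  conf=$1 rc=0
  url=$(conf_value "$conf" URL)
  tls=$(conf_value "$conf" TLSEnable)
  cafile=$(conf_value "$conf" TLSCACertFile)
  scheme=${url%%:*}
  host=${url#*://}; host=${host%%/*}; host=${host%%:*}
  case "$scheme" in
    ldapi) ;;                      # unix socket: local only, no TLS needed
    ldaps)
      if [ "$tls" = yes ]; then
        echo "TLSEnable yes together with ldaps://: StartTLS on a port that already speaks TLS fails"; rc=1
      fi ;;
    ldap)
      if [ "$tls" != yes ] && [ "$host" != localhost ] && [ "$host" != 127.0.0.1 ]; then
        echo "plaintext LDAP to $host: the bind password and every VPN user's password cross the wire unencrypted"; rc=1
      fi ;;
    *) echo "unrecognised URL: $url"; rc=1 ;;
  esac
  if [ "$scheme" = ldaps ] || [ "$tls" = yes ]; then
    if [ -z "$cafile" ]; then
      echo "TLS in use but no TLSCACertFile: the server certificate is never verified"; rc=1
    elif [ ! -r "$cafile" ]; then
      echo "note: TLSCACertFile $cafile is not readable here (check the path and its SELinux label with ls -Z)"
    fi
  fi
  return $rc
}

# Usage: sh lint-ldap-conf.sh /etc/openvpn/auth/ldap.conf
if [ -n "${1:-}" ]; then
  lint_ldap_conf "$1"
fi
```

Because ldap.conf carries the bind password, keep it root-owned with mode 0600; the service account it names only needs read access to the user and group OUs, nothing more.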

choakumchild
Posts: 6
Joined: 2019/02/20 10:24:02

Re: CentOs 7 + OpenVPN + Ldap

Post by choakumchild » 2019/02/22 12:08:31

You have no TLS auth??

choakumchild
Posts: 6
Joined: 2019/02/20 10:24:02

Re: CentOs 7 + OpenVPN + Ldap

Post by choakumchild » 2019/02/22 15:02:56

chemal wrote:
2019/02/20 16:40:16
My /etc/openvpn/auth/ldap.conf looks quite different:


<LDAP>
        URL             ldapi:///var/run/ldapi
        BindDN          uid=xxx,ou=System-User,dc=localhost
        Password        xxxxxxxxxxxxxxxxxxxxxx
        Timeout         15
        TLSEnable       no
        FollowReferrals no
</LDAP>

<Authorization>
        BaseDN          "ou=People,dc=localhost"
        SearchFilter    "(uid=%u)"
        RequireGroup    true
        <Group>
                BaseDN          "ou=Groups,dc=localhost"
                SearchFilter    "(cn=xxx)"
                MemberAttribute uniqueMember
        </Group>
</Authorization>
Which probably means you didn't even get the syntax right?
This doesn't work...

Can you explain how you authenticate against AD??
A file like yours doesn't work...

chemal
Posts: 776
Joined: 2013/12/08 19:44:49

Re: CentOs 7 + OpenVPN + Ldap

Post by chemal » 2019/02/22 15:47:58

This is a complete example of a working configuration for openvpn-auth-ldap. Of course, it won't work unmodified for you.

If you need encryption, you'd better add it after you have it working without encryption.

choakumchild
Posts: 6
Joined: 2019/02/20 10:24:02

Re: CentOs 7 + OpenVPN + Ldap

Post by choakumchild » 2019/02/22 15:56:46

chemal wrote:
2019/02/22 15:47:58
This is a complete example of a working configuration for openvpn-auth-ldap. Of course, it won't work unmodified for you.

If you need encryption, you'd better add it after you have it working without encryption.
But how do I do that??

I created a file like yours and it doesn't work...

Can you explain step by step?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOs 7 + OpenVPN + Ldap

Post by TrevorH » 2019/02/22 16:18:55

One possible reason for it not working could be the use of /usr/local/etc to store your SSL certs. This directory is unknown to SELinux so the files there will probably have an incorrect label on them and SELinux may be denying access to them. Run aureport -a to get a list of the denials and look at the timestamps on the latest ones and see if they correspond with your most recent attempt to make it work. If they do then you can get more detail about each denial by using the number on the right hand end of each line and feeding that into ausearch -a nnnn where nnnn is that number.

Alternatively, it might just be easier to copy (not move) them to a location that does have the correct context assigned to it - you can get a list of those by running semanage fcontext -l | grep cert_t. Personally I'd put them under /etc/pki/tls/certs/
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

choakumchild
Posts: 6
Joined: 2019/02/20 10:24:02

Re: CentOs 7 + OpenVPN + Ldap

Post by choakumchild » 2019/02/22 16:25:47

TrevorH wrote:
2019/02/22 16:18:55
One possible reason for it not working could be the use of /usr/local/etc to store your SSL certs. This directory is unknown to SELinux so the files there will probably have an incorrect label on them and SELinux may be denying access to them. Run aureport -a to get a list of the denials and look at the timestamps on the latest ones and see if they correspond with your most recent attempt to make it work. If they do then you can get more detail about each denial by using the number on the right hand end of each line and feeding that into ausearch -a nnnn where nnnn is that number.

Alternatively, it might just be easier to copy (not move) them to a location that does have the correct context assigned to it - you can get a list of those by running semanage fcontext -l | grep cert_t. Personally I'd put them under /etc/pki/tls/certs/
I don't know how to create the .pem files...

Please help!

I only created server.conf and ldap.conf..

Please explain to me how to do this step by step..

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOs 7 + OpenVPN + Ldap

Post by TrevorH » 2019/02/22 17:06:00

You mean you don't have the cert files that your config file points to at the moment?

choakumchild
Posts: 6
Joined: 2019/02/20 10:24:02

Re: CentOs 7 + OpenVPN + Ldap

Post by choakumchild » 2019/02/28 14:43:41

TrevorH wrote:
2019/02/22 17:06:00
You mean you don't have the cert files that your config file points to at the moment?
No, I haven't... How can I create these .pem files?? Do I need to create a local CA??
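An added example answering that last question; it is not a reply from anyone in the thread. It builds a lab CA with openssl and issues the client certificate and key under the three file names the original poster's ldap.conf points at, then checks that the pieces fit together. The directory, subject names and lifetimes are placeholders. One caveat the thread does not reach: against Active Directory, ca.pem normally has to be the certificate of the CA that issued the domain controller's LDAPS certificate, obtained from the domain (the chain the DC presents can be seen with openssl s_client -connect dc:636 -showcerts), and a CA generated on the VPN box will not verify the DC; TLSCertFile and TLSKeyFile are only needed if the directory server requires TLS client authentication, which AD usually does not. The script is therefore for a lab, or for an OpenLDAP server whose trust anchor you control.

```shell
#!/bin/sh
# Added example (not from the thread): build a lab CA and a client
# certificate/key pair with openssl, under the file names used in the
# original poster's ldap.conf, and check that they belong together.
# Directory, subject names and lifetimes are placeholders.
set -eu

# make_lab_ca_and_client DIR: writes ca.pem, ca-key.pem, client-cert.pem, client-key.pem into DIR
make_lab_ca_and_client() {
  dir=$1
  mkdir -p "$dir"
  # openssl req config for the CA: non-interactive DN plus CA extensions
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Lab VPN-LDAP CA
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
EOF
  # extensions for the leaf: not a CA, usable only for TLS client auth
  cat > "$dir/client.ext" <<'EOF'
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  # 1. self-signed CA certificate and key
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  # 2. client key and CSR (-subj overrides the DN in ca.cnf; the config is reused only to stay non-interactive)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
    -subj "/CN=openvpn-ldap-client" -keyout "$dir/client-key.pem" -out "$dir/client.csr" 2>/dev/null
  # 3. sign the CSR with the CA, applying the leaf extensions
  openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/client.ext" -out "$dir/client-cert.pem" 2>/dev/null
  chmod 600 "$dir/ca-key.pem" "$dir/client-key.pem"
  rm -f "$dir/client.csr"
}

# check_chain CAFILE CERT: 0 if CERT verifies against CAFILE
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_pair CERT KEY: 0 if KEY's public half is the one inside CERT
check_pair() {
  a=$(openssl x509 -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ]
}

# Usage: sh make-lab-certs.sh /root/lab-pki
if [ -n "${1:-}" ]; then
  make_lab_ca_and_client "$1"
  if check_chain "$1/ca.pem" "$1/client-cert.pem" && check_pair "$1/client-cert.pem" "$1/client-key.pem"; then
    echo "ok: $1/ca.pem, client-cert.pem and client-key.pem created and consistent"
  else
    echo "certificate/key mismatch in $1" >&2
    exit 1
  fi
fi
```

To follow TrevorH's point about SELinux, copy ca.pem and client-cert.pem under /etc/pki/tls/certs/ and client-key.pem under /etc/pki/tls/private/, run restorecon -v on them so they pick up the cert_t label, and point TLSCACertFile, TLSCertFile and TLSKeyFile in ldap.conf at those paths rather than at /usr/local/etc/ssl.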
