
Ldap

The document describes how to configure the OpenVPN Access Server (OAS) to use LDAP for authentication. It provides details on two command line tools, sacli and confdba, that can be used to modify the OAS configuration database and enable the LDAP authentication module. It also lists and describes the various LDAP-related configuration settings that can be configured in the OAS.


OpenVPN Access Server LDAP notes
--------------------------------

These notes describe configuration of the OpenVPN Access Server (OAS) LDAP
module using command line tools.

OAS stores its configuration parameters in a key/value DB. There are two
methods provided for modifying this DB using command line tools:

(1) sacli -- this tool does not access the configuration DB directly but
    rather interacts with the OAS backend daemon API.

    First cd to /usr/local/openvpn_as/scripts

    To set KEY to VALUE:

        ./sacli --key KEY --value VALUE ConfigPut

    For example, to enable LDAP mode:

        ./sacli --key auth.module.type --value ldap ConfigPut

(2) confdba -- this tool directly writes configuration settings to the
    configuration database.

    First cd to /usr/local/openvpn_as/scripts

    To set KEY to VALUE:

        ./confdba --mod --key KEY --value VALUE

    For example, to enable LDAP mode:

        ./confdba --mod --key auth.module.type --value ldap

At the end of any sequence of changes to the configuration DB, make sure to
restart any OAS services affected by the change:

    ./sacli start

OpenVPN Access Server LDAP settings
-----------------------------------

auth.module.type (string) : must be set to "ldap" to enable the OAS LDAP module

auth.ldap.0.server.0.host (string) : primary LDAP server (DNS name or IP address)

auth.ldap.0.server.1.host (string, optional) : backup LDAP server

auth.ldap.0.bind_dn : distinguished name of the LDAP account that OAS will bind as, normally an Administrator account

auth.ldap.0.bind_pw : password for the account described by bind_dn

auth.ldap.0.name : friendly name for this set of LDAP servers

auth.ldap.0.users_base_dn : base DN used for user searches in the LDAP database

auth.ldap.0.uname_attr : LDAP attribute that holds the username; use "sAMAccountName" for Active Directory

auth.ldap.0.add_req : additional requirements -- an LDAP expression that must evaluate as true as a prerequisite for a user to be authenticated. For example, on Active Directory the following string would require that users are members of the Administrators group. Replace DC=myserver,DC=mycompany,DC=tld with the base DN of your LDAP server.

    &(memberOf=CN=Administrators,CN=Builtin,DC=myserver,DC=mycompany,DC=tld)

auth.ldap.0.referrals (integer, default=0) : corresponds to the OpenLDAP LDAP_OPT_REFERRALS setting -- determines whether OpenLDAP should implicitly chase referrals or not (0: don't follow, 1: follow)

auth.ldap.0.timeout (integer, default=5) : corresponds to the OpenLDAP LDAP_OPT_TIMEOUT and LDAP_OPT_NETWORK_TIMEOUT settings -- controls the number of seconds we will wait for a response from the LDAP server before failing over to the backup LDAP server.

auth.ldap.0.use_ssl (string, default="never") : controls whether the OAS connects to the LDAP server via SSL. The option should be one of these three values:

    1. never    : don't use SSL
    2. adaptive : try SSL, then fall back to cleartext if no response
    3. always   : always use SSL

auth.ldap.0.ssl_verify (string, default="never") : corresponds to the OpenLDAP LDAP_OPT_X_TLS_REQUIRE_CERT setting. When SSL is used, controls the extent to which we validate the SSL certificate of the LDAP server. The option should be one of these three values:

    1. never  -- no peer certificate is required
    2. allow  -- a peer certificate is requested; however, the session will not be aborted if the certificate cannot be validated
    3. demand -- a valid peer certificate is required, and the session will be aborted if one is not provided

auth.ldap.0.ssl_ca_cert (filename) : corresponds to the OpenLDAP LDAP_OPT_X_TLS_CACERTFILE setting. Specifies a CA certificate bundle to use for validating the LDAP server certificate.

auth.ldap.0.openldap_trace_level (integer, default=0) : corresponds to the OpenLDAP trace level. CAUTION: if this parameter is nonzero, OpenLDAP may output sensitive information (such as passwords) to the log file.

auth.ldap.0.debug_level (integer, default=0) : corresponds to the OpenLDAP LDAP_OPT_DEBUG_LEVEL setting. CAUTION: if this parameter is nonzero, OpenLDAP may output sensitive information (such as passwords) to the log file.
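Added example, not part of the OAS notes: a POSIX shell script that emits the sacli sequence for a configuration where use_ssl, ssl_verify and ssl_ca_cert are set rather than left at their cleartext defaults (a simple bind over plain LDAP sends bind_pw and user passwords unencrypted), plus an audit function that flags the settings a reviewer should check in a KEY VALUE dump. Hostnames, DNs, the CA path and the OAS_BIND_PW variable are constructed placeholders; the sacli syntax is the one the notes give.

```shell
# Added example (not from the OAS notes): emit sacli commands for a
# TLS-enforcing LDAP setup and audit a KEY VALUE dump for weak settings.
# Hostnames, DNs and the CA path are constructed placeholders.
SCRIPTS=/usr/local/openvpn_as/scripts
# Desired settings, one "KEY VALUE" pair per line (value may contain spaces).
ldap_settings() {
cat <<'EOF'
auth.module.type ldap
auth.ldap.0.name corp-ad
auth.ldap.0.server.0.host ldap1.example.test
auth.ldap.0.server.1.host ldap2.example.test
auth.ldap.0.bind_dn CN=oas-bind,OU=Service Accounts,DC=example,DC=test
auth.ldap.0.users_base_dn OU=Users,DC=example,DC=test
auth.ldap.0.uname_attr sAMAccountName
auth.ldap.0.add_req memberOf=CN=VPN Users,OU=Groups,DC=example,DC=test
auth.ldap.0.use_ssl always
auth.ldap.0.ssl_verify demand
auth.ldap.0.ssl_ca_cert /etc/ssl/certs/corp-ca.pem
auth.ldap.0.openldap_trace_level 0
auth.ldap.0.debug_level 0
EOF
}
# Print the sacli command sequence; bind_pw comes from the environment
# (OAS_BIND_PW, assumed) so the secret never sits in the script or history.
apply_cmds() {
    ldap_settings | while read -r key value; do
        printf "%s/sacli --key %s --value '%s' ConfigPut\n" "$SCRIPTS" "$key" "$value"
    done
    printf '%s/sacli --key auth.ldap.0.bind_pw --value "$OAS_BIND_PW" ConfigPut\n' "$SCRIPTS"
    printf '%s/sacli start\n' "$SCRIPTS"
}
# Audit "KEY VALUE" lines on stdin; exit status is the number of weak settings.
audit_ldap() {
    n=0
    while read -r key value; do
        case "$key" in
        auth.ldap.0.use_ssl) [ "$value" = always ] ||
            { echo "WEAK $key=$value: binds can go over cleartext LDAP"; n=$((n+1)); } ;;
        auth.ldap.0.ssl_verify) [ "$value" = demand ] ||
            { echo "WEAK $key=$value: server certificate not enforced"; n=$((n+1)); } ;;
        auth.ldap.0.openldap_trace_level|auth.ldap.0.debug_level) [ "$value" = 0 ] ||
            { echo "WEAK $key=$value: passwords may be written to the log"; n=$((n+1)); } ;;
        esac
    done
    return $n
}
```

Run `apply_cmds` to review the commands before executing them on the server, and feed a dump of the live keys to `audit_ldap` to confirm nothing fell back to the "never" defaults.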
