Plugin installation
yum install openvpn-auth-ldap
Server Config
> vim /etc/openvpn/server.conf
...
## Location of the module OpenVPN uses by default for PAM authentication
#plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
# LDAP plugin configuration
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/ad.conf
# Clients no longer present a certificate: only the LDAP password and the tls-auth key gate access.
# Deprecated in OpenVPN 2.4 and removed in 2.5, where the equivalent is "verify-client-cert none".
client-cert-not-required
username-as-common-name
auth-nocache
LDAP settings for AD integration
- URL ldap://<ad server ip>:389 : IP of the LDAP or AD server
- BindDN "<ad account>@<ad domain>" : AD account used to search the directory (use a dedicated read-only bind account; it does not need to be an administrator)
- Password "<ad account password>" : password of that bind account (it sits in clear text in this file, so restrict the file's permissions)
- SearchFilter "(|(cn=<group name>))" : the AD security group whose members are allowed to authenticate (a group, not an OU: the check reads the group's member attribute)
<LDAP>
# LDAP server URL
URL ldap://<ad server ip>:389
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN "administrator@test.com"
BindDN "<ad account>@<ad domain>"
# Bind Password
# Password of the BindDN account
Password "<ad account password>"
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
# TLS not used here. With ldap://...:389 and TLSEnable no, the bind password and every VPN user's
# password cross the network in clear text; set this to yes (StartTLS) and point TLSCACertFile at the AD CA.
TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals no
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
</LDAP>
<Authorization>
# Base DN
BaseDN "DC=test,DC=com"
# User Search Filter
#SearchFilter "(&(uid=%u)(accountStatus=active))"
SearchFilter "(&(sAMAccountName=%u))"
# Require Group Membership
RequireGroup true
<Group>
BaseDN "DC=test,DC=com"
# AD security group the user must belong to (matched by cn; an OU has no member attribute)
SearchFilter "(|(cn=<group name>))"
#SearchFilter "(|(cn=SE))"
# Attribute of the group object that lists member DNs
MemberAttribute "member"
</Group>
</Authorization>
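To see what these two filters do with a login, here is an added example (not code from the post or from the openvpn-auth-ldap project) that emulates the lookup against a constructed directory: the user search with %u substituted into SearchFilter, then the <Group> membership check on the member attribute. It also shows why the substituted username must be escaped as RFC 4515 requires. The DN layout, the group name vpn-users, the "first result wins" rule and the escaping function are this example's assumptions, not documented plugin behaviour, so check what your plugin build does with %u.

```python
"""Emulate the two lookups /etc/openvpn/ad.conf drives: the user search
with %u substituted into SearchFilter, then the <Group> membership check
against the group's member attribute.

Added example, not code from the openvpn-auth-ldap project. The directory
below is constructed; DN layout, group name and the "first match wins"
rule are assumptions of this example, not documented plugin behaviour.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a username before it is spliced into an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Parse the filter subset the page uses: (attr=value), (&...), (|...)."""
    def node(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at {i}")
        i += 1
        if text[i] in "&|":
            op, i, parts = text[i], i + 1, []
            while text[i] == "(":
                child, i = node(i)
                parts.append(child)
            if text[i] != ")":
                raise ValueError(f"expected ')' at {i}")
            return (op, parts), i + 1
        end = text.index(")", i)
        attr, _, raw = text[i:end].partition("=")
        if raw == "*":                      # presence filter: any value matches
            return ("present", attr), end + 1
        return ("=", attr, _unescape(raw)), end + 1

    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry) -> bool:
    """Evaluate a parsed filter against one directory entry."""
    kind = tree[0]
    if kind == "&":
        return all(matches(t, entry) for t in tree[1])
    if kind == "|":
        return any(matches(t, entry) for t in tree[1])
    values = entry.get(tree[1], [])
    if kind == "present":
        return bool(values)
    return any(v.lower() == tree[2].lower() for v in values)  # AD values compare case-insensitively


def render_user_filter(template: str, username: str, escape: bool = True) -> str:
    """Substitute %u; escape=False shows what naive substitution produces."""
    value = escape_filter_value(username) if escape else username
    return template.replace("%u", value)


def authorize(directory, username, user_filter, group_filter, member_attr="member", escape=True):
    """Return the DN the plugin would go on to bind as, or None if lookup or group check fails."""
    user_tree = parse_filter(render_user_filter(user_filter, username, escape))
    users = [e for e in directory if matches(user_tree, e)]
    if not users:
        return None
    user_dn = users[0]["dn"]                # assumption: first result wins
    group_tree = parse_filter(group_filter)
    for group in directory:
        if matches(group_tree, group) and user_dn in group.get(member_attr, []):
            return user_dn
    return None


# Constructed directory: two users, one VPN group containing only client1.
CLIENT1_DN = "CN=client1,CN=Users,DC=test,DC=com"
DIRECTORY = [
    {"dn": CLIENT1_DN, "objectClass": ["user"], "sAMAccountName": ["client1"]},
    {"dn": "CN=admin,CN=Users,DC=test,DC=com", "objectClass": ["user"], "sAMAccountName": ["admin"]},
    {"dn": "CN=vpn-users,CN=Users,DC=test,DC=com", "objectClass": ["group"],
     "cn": ["vpn-users"], "member": [CLIENT1_DN]},
]
USER_FILTER = "(&(sAMAccountName=%u))"     # from ad.conf
GROUP_FILTER = "(|(cn=vpn-users))"         # the <Group> SearchFilter with an assumed group name

if __name__ == "__main__":
    print(authorize(DIRECTORY, "client1", USER_FILTER, GROUP_FILTER))              # client1's DN
    print(authorize(DIRECTORY, "admin", USER_FILTER, GROUP_FILTER))                # None: not a member
    print(authorize(DIRECTORY, "*", USER_FILTER, GROUP_FILTER))                    # None: '*' escaped to \2a
    print(authorize(DIRECTORY, "*", USER_FILTER, GROUP_FILTER, escape=False))      # client1's DN: wildcard hijacks the lookup
```

The unescaped run shows that a login name of `*` turns the user search into a presence filter that matches every account, so the lookup lands on whichever entry the server returns first. The bind with that DN and the attacker's password would still have to succeed, but the attacker now steers which DN is tried and can probe the directory through the filter, which is why the substituted value has to be escaped.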
Client .OVPN
client
remote <openvpn server ip or domain>
proto tcp
dev tun
port <openvpn bind port>
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
tls-client
key-direction 1
auth SHA512
cipher AES-256-CBC
# comp-lzo is deprecated and OpenVPN advises against compression on the tunnel (VORACLE); change it only together with the server setting
comp-lzo
# Obsolete nsCertType check, removed in OpenVPN 2.5; "remote-cert-tls server" is the current equivalent
ns-cert-type server
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
# client-cert-not-required is a server-side directive and is not needed in the client profile
auth-user-pass
Checking the log
...
# openvpn-auth-ldap plugin call (status=0 means the plugin accepted the credentials)
<client ip>:<client port> PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
# Authentication succeeded
<client ip>:<client port> TLS: Username/Password authentication succeeded for username 'client1' [CN SET]
<client ip>:<client port> Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
...
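The lines above show one successful login. As an added example, not part of the original post, the script below pulls the PLUGIN_CALL status and the succeeded/failed authentication lines out of OpenVPN server log lines and flags source IPs with repeated failures, which is what a password-guessing run against the LDAP bind looks like in this log. The log lines are constructed in the format shown above with OpenVPN's usual timestamp prefix; the "TLS Auth Error: Auth Username/Password verification failed for peer" line and the cut-off of three failures are assumptions to compare against your own server's output.

```python
"""Summarize OpenVPN username/password authentication outcomes per source IP.

Added example, not code from the original post. SAMPLE_LOG is constructed;
the failure-line wording and the threshold are assumptions.
"""
import re
from collections import defaultdict

PEER = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
# Plugin result: status=0 means the LDAP bind and group check passed.
RE_PLUGIN = re.compile(PEER + r" PLUGIN_CALL: POST \S+/PLUGIN_AUTH_USER_PASS_VERIFY status=(?P<status>\d+)")
RE_OK = re.compile(PEER + r" TLS: Username/Password authentication succeeded for username '(?P<user>[^']*)'")
# Assumed failure line; verify the wording against your OpenVPN version.
RE_FAIL = re.compile(PEER + r" TLS Auth Error: Auth Username/Password verification failed for peer")


def summarize(lines):
    """Return per-IP counters: plugin results, usernames that logged in, failed attempts."""
    stats = defaultdict(lambda: {"plugin_ok": 0, "plugin_fail": 0, "succeeded": [], "failed": 0})
    for line in lines:
        if m := RE_PLUGIN.search(line):
            stats[m["ip"]]["plugin_ok" if m["status"] == "0" else "plugin_fail"] += 1
        elif m := RE_OK.search(line):
            stats[m["ip"]]["succeeded"].append(m["user"])
        elif m := RE_FAIL.search(line):
            stats[m["ip"]]["failed"] += 1
    return dict(stats)


def suspicious_sources(stats, threshold=3):
    """IPs with at least `threshold` failed password checks (assumed cut-off)."""
    return sorted(ip for ip, s in stats.items() if s["failed"] >= threshold)


# Constructed log excerpt: one good login, one source guessing three times, one stray failure.
PLUGIN = "/usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY"
SAMPLE_LOG = [
    f"Thu Aug 11 10:00:01 2022 203.0.113.10:51234 PLUGIN_CALL: POST {PLUGIN} status=0",
    "Thu Aug 11 10:00:01 2022 203.0.113.10:51234 TLS: Username/Password authentication succeeded for username 'client1' [CN SET]",
    "Thu Aug 11 10:00:01 2022 203.0.113.10:51234 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384",
    f"Thu Aug 11 10:05:12 2022 198.51.100.7:40001 PLUGIN_CALL: POST {PLUGIN} status=1",
    "Thu Aug 11 10:05:12 2022 198.51.100.7:40001 TLS Auth Error: Auth Username/Password verification failed for peer",
    f"Thu Aug 11 10:05:19 2022 198.51.100.7:40002 PLUGIN_CALL: POST {PLUGIN} status=1",
    "Thu Aug 11 10:05:19 2022 198.51.100.7:40002 TLS Auth Error: Auth Username/Password verification failed for peer",
    f"Thu Aug 11 10:05:27 2022 198.51.100.7:40003 PLUGIN_CALL: POST {PLUGIN} status=1",
    "Thu Aug 11 10:05:27 2022 198.51.100.7:40003 TLS Auth Error: Auth Username/Password verification failed for peer",
    f"Thu Aug 11 10:09:40 2022 192.0.2.5:33000 PLUGIN_CALL: POST {PLUGIN} status=1",
    "Thu Aug 11 10:09:40 2022 192.0.2.5:33000 TLS Auth Error: Auth Username/Password verification failed for peer",
]

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(ip, s)
    print("suspicious:", suspicious_sources(stats))
```

Because the password check happens inside the plugin, the PLUGIN_CALL status line and the TLS auth line should agree for every attempt; a source with many status=1 results and no success is the one to rate-limit or block in front of the OpenVPN port.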