LinuxQuestions.org
Old 09-15-2009, 11:30 PM   #1
deibertine
OpenLDAP integration with OpenVPN
I'm planning to install openLDAP in our network so as to have a single sign-on feature for all our internal apps.

I do however have openvpn already setup in the network.

Is it possible to integrate openVPN with openLDAP?

If so, how can this be done?

Will openLDAP allow me to auto-populate my user credentials coming from openVPN's records?

Any help is much appreciated.

Cheers!
DB
Old 09-16-2009, 11:16 AM   #2
Meson
Well, there is this: http://code.google.com/p/openvpn-auth-ldap/

I'm not exactly sure how OpenVPN works, but if you can use PAM for authentication/authorization, then you can use OpenLDAP.
Old 09-21-2009, 04:34 PM   #3
deibertine
Quote: Originally Posted by Meson
Well, there is this: http://code.google.com/p/openvpn-auth-ldap/

I'm not exactly sure how OpenVPN works, but if you can use PAM for authentication/authorization, then you can use OpenLDAP.
Before I go further, I need to know how to populate or create my database with my users' credentials in order to test whether authentication works.

I have followed the docs posted on openLDAP but have no clue how I can create users within LDAP and test whether it works...

I was hoping to populate this by copying whatever's in my openVPN, but if I need to do it from scratch, then that's fine as well.

Please advise.
Old 09-21-2009, 07:13 PM   #4
Meson
Quote: Originally Posted by deibertine
I have followed the docs posted on openLDAP but have no clue how I can create users within LDAP and test whether it works...
Have you used OpenLDAP before? It's extremely flexible. You can pretty much do whatever you want to "create" a user. That being said, there are certain objectclasses which are helpful. I think posixAccount and the userPassword attribute might be nice =). Make sure you choose a secure hashing method for the password; see SSHA at http://www.openldap.org/doc/admin24/...word%20Storage.
Old 09-22-2009, 12:38 AM   #5
deibertine
Quote: Originally Posted by Meson
Have you used OpenLDAP before? It's extremely flexible. You can pretty much do whatever you want to "create" a user. That being said, there are certain objectclasses which are helpful. I think posixAccount and the userPassword attribute might be nice =). Make sure you choose a secure hashing method for the password; see SSHA at http://www.openldap.org/doc/admin24/...word%20Storage.
No this would be the first time configuring/implementing openLDAP for me. :-(

So on the openLDAP server I can pretty much add my ldap users by using the basic "useradd" command?
i.e. ldapserver# useradd ldapuser1

How do I tell to use openLDAP so the user "ldapuser1" can authenticate throughout our network servers/services?

I've read the documentation and it got me confused, since it doesn't really explain how it works from a user perspective (logging in, authenticating, etc.)... I know in a Windows domain it authenticates as part of an AD structure, but how does it work with openLDAP?

DB
Old 09-22-2009, 01:33 AM   #6
chrism01
This is a really good howto on OpenLDAP http://www.linuxhomenetworking.com/w...DAP_and_RADIUS

Another article http://www.linuxtopia.org/online_boo...monsutils.html


Both those 'books' also cover VPNs.
HTH
Old 09-22-2009, 02:29 AM   #7
Meson
Quote: Originally Posted by deibertine
i.e. ldapserver# useradd ldapuser1
That is a whole 'nother can of worms. I think you want native LDAP users, not system users.
Old 09-22-2009, 12:51 PM   #8
deibertine
Quote: Originally Posted by Meson
That is a whole 'nother can of worms. I think you want native LDAP users, not system users.
OK, so how do I populate users so that they are recognized in my openLDAP?

Please advise.

Thanks!
Old 09-22-2009, 03:11 PM   #9
Meson
I'm sorry, I don't remember all of the schema off the top of my head. I haven't played around with ldap in a while and I don't currently have a running ldap server to toy with. I can suggest Apache Directory Studio though. It's a GUI and will connect to an OpenLDAP server. I found it to be a lot of help when I was first learning. Also, the guys in #openldap (and #ldap) on freenode are very helpful.

You can create a users dn in your tree and start by seeing how your root/admin account is setup.
Old 09-22-2009, 10:47 PM   #10
deibertine
Quote: Originally Posted by chrism01
This is a really good howto on OpenLDAP http://www.linuxhomenetworking.com/w...DAP_and_RADIUS

Another article http://www.linuxtopia.org/online_boo...monsutils.html


Both those 'books' also cover VPNs.
HTH
Thanks for the post/links.
I followed the instructions and used the migration tools available.

However, I got these script errors after running this command: /usr/share/openldap/migration/migrate_all_offline.sh

Creating naming context entries...
Migrating aliases...
Migrating groups...
Migrating hosts...
Migrating networks...
Migrating users...
Migrating protocols...
Migrating rpcs...
Migrating services...
Migrating netgroups...
Importing into LDAP...
Migrating netgroups (by user)...
Migrating netgroups (by host)...
Preparing LDAP database...
/etc/ldap/slapd.conf: line 107: rootdn is always granted unlimited privileges.
/etc/ldap/slapd.conf: line 124: rootdn is always granted unlimited privileges.
hdb_db_open: database "dc=nodomain": unclean shutdown detected; attempting recovery.
bdb(dc=nodomain): Ignoring log file: /var/lib/ldap/log.0000000001: unsupported log version 14
bdb(dc=nodomain): Invalid log file: log.0000000001: Invalid argument
bdb(dc=nodomain): PANIC: Invalid argument
bdb(dc=nodomain): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
hdb_db_open: database "dc=nodomain" cannot be recovered, err -30978. Restore from backup!
bdb(dc=nodomain): txn_checkpoint interface requires an environment configured for the transaction subsystem
bdb_db_close: database "dc=nodomain": txn_checkpoint failed: Invalid argument (22).
backend_startup_one: bi_db_open failed! (-30978)
slap_startup failed
Migration failed: saving failed LDIF to /tmp/nis.7022.ldif