
I've googled all over the place but none of the pages I have come across include a step-by-step guide showing how to set this up. I'm not a Linux master (although I'm working hard to increase my knowledge of it), and I need to be walked through how to set this up.

I'm aware of things like openldap and what not, but I still need to see each step I need to complete during the entire process which I haven't been able to find.

If anybody can help out I'd greatly appreciate it.

Thanks!

Edit: Sorry, it is OpenBSD 4.3

andol
user49032

2 Answers


Below are my notes for authing OpenVPN off of AD via a RADIUS server. All of the instructions are based on Red Hat. It's been a while since I've done this but from what I remember you do this:

  1. Add PAM files

    • cd /location/of/openvpn-x.x._rcx/plugin/auth-pam
    • make
    • sudo cp openvpn-auth-pam.so /etc/openvpn/
    • sudo cp openvpn-auth-pam.so /lib/security
    • Download the pam_radius_auth pam module (will have to edit the .spec file to point to what raddb folder/file and then compile it)
    • cp the new pam_radius_auth module to /lib/security/
  2. vi /etc/raddb/server

    • radius_server1_ip radius_server1_secret
    • radius_server2_ip radius_server2_secret (if you want redundant servers)
    • Configure what groups you want to be able to access it via AD and the RADIUS setup
  3. vi /etc/pam.d/openvpn-auth

    • auth required /lib/security/pam_radius_auth.so debug
    • account sufficient /lib/security/pam_permit.so
    • session sufficient /lib/security/pam_permit.so
  4. Install the PAM modules

    • vi server.conf
    • plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpn-auth

Things may have changed a little bit since I've done it but this should at least get you going in the right direction.

  • When did OpenBSD start using PAM? – andol Jul 22 '10 at 14:06
  • Here's direction for the same thing on FreeBSD (not quite the same as OpenBSD, but close): http://blog.hongens.nl/guides/setting-up-openvpn-using-radius-on-freebsd/ – Chris S Jul 22 '10 at 15:29

Sounds like you plan to authenticate based on username and password?

The last time I had to set up something similar I used the auth-user-pass-verify option. It tells OpenVPN to pass along the incoming username and password to a custom script, to then grant or deny access based on the return code from the script.

This is a pretty convenient solution, as you generally can expect your scripting language of choice to have a good set of modules for various kinds of authentication. It is also a very flexible solution in defining the authentication criteria.

Assuming that the Windows domain is an Active Directory perhaps you might want to base your script on a simplified Kerberos auth module? After all, the only response you need is a true or a false.

In any case the auth-user-pass-verify option is pretty well documented in the openvpn(8) man page.

andol