For the OpenLDAP deployment itself, see my earlier post: "OpenLDAP + phpLDAPadmin + nginx setup and deployment tutorial (complete edition)" on rockstics's CSDN blog.
Here we create users and user groups from the phpLDAPadmin web UI, with no need to write complicated LDIF files.
1. Create the user first. It can either be imported from an LDIF file or created directly in the web UI: under ou=People click "Create new entry" --> "Default" --> for ObjectClasses choose "inetOrgPerson" --> "Proceed".
For the RDN choose cn or uid. Among the attributes only the required ones marked with * have to be filled in; everything else, including the entry's ObjectClasses, can be changed later as needed.
Then click "Create Object" --> "Commit".
2. Create the user group.
For ObjectClasses choose "groupOfUniqueNames" and click "Proceed". (I kept trying posixGroup before this, but I never managed to get it working as an OpenVPN user group.)
For the RDN choose cn, then click the search button on the right and pick the users created earlier.
Create and commit, then refresh and open the group you just created.
Check the group you created (run on the LDAP server; a groupOfUniqueNames entry stores its members as full DNs in uniqueMember, which is the attribute requested here):
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "ou=Group,dc=rockstics,dc=com" cn=testgroup uniqueMember
3. Configure LDAP authentication in OpenVPN
yum install openvpn-auth-ldap -y
echo "client-cert-not-required" >> /etc/openvpn/server.conf
echo 'plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf uid=%u" ' >> /etc/openvpn/server.conf
Then edit the plugin configuration file:
vim /etc/openvpn/auth/ldap.conf
<LDAP>
# LDAP server URL
URL ldap://192.168.1.119:389
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN cn=admin,dc=rockstics,dc=com
# Bind Password
Password yourpassword
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable no
# Follow LDAP Referrals (anonymously)
FollowReferrals no
# TLS CA Certificate File
#TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
#TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
#TLSCertFile /usr/local/etc/ssl/client-cert.pem
#TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=People,dc=rockstics,dc=com"
#BaseDN "ou=Group,dc=rockstics,dc=com"
# User Search Filter
#SearchFilter "(cn=%u)"
#SearchFilter "(&(sAMAccountName=%u)(memberof=CN=opstest,OU=yunwei,OU=Group,DC=rockstics,DC=com)"
SearchFilter "(uid=%u)"
# Require Group Membership
RequireGroup true
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "ou=Group,dc=rockstics,dc=com"
SearchFilter "(cn=testgroup)"
MemberAttribute uniqueMember
#MemberAttribute memberUid
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
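The Group section above is where the posixGroup attempt from step 2 went wrong, so here is a small Python model of the check the plugin performs with these settings: locate the user under the People BaseDN with SearchFilter, bind as that DN with the password OpenVPN received, and, because RequireGroup is true, require the user's DN to appear in MemberAttribute of a group matched by the Group SearchFilter. This is added example code, not the openvpn-auth-ldap plugin's code; the directory entries, user names (alice, bob), the posixtest group and the password_ok flag are all constructed stand-ins, and no LDAP server is contacted.

```python
import re

# Constructed in-memory directory mirroring the tree used in this post
# (dc=rockstics,dc=com). It only models the user-then-group check that the
# <Authorization> settings describe; nothing here talks to a real server.
DIRECTORY = {
    "uid=alice,ou=People,dc=rockstics,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"],
        "cn": ["Alice Example"], "sn": ["Example"]},
    "uid=bob,ou=People,dc=rockstics,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"],
        "cn": ["Bob Example"], "sn": ["Example"]},
    # groupOfUniqueNames (what the post uses): members are full DNs.
    "cn=testgroup,ou=Group,dc=rockstics,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["testgroup"],
        "uniqueMember": ["uid=alice,ou=People,dc=rockstics,dc=com"]},
    # posixGroup (the attempt the post reports as failing): members are bare uids.
    "cn=posixtest,ou=Group,dc=rockstics,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["posixtest"],
        "gidNumber": ["10001"], "memberUid": ["alice"]},
}

# The <Authorization> values from ldap.conf, as a dict.
CONFIG = {
    "user_base": "ou=People,dc=rockstics,dc=com",
    "user_filter": "(uid=%u)",
    "require_group": True,
    "group_base": "ou=Group,dc=rockstics,dc=com",
    "group_filter": "(cn=testgroup)",
    "member_attribute": "uniqueMember",
}

# Only the single-equality filters used in this post are modelled. Values that
# carry filter metacharacters are rejected so that a crafted OpenVPN username
# cannot rewrite the filter after %u substitution (defensive check in this model).
_SIMPLE_FILTER = re.compile(r"\((\w+)=([^()*\\\x00]+)\)")

def parse_filter(flt):
    m = _SIMPLE_FILTER.fullmatch(flt)
    if not m:
        raise ValueError("unsupported or unsafe filter: %r" % flt)
    return m.group(1), m.group(2)

def normalize_dn(dn):
    # Enough DN normalisation for the comparison below: case-insensitive,
    # no whitespace around the RDN separators.
    return ",".join(part.strip().lower() for part in dn.split(","))

def search(base_dn, attr, value):
    """DNs at or under base_dn whose attr holds value (case-insensitive)."""
    base = normalize_dn(base_dn)
    hits = []
    for dn, entry in DIRECTORY.items():
        ndn = normalize_dn(dn)
        if ndn != base and not ndn.endswith("," + base):
            continue
        if any(v.lower() == value.lower() for v in entry.get(attr, [])):
            hits.append(dn)
    return hits

def authorize(username, password_ok, config=CONFIG):
    """Return (allowed, reason). password_ok stands in for the outcome of
    binding as the located user DN with the password OpenVPN received."""
    attr, value = parse_filter(config["user_filter"].replace("%u", username))
    users = search(config["user_base"], attr, value)
    if len(users) != 1:
        return False, "lookup under %s did not yield exactly one user" % config["user_base"]
    user_dn = users[0]
    if not password_ok:
        return False, "bind as %s failed" % user_dn
    if not config["require_group"]:
        return True, "authenticated; RequireGroup is off"
    gattr, gvalue = parse_filter(config["group_filter"])
    wanted = normalize_dn(user_dn)
    for group_dn in search(config["group_base"], gattr, gvalue):
        members = DIRECTORY[group_dn].get(config["member_attribute"], [])
        # The member attribute must hold the user's DN. memberUid of a
        # posixGroup holds "alice", which never equals the DN, so in this
        # model that configuration denies everyone although the group exists.
        if wanted in (normalize_dn(m) for m in members):
            return True, "member of %s via %s" % (group_dn, config["member_attribute"])
    return False, "not listed in %s of any group matching %s" % (
        config["member_attribute"], config["group_filter"])

if __name__ == "__main__":
    posix = dict(CONFIG, group_filter="(cn=posixtest)", member_attribute="memberUid")
    for user, ok, cfg in [("alice", True, CONFIG), ("bob", True, CONFIG),
                          ("alice", False, CONFIG), ("alice", True, posix)]:
        print(user, cfg["member_attribute"], authorize(user, ok, cfg))
```

Two things to keep in mind when you copy the ldap.conf above into production. With TLSEnable no and a URL of ldap://192.168.1.119:389, the BindDN password and every VPN user's password cross the network in cleartext unless the plugin and slapd share a host; enable StartTLS (or ldaps) together with TLSCACertFile before exposing this. And once client-cert-not-required is set, the LDAP password is the only thing authenticating a client, so give the plugin a read-only bind account instead of cn=admin and keep ldap.conf readable by root only.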
Then restart the service:
systemctl restart openvpn@server
Verify from a client:
openvpn client.ovpn ## client.ovpn is the client configuration file