From http://craig.backfire.ca/pages/computers/openvpn-ad-auth
Using username+password authentication with OpenVPN is desirable for many reasons. It makes controlling access by individuals simple and fine-grained, and it saves generating a key pair and certificate for everyone who needs to connect; disabling an account in the directory also blocks new VPN logins for that person. In this article I will show how to configure OpenVPN to authenticate against a Windows Active Directory server.
The first step is to write a small program that acts as the authenticator: OpenVPN runs it for every login attempt and accepts the client only if it exits with status 0. Below is such a program, written in Perl of course.
#!/usr/local/bin/perl
use strict;
use warnings;
use Authen::Simple::ActiveDirectory;
my $adserver  = '10.102.0.5';   # domain controller
my $principal = 'example.org';  # UPN suffix: the bind is done as user@example.org
# With "auth-user-pass-verify ... via-env" OpenVPN exports the client's credentials
# as the environment variables "username" and "password" (lowercase).
my ( $u, $p ) = @ENV{qw/username password/};
# Refuse empty or missing values before binding: an LDAP simple bind with an
# empty password is an unauthenticated bind, which Active Directory answers with success.
exit 1 unless defined $u && length $u && defined $p && length $p;
my $ad = Authen::Simple::ActiveDirectory->new(
    host      => $adserver,
    principal => $principal,
);
# OpenVPN accepts the login only when this script exits 0; any other status rejects it.
# Keep the ternary inside exit()'s parentheses: "exit ( EXPR ) ? 0 : 128" parses as
# exit(EXPR) and so would invert the result.
exit( $ad->authenticate( $u, $p ) ? 0 : 1 );
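The same authenticator contract, written out in Python as an added example (it is not the article's code and not part of any project): OpenVPN runs the script once per login attempt, reads the credentials either from the environment (via-env: variables username and password) or from a two-line temporary file (via-file), and treats exit status 0 as accept and anything else as reject. The directory bind is a callback so the decision logic can be exercised offline against a constructed fake directory; the domain name, the account-name policy and the fake directory are assumptions, and a real deployment would supply a function that performs an LDAP simple bind as user@domain against the domain controller (python-ldap or ldap3, both third-party libraries, are the usual choices). The fake bind deliberately mimics Active Directory's handling of an empty password, which is why the script refuses empty credentials before ever contacting the directory.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify handler with the checks a production script needs.

Added example, not the article's code. OpenVPN's contract: the script is run once per
login attempt and exit status 0 means "accept", anything else "reject". With "via-env"
the credentials arrive in the environment variables "username" and "password"
(lowercase); with "via-file" the script receives one argument, the path of a temporary
file whose first line is the username and second line the password.
"""
import os
import re
import sys

DOMAIN = "example.org"            # assumed UPN suffix, as in the article
EXIT_ACCEPT, EXIT_REJECT = 0, 1   # OpenVPN only distinguishes zero from non-zero

# Assumed account-name policy: a plain sAMAccountName. Rejecting '@', backslash, '/'
# and whitespace keeps a client from steering the bind to another realm or DN.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def parse_via_file(text):
    """Parse the two-line via-file format; returns (None, None) if a line is missing."""
    lines = text.split("\n")
    if len(lines) < 2:
        return None, None
    return lines[0], lines[1]


def read_credentials(argv, env):
    """Return (username, password) from a via-file argument, else from the via-env variables."""
    if len(argv) > 1:
        with open(argv[1], "r", encoding="utf-8", errors="replace") as f:
            return parse_via_file(f.read())
    return env.get("username"), env.get("password")


def decide(username, password, bind, domain=DOMAIN):
    """Map a login attempt to an exit status.

    bind(upn, password) must return True only when the directory accepted a simple bind
    with that exact password; any exception (server down, timeout) fails closed.
    """
    if not username or not password:
        # An LDAP simple bind with an empty password is an *unauthenticated* bind, which
        # Active Directory answers with success. Never forward an empty password.
        return EXIT_REJECT
    if not USERNAME_RE.fullmatch(username):
        return EXIT_REJECT
    try:
        ok = bind(f"{username}@{domain}", password)
    except Exception:
        return EXIT_REJECT
    return EXIT_ACCEPT if ok is True else EXIT_REJECT


# Constructed sample directory standing in for the domain controller (assumption).
FAKE_DIRECTORY = {"alice@example.org": "correct horse battery"}


def fake_bind(upn, password):
    """Stand-in for an LDAP simple bind that mimics AD's handling of empty passwords."""
    if password == "":
        return True  # unauthenticated bind: "success" without proving anything
    return FAKE_DIRECTORY.get(upn) == password


def main(argv=None, env=None, bind=fake_bind):
    """Entry point with the same exit-status semantics OpenVPN expects."""
    argv = sys.argv if argv is None else argv
    env = os.environ if env is None else env
    username, password = read_credentials(argv, env)
    return decide(username, password, bind)


if __name__ == "__main__":
    sys.exit(main())
```

Run it by hand with username=alice password='correct horse battery' ./openvpn-ad-auth.py; echo $? to see the 0/1 mapping before wiring it into the server config. Keeping the bind behind a callback is what makes the empty-password and directory-down paths testable without a domain controller.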
Next, OpenVPN must be configured to require username+password authentication and to hand each login attempt to the authenticator above. Below is a server configuration file which does this. Two points are worth knowing before copying it. First, with client-cert-not-required and duplicate-cn the password check is the only thing that authenticates a client (the CA and server certificate still authenticate the server to the client, and the TLS channel is still built), so the exit status of the script is the whole of your access control. client-cert-not-required was deprecated in OpenVPN 2.4 and removed in later releases in favour of verify-client-cert none. Second, OpenVPN 2.1 and later refuse to run a via-env script unless the configuration also contains script-security 3, the level that permits passing passwords to scripts through the environment; via-file, where the script reads the username and password from the first two lines of a temporary file, needs only script-security 2 and keeps the password out of the process environment.
dev tun

# Server and client IP and Pool
server 10.200.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt

# Certificates for VPN Authentication
ca /usr/local/etc/vpn/keys/ca.crt
cert /usr/local/etc/vpn/keys/server.crt
key /usr/local/etc/vpn/keys/server.key
dh /usr/local/etc/vpn/keys/dh1024.pem

#client-config-dir ccd
route 10.200.1.0 255.255.0.0
push "dhcp-option DNS 10.102.0.5"

# Use compression on the VPN link
comp-lzo

# Make the link more resistant to connection failures
keepalive 10 60
ping-timer-rem
persist-tun
persist-key

# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon
verb 2

duplicate-cn
client-cert-not-required
auth-user-pass-verify /usr/local/etc/vpn/openvpn-ad-auth.pl via-env
Below is a client-side configuration file. auth-user-pass with no argument makes the client prompt for the username and password when it connects; giving it a file name instead reads them from that file, which is convenient but leaves the domain password on disk.
client
dev tun
proto udp
remote vpnhost.example.org 1194
resolv-retry infinite
nobind
persist-tun
comp-lzo
verb 3
ca ca.crt
auth-user-pass
That's it! Contact me if there are any problems.