OpenVPN Access Server + OpenLDAP + memberOf

Posted: October 6th, 2009 | Author: | Filed under: LDAP, VPN | 6 Comments »

I volunteer for an organization called Free Geek, it’s the local chapter here in vancouver and they are such an amazing group of people. Upon seeing the organization I felt compelled to get involved and offer my services as best I could for them. Since I’m a sysadmin by trade I figured that’s what I would do, although I what I did not know was the state of affairs in which their network lay. That is story onto itself however. For this post I’m going to be writing about the OpenVPN Access Server implementation I performed for them.

First, OpenVPN is a great product. Period. They make a secure, easy to configure and deploy, SSL based VPN solution. As long as you know how PKI works you can link multiple sites or users together in just a few minutes. For those of you though who do not want to bother all this command

OpenVPN AS User Portal

OpenVPN AS User Portal

line stuff OpenVPN makes a product called “Access Server.” It’s an easy to install, complete with GUI admin interface VPN implementation. Basically the exact same thing as their open source version, just a HELL of a lot easier to get up and running. Especially for people who are not all familiar with VPN. Shown here in the thumbnail is what the user sees when he or she logs into the web interface of the vpn service. I very simple to read and understand page that asks them which OS they are on and how to configure that OS. Also listed here is the VPN key (client.ovpn) so they can setup their VPN software themselves.

License Key

License Key

To install this wonderful service I first went here, got an account and downloaded the necessary linux package. After installing I went back to the Access Server site and requested a license key. Yes, a license key. Here’s the catch about OpenVPN Access Server. It’s free, for the first two concurrent connections, after that you have to pay per connection. They’re $10 each, which is a HUGE savings over other solutions out there, and they’re sold in packs of five. For my needs though I only require two.

VPN Settings

VPN Settings

After installation, I forwarded ports 443 and 8443 thru my firewall to the VPN server. You can sign into the admin interface using the root credentials of the computer it resides on at https://webaddress/admin. To configure it I did the following, first under Configuration I selected “License” and installed my license keys. Next, I went to “VPN Settings” and told server to route using NAT, client Internet traffic should NOT go thru the VPN, that clients WILL be allowed access to network services on the VPN gateway IP. If you have Mac clients connecting, it’s just easier to select NO to altering your client’s DNS records. If it’s just Linux you could do them same considering push DNS support is just not there for linux either.

LDAP Integration

LDAP Integration

Now it’s time for the fun part, OpenLDAP integration. On the left hand side under Authentication select “LDAP.” Now you don’t have to use LDAP, it’s just that I do cause I like it. If you have a small user base, or if its just for you, use PAM. I don’t care. I don’t judge! (much…) Type in all the normal stuff, LDAP server, base DN, and username attribute. (Either uid, or uniqueMember, or user. Usually uid) This will authorize any valid user in your LDAP directory authorization attempt authentication, but for my purposes this was way too wide open. Free Geek has number of lame-o accounts for guest access that are part of our LDAP schema. So I want to restrict access to only member that are part of the LDAP group “vpn.” This however proved to be more difficult than originally thought.

In OpenLDAP it’s not common for a user entry to list what groups they are part of. In fact, it’s the other way around, you ask the group who its members are. Since OpenVPN want to use a filter on the user’s entry in OpenLDAP this setup was not going to work for me. Enter the memberOf overlay. For those of you who do not know what this does, let me explain. When you add a user to a group the user’s entry does not change, instead the group’s entry changes. So let’s say we add Sally to the group, lusers. If we queried the group lusers we would get an entry like:

memberUid: Sally

But if we queried Sally’s account it would appear the same as before we added her to this group. Therefore we need to modify our OpenLDAP install to allow for a reverse membership.

What I had to do was stop the ”slapd” service on my LDAP server and edit my slapd.conf file and add the following two lines.

overlay memberof

Then I had to create an ldif file with the following contents:

#contents of memberOf.ldif
dn: cn=vpn,ou=Groups,dc=shop,dc=lan
objectclass: groupofnames
cn: vpn
description: Users allowed to connect on VPN
member: uid=jordan,ou=People,dc=shop,dc=lan

And add this to my ldap database slapadd -f memberOf.ldif

After this I fired up the ldap server in debug to check for errors slapd -d 99 -f /etc/ldap/slapd.conf and check to make sure that my group membership of “vpn” was listed in my user entry. ldapsearch -h ldap -x -b "dc=shop,dc=lan" '(uid=jordan)' memberOf and bam! success!

# jordan, People, shop.lan
dn: uid=jordan,ou=People,dc=shop,dc=lan
memberOf: cn=vpn,ou=Groups,dc=shop,dc=lan

So I fired the init.d slapd service back up and went back to the OpenVPN admin interface. For the LDAP filter at the bottom of the window I entered memberof=cn=vpn,ou=Groups,dc=shop,dc=lan I saved and restarted the VPN service and poof. I now have authorization based on group membership!

Using Mac OS X Server RADIUS for Cisco AAA

Posted: October 4th, 2009 | Author: | Filed under: Mac OS X Server | 2 Comments »

Has this ever happened to you? You’re sitting there, minding your own business when then man comes down on you and says; “we need a VPN solution that ties into our directory system, and don’t even think about giving me anything less than proprietary!” Damn! I hate it when that happens. So I’m looking around and think, I know Cisco’s a big PITA proprietary company, I’ll use one of their solutions.

The hardware’s installed, everything in the test accounts is working, now all that’s left to do is tie it into the directory service. Uh oh… it appears as though Apple has made their RADIUS implementation as useless as an ice cube in hell. Fear not, for we can finish what Apple has done half-assed. We’re going to extend the built-in RADIUS service so that it can do OD user based authentication and plug right into Cisco’s AAA.

First, you need to know that if you do not have a standard SSL certificate assigned to your mac yet as a default or if you’ve disabled the built-in one you’ll need to disable a module. Navigate to /etc/raddb/ and open the file labelled radiusd.conf Comment out all lines beginning with eap

Next, open users and change

DEFAULT Auth-Type = System
Fall-Through = 1

To look like:

DEFAULT Auth-Type = opendirectory
Fall-Through = 1

Save and exit and then fire up radiusd on the command line in debug mode so you can see if any errors arise.

radiusd -X

If you get something like:

Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.

Then you’re good to go! Note that your ports my be different than the ones listed here. You can change the ports radius listens on in /etc/services

Now open clients.conf and enter your configuration details for the device you’re setting up. (IP,name,sharedsecret) SSH into your Cisco box and enter the following:

conf t
(configure the terminal)
radius-server host auth-port 1645 acct-port 1646
(make sure you use the right port numbers here)
radius-server key
aaa new-model
aaa authentication login vpn group radius

You need to understand at this point that the above code is only for vpn logins, and that you’ll need to understand how aaa works in order to plug this into your particular setup. For example to plug this authentication into your crypto module and the
was vpn you could use:

crypto map VPN client authentication list vpn
crypto map VPN isakmp authorization list vpn

Or if you wanted to use RADIUS for SSH access to your Cisco box you could use a
of default such as:

aaa authentication login default group radius local

This will allow AAA to check the RADIUS server, but fall back to local auth if RADIUS does not respond.

Finally we’re going to test all of this by using the test command. So get out of conf t by typing exit and try the following:

test aaa group radius username password legacy

If it returns “User was successfully authenticated.” You’re in business.

Happy hunting.

Extending OpenLDAP in Mac OS X Server

Posted: October 1st, 2009 | Author: | Filed under: LDAP, Mac OS X Server | 1 Comment »

So you have an Open Directory server and you want to extend the LDAP schema? Interesting, well as you probably have already noticed, if you go about it the wrong way your LDAP schema will not replicate to your Open Directory Replicas. The proper way to extend or add additional schemas is as follows:

First, you need to have your *.schema that you want to install. Place it into /etc/openldap/schemas/ and add the schema to /etc/openldap/slapd.conf

Second, you’ll need to shutdown ldap and launch it manually to generate the appropriate ldif files.

  1. launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
  2. /usr/libexec/slapd -d 99 -f /etc/openldap/slapd.conf -F /etc/openldap/slad.d

Ensure the message output on your screen indicates that the service fired up correctly and then ctrl-C out of it.

Next, you want to go into the slapd.d\cn=config\cn=schema folder and find the file that says cn={X}schemaname.ldif. Edit it and strip off all the lines that start with:

  1. dn
  2. cn
  3. objectClass
  4. entryUUID
  5. creatorsName
  6. createTimestamp
  7. entryCSN
  8. modifiersName
  9. modifyTimestamp

Take the remainder of the file and cat it onto the customSchema.ldif file.

  1. cat cn\=\{8\}myschema.ldif >> cn\=\{9\}customSchema.ldif

Be careful with this step though, watch spacing, line breaks, and formatting. Here’s an example to see if yours looks right.

olcAttributeTypes: {0}(
NAME 'ec2HomeDirectory'
DESC 'home directory path'
EQUALITY caseExactMatch
olcObjectClasses: {0}( NAME 'Amazon Account'
DESC 'Honk if you like clouds'
SUP top AUXILIARY MAY ( ec2HomeDirectory ) )

Edit /etc/openldap/slapd.conf and remove the schema file we added in the beginning and erase the associate ldif file from the slapd.d\cn=config\cn=schema folder. Use the same launchctl command as above to start your service back up and it should all be good to go!

  1. launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist