Something is wrong.
Instagram token error.

OpenVPN Access Server + OpenLDAP + memberOf

Posted: October 6th, 2009 | Author: | Filed under: LDAP, VPN | 6 Comments »

I volunteer for an organization called Free Geek, it’s the local chapter here in vancouver and they are such an amazing group of people. Upon seeing the organization I felt compelled to get involved and offer my services as best I could for them. Since I’m a sysadmin by trade I figured that’s what I would do, although I what I did not know was the state of affairs in which their network lay. That is story onto itself however. For this post I’m going to be writing about the OpenVPN Access Server implementation I performed for them.

First, OpenVPN is a great product. Period. They make a secure, easy to configure and deploy, SSL based VPN solution. As long as you know how PKI works you can link multiple sites or users together in just a few minutes. For those of you though who do not want to bother all this command

OpenVPN AS User Portal

OpenVPN AS User Portal

line stuff OpenVPN makes a product called “Access Server.” It’s an easy to install, complete with GUI admin interface VPN implementation. Basically the exact same thing as their open source version, just a HELL of a lot easier to get up and running. Especially for people who are not all familiar with VPN. Shown here in the thumbnail is what the user sees when he or she logs into the web interface of the vpn service. I very simple to read and understand page that asks them which OS they are on and how to configure that OS. Also listed here is the VPN key (client.ovpn) so they can setup their VPN software themselves.

License Key

License Key

To install this wonderful service I first went here, got an account and downloaded the necessary linux package. After installing I went back to the Access Server site and requested a license key. Yes, a license key. Here’s the catch about OpenVPN Access Server. It’s free, for the first two concurrent connections, after that you have to pay per connection. They’re $10 each, which is a HUGE savings over other solutions out there, and they’re sold in packs of five. For my needs though I only require two.

VPN Settings

VPN Settings

After installation, I forwarded ports 443 and 8443 thru my firewall to the VPN server. You can sign into the admin interface using the root credentials of the computer it resides on at https://webaddress/admin. To configure it I did the following, first under Configuration I selected “License” and installed my license keys. Next, I went to “VPN Settings” and told server to route using NAT, client Internet traffic should NOT go thru the VPN, that clients WILL be allowed access to network services on the VPN gateway IP. If you have Mac clients connecting, it’s just easier to select NO to altering your client’s DNS records. If it’s just Linux you could do them same considering push DNS support is just not there for linux either.

LDAP Integration

LDAP Integration

Now it’s time for the fun part, OpenLDAP integration. On the left hand side under Authentication select “LDAP.” Now you don’t have to use LDAP, it’s just that I do cause I like it. If you have a small user base, or if its just for you, use PAM. I don’t care. I don’t judge! (much…) Type in all the normal stuff, LDAP server, base DN, and username attribute. (Either uid, or uniqueMember, or user. Usually uid) This will authorize any valid user in your LDAP directory authorization attempt authentication, but for my purposes this was way too wide open. Free Geek has number of lame-o accounts for guest access that are part of our LDAP schema. So I want to restrict access to only member that are part of the LDAP group “vpn.” This however proved to be more difficult than originally thought.

In OpenLDAP it’s not common for a user entry to list what groups they are part of. In fact, it’s the other way around, you ask the group who its members are. Since OpenVPN want to use a filter on the user’s entry in OpenLDAP this setup was not going to work for me. Enter the memberOf overlay. For those of you who do not know what this does, let me explain. When you add a user to a group the user’s entry does not change, instead the group’s entry changes. So let’s say we add Sally to the group, lusers. If we queried the group lusers we would get an entry like:

memberUid: Sally

But if we queried Sally’s account it would appear the same as before we added her to this group. Therefore we need to modify our OpenLDAP install to allow for a reverse membership.

What I had to do was stop the ”slapd” service on my LDAP server and edit my slapd.conf file and add the following two lines.

overlay memberof

Then I had to create an ldif file with the following contents:

#contents of memberOf.ldif
dn: cn=vpn,ou=Groups,dc=shop,dc=lan
objectclass: groupofnames
cn: vpn
description: Users allowed to connect on VPN
member: uid=jordan,ou=People,dc=shop,dc=lan

And add this to my ldap database slapadd -f memberOf.ldif

After this I fired up the ldap server in debug to check for errors slapd -d 99 -f /etc/ldap/slapd.conf and check to make sure that my group membership of “vpn” was listed in my user entry. ldapsearch -h ldap -x -b "dc=shop,dc=lan" '(uid=jordan)' memberOf and bam! success!

# jordan, People, shop.lan
dn: uid=jordan,ou=People,dc=shop,dc=lan
memberOf: cn=vpn,ou=Groups,dc=shop,dc=lan

So I fired the init.d slapd service back up and went back to the OpenVPN admin interface. For the LDAP filter at the bottom of the window I entered memberof=cn=vpn,ou=Groups,dc=shop,dc=lan I saved and restarted the VPN service and poof. I now have authorization based on group membership!

6 Comments on “OpenVPN Access Server + OpenLDAP + memberOf”

  1. 1 Chris said at 1:41 am on March 29th, 2010:

    Hi Jordan,

    This is just what I’ve been looking for. Thanks for this great info.

    Am having a few problems adding my ldif file.

    I get “memberOf.ldif: line 2: unknown directive outside backend info and database definitions.
    slapadd: bad configuration file!”

    Any ideas why this should be? My LDAP skills are not all that brilliant…

    Not sure if I should be using ldapadd instead?


  2. 2 jordan said at 10:15 am on March 29th, 2010:

    Usually whenever I see a “bad configuration file” error it usually means that I’ve left some white space at the beginning of a line somewhere. Check your conf file for lines starting with whitespace. Let me know what you find.


  3. 3 Chris said at 10:26 am on March 29th, 2010:

    Hi Jordan,

    Thanks for the response.

    That was my original thought as well so I re-edited the ldif file by hand but I’m still getting the same error.

    You mentioned that you already had a groupofnames called vpn set up. Maybe I’m missing that step.


  4. 4 Chris said at 9:22 am on March 30th, 2010:

    Hi Jordan,

    Thought I’d give you an update.

    Have managed to get the LDIF file loaded – my problem was that there was a group already loaded via smbldap-groupadd called “VPN” and this was causing a conflict. Once I removed this group the ldif loaded ok.

    Unfortunately, my Cisco ASA5510 still doesn’t want to play ball. I’ve created an attribute map to the memberOf attribute but it doesn’t seem to read it.

    Ho hum. more debugging ahead I think.


  5. 5 Fast, Stable, Cheap – Pick One» Blog Archive » OpenVPN + OpenLDAP said at 8:49 pm on April 21st, 2010:

    […] Check it out. […]

  6. 6 ein said at 10:01 pm on October 15th, 2014:

Leave a Reply