~fkooman/vpn-documentation

ref: HEAD vpn-documentation/LDAP.md -rw-r--r-- 9.4 KiB
89d06477François Kooman update TODO 5 days ago

#title: LDAP description: Enable LDAP Authentication category: authentication

This document describes how to configure LDAP. We assume you used the deploy_${DIST}.sh script to deploy the software.

The LDAP integration can be used both for user authentication and for authorization, i.e. who will be considered an administrator and which profiles will be available for a particular user.

For more information about authorization, after getting authentication to work, you can look here for determining admin portal access, and here for determining who can access which profiles.

NOTE: we have an instruction video on how to configure Active Directory via LDAP here

#Introduction

It is a good idea to try with ldapsearch if you are not absolutely sure what to configure. Once ldapsearch works, it becomes easier to configure the LDAP module.

First, install ldapsearch and the PHP module for LDAP:

$ sudo yum install openldap-clients php-ldap  # CentOS/Fedora
$ sudo apt install ldap-utils php-ldap        # Debian

Restart PHP to activate the LDAP module:

$ sudo systemctl restart php-fpm                            # CentOS/Fedora
$ sudo systemctl restart php$(/usr/sbin/phpquery -V)-fpm    # Debian

You need a couple of details first, you can obtain those from your LDAP administrator, you need at least:

  • LDAP host;
  • The attribute to use for user authentication;
  • Whether or not this attribute is part of the user's DN.

#FreeIPA

For simple FreeIPA setups these are sufficient. Here the uid we want to use for users to authenticate is part of the DN:

$ ldapsearch \
    -W \
    -H ldap://ipa.tuxed.example \
    -D "uid=fkooman,cn=users,cn=accounts,dc=tuxed,dc=example" \
    -b "uid=fkooman,cn=users,cn=accounts,dc=tuxed,dc=example"

After providing the user's password, you should see all the LDAP attributes associated with that user account, e.g. memberOf, mail, uid.

#Active Directory

If you are using Active Directory, it is slightly different, replace DOMAIN with the name of your domain and fkooman with a valid user in your AD:

$ ldapsearch \
        -W \
        -H ldap://ad.example.org \
        -D "DOMAIN\fkooman" \
        -b "dc=example,dc=org" \
        "(sAMAccountName=fkooman)"

You can use the old "NetBIOS domain name" as in the example above, or some other options, e.g. userPrincipalName:

$ ldapsearch \
        -W \
        -H ldap://ad.example.org \
        -D "fkooman@example.org" \
        -b "dc=example,dc=org" \
        "(userPrincipalName=fkooman@example.org)"

#Search First

If you want to use an attribute that is NOT part of the DN, you first need to perform a search for the user's DN, based on the attribute + value you want. For example we want the users to login with the uidNumber attribute and my uidNumber happens to be 572600001:

For this we do an anonymous bind to figure out my DN in the LDAP:

$ ldapsearch \
    -LLL \
    -x \
    -H ldap://server.ipa.test \
    -b "cn=users,cn=accounts,dc=ipa,dc=test" \
    "(uidNumber=572600001)" \
    dn

This returns my DN, in this case dn: uid=fkooman,cn=users,cn=accounts,dc=ipa,dc=test which we can now use to bind now to the server to verify the password:

$ ldapsearch \
    -LLL \
    -W \
    -H ldap://server.ipa.test \
    -D "uid=fkooman,cn=users,cn=accounts,dc=ipa,dc=test" \
    -b "uid=fkooman,cn=users,cn=accounts,dc=ipa,dc=test"

If this works, we can use this information as explained below in the configuration examples.

#Configuration

You can configure the portal to use LDAP. This is configured in the file /etc/vpn-user-portal/config.php.

You have to set authMethod first:

'authMethod' => 'FormLdapAuthentication',

Next is configuring the LDAP server in the FormLdapAuthentication section.

NOTE: {{UID}} is a special template variable that is replaced by what the user specifies in the "User Name" box at login in the portal. If you specify DOMAIN\{{UID}} as bindDnTemplate in the configuration, the actual "bind DN" will become DOMAIN\fkooman assuming the user entered fkooman as "User Name" in the portal.

The userIdAttribute is used to normalize the user identity. For LDAP both fkooman and FKOOMAN are the same. By querying the userIdAttribute we take the exact same format as used in the LDAP server.

'FormLdapAuthentication' => [
    // *** FreeIPA ***
    // -H ldap://ipa.tuxed.example
    'ldapUri' => 'ldap://ipa.tuxed.example',
    // -D "uid=fkooman,cn=users,cn=accounts,dc=tuxed,dc=example"
    'bindDnTemplate' => 'uid={{UID}},cn=users,cn=accounts,dc=tuxed,dc=example',
    // (if -b is the same -D we do NOT specify baseDn...)
    // to normalize the entered user ID, specify the attribute you want to
    // use to identify the user in the VPN server
    'userIdAttribute' => 'uid',

    // *** AD (NetBIOS domain name) ***
    // -H ldap://ad.example.org \
    'ldapUri' => 'ldap://ad.example.org',
    // -D "DOMAIN\fkooman" \
    'bindDnTemplate' => 'DOMAIN\{{UID}}',
    // -b "dc=example,dc=org" \
    'baseDn' => 'dc=example,dc=org',
    // "(sAMAccountName=fkooman)"
    'userFilterTemplate' => '(sAMAccountName={{UID}})',
    // to normalize the entered user ID, specify the attribute you want to
    // use to identify the user in the VPN server
    'userIdAttribute' => 'sAMAccountName',

    // *** AD (userPrincipalName) ***
    // -H ldap://ad.example.org \
    'ldapUri' => 'ldap://ad.example.org',
    // -D "fkooman@example.org" \
    'bindDnTemplate' => '{{UID}}',

    // when the user does NOT specify the realm, e.g. only "fkooman", this
    // option will add "@example.org" to the "User Name" as specified on 
    // the login page. If and only if there is no "@" in the provided 
    // "User Name".!
    'addRealm' => 'example.org',
    // -b "dc=example,dc=org" \
    'baseDn' => 'dc=example,dc=org',
    // "(userPrincipalName=fkooman@example.org)"
    'userFilterTemplate' => '(userPrincipalName={{UID}})',
    // to normalize the entered user ID, specify the attribute you want to
    // use to identify the user in the VPN server
    'userIdAttribute' => 'userPrincipalName',
    
    // *** Search First ***
    // -H ldap://server.ipa.test \
    'ldapUri' => 'ldap://server.ipa.test',
    // -b "cn=users,cn=accounts,dc=ipa,dc=test" \
    'baseDn' => 'cn=users,cn=accounts,dc=ipa,dc=test',
    // "(uidNumber=572600001)" \
    'userFilterTemplate' => '(uidNumber={{UID}})',
    // to normalize the entered user ID, specify the attribute you want to
    // use to identify the user in the VPN server
    'userIdAttribute' => 'uidNumber',
    // in vpn-user-portal >= 2.3.8 you can also perform a bind before 
    // searching as not all LDAP servers allow anonymous bind to search the
    // directory. If at all possible, allow anonymous bind on your LDAP 
    // server from the VPN server. NEVER USE THE LDAP ADMIN ACCOUNT HERE!
    //'searchBindDn' => 'cn=Anonymous Search User,dc=example,dc=org',
    //'searchBindPass' => 's3r3t',
],

This should be all to configure your LDAP!

#LDAPS

In order to use LDAPS, you can use the LDAPS scheme in the baseUri configuration option, e.g.:

'ldapUri' => 'ldaps://ldap.example.org',

If you use LDAPS and your LDAP server has a self signed certificate you may need to make the CA certificate available on the VPN machine.

On the IPA server the CA certificate is stored in /etc/ipa/ca.crt. Copy this to the machine running the VPN software. If you don't have direct access to the IPA server you can also use OpenSSL to obtain the CA certificate:

$ openssl s_client -showcerts -connect ipa.example.org:ldaps

You can copy/paste the CA certificate from the certificates shown.

NOTE: make sure you validate this CA out of band! You MUST be sure this is the actual CA!

#CentOS / Fedora

If you use a self signed certificate for your LDAP server perform these steps. If your certificate is signed by a trusted CA you do not need to do this, it will work out of the box.

Put the self signed certificate file in /etc/pki/ca-trust/source/anchors. After this:

$ sudo update-ca-trust

This will add the CA certificate to the system wide database in such a way that it will remain there, even when the ca-certificates package updates.

You MUST restart php-fpm to pick up the changes:

$ sudo systemctl restart php-fpm

#Debian

If you use a self signed certificate for your LDAP server perform these steps. If your certificate is signed by a trusted CA you do not need to do this, it will work out of the box.

Put the self signed certificate file in /usr/local/share/ca-certificates/ipa.example.org.crt. After this:

$ sudo update-ca-certificates

This will add the CA certificate to the system wide database in such a way that it will remain there, even when the ca-certificate package updates.

You MUST restart php-fpm to pick up the changes:

$ sudo systemctl restart php$(/usr/sbin/phpquery -V)-fpm