openvpn: better management of the native ldap authentication plugin.

This commit is contained in:
Andrea Dell'Amico 2019-08-07 18:43:35 +02:00
parent b2b1270b85
commit a089bc612a
5 changed files with 18 additions and 17 deletions

View File

@ -73,7 +73,7 @@ openvpn_mute_after: 20
openvpn_ldap_uri: 'ldap:'
openvpn_ldap_host: ldap.example.org
openvpn_ldap_url: '{{ openvpn_ldap_uri }}//{{ openvpn_ldap_host }}'
openvpn_ldap_nonanon_bind: False
openvpn_ldap_anon_bind: True
openvpn_ldap_binddn: uid=admin
openvpn_ldap_bindpwd: test
openvpn_ldap_ca: '{{ openvpn_ca }}'

View File

@ -1,6 +1,7 @@
---
# OpenVPN does not support a service reload
- name: Reload OpenVPN
service: name=openvpn state=reloaded
service: name=openvpn state=restarted
when: openvpn_enabled
- name: Restart OpenVPN
@ -9,4 +10,4 @@
- name: Reload systemd
systemd: daemon_reload=yes
when: ansible_service_mgr == 'systemd'
when: ansible_service_mgr == 'systemd'

View File

@ -22,14 +22,6 @@
tags: [ 'openvpn', 'openvpn_radius' ]
- block:
- name: apt key for the internal ppa repository. Needed by the openvpn ldap auth with posix groups
apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
when: not openvpn_ldap_without_posix_groups
- name: Setup the internal apt repository
apt_repository: repo='deb http://ppa.research-infrastructures.eu/system trusty main' update_cache=yes
when: not openvpn_ldap_without_posix_groups
- name: Install the OpenVPN ldap auth plugin package
apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
@ -121,10 +113,12 @@
#dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
- name: Relax the ta.key file permissions so that it can be copied around
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
- name: Get the ta key from the master host
synchronize:
@ -140,6 +134,7 @@
- name: Fix the ta.key file permissions on the master host
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
when:
- openvpn_ha

View File

@ -2,11 +2,11 @@
# LDAP server URL
URL {{ openvpn_ldap_url }}
{% if openvpn_ldap_nonanon_bind %}
{% if not openvpn_ldap_anon_bind %}
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN {{ openvpn_ldap_binddn }}
BindDN "{{ openvpn_ldap_binddn }}"
# Bind Password
Password {{ openvpn_ldap_bindpwd }}
Password "{{ openvpn_ldap_bindpwd }}"
{% endif %}
# Network timeout (in seconds)
@ -15,10 +15,16 @@
{% if openvpn_ldap_starttls %}
# Enable Start TLS
TLSEnable yes
{% else %}
TLSEnable no
{% endif %}
{% if not openvpn_ldap_anon_bind %}
# Follow LDAP Referrals (anonymously)
FollowReferrals no
{% else %}
FollowReferrals yes
{% endif %}
# TLS CA Certificate File
TLSCACertFile {{ openvpn_ldap_ca }}
@ -37,7 +43,7 @@
# Cipher Suite
# The defaults are usually fine here
TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}
#TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}
</LDAP>
<Authorization>
@ -45,7 +51,6 @@
BaseDN "{{ openvpn_ldap_base_dn }}"
# User Search Filter
# SearchFilter "(&(uid=%u)(accountStatus=active))"
SearchFilter "{{ openvpn_ldap_user_search }}"
# Require Group Membership

View File

@ -103,7 +103,7 @@ plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
{% if openvpn_ldap_perl_auth %}
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
script-security 3 execve
#script-security 3 execve
{% endif %}
max-clients {{ openvpn_max_clients }}