library/roles/openvpn: Support to two different kinds of ldap authentication: Via the openvpn-ldap-auth module (no posix groups support, and it crashes on ubuntu 14.04), and via an external perl script.

openvpn/defaults/main.yml

@@ -5,14 +5,24 @@ openvpn_pkg_state: latest
 openvpn_pkgs:
   - openvpn
 
+# Authentication choices
+openvpn_cert_auth_enabled: True
+openvpn_username_pam_auth: False
+
 openvpn_radius_auth: False
 openvpn_radius_pkg:
   - openvpn-auth-radius
 
+# With openvpn-auth-ldap. Broken on Ubuntu trusty  
 openvpn_ldap_auth: False
 openvpn_ldap_pkg:
   - openvpn-auth-ldap
 
+openvpn_ldap_perl_auth: False
+openvpn_perl_pkg:
+  - libnet-ldap-perl
+
+# Server con parameters
 openvpn_conf_dir: /etc/openvpn
 openvpn_conf_name: openvpn.conf
   
@@ -26,12 +36,13 @@ openvpn_push_routes:
 
 #openvpn_push_settings:
 #  - "dhcp-option DNS 10.66.0.4"
-  
+
 openvpn_tls_server: True
 openvpn_dh: /etc/openvpn/dh2048.pem
 openvpn_tls_auth: '/etc/openvpn/ta.key 0'
 openvpn_install_alternative_ca: False
 openvpn_alternative_ca_name: ca.pem
+openvpn_ca_dir: False
 openvpn_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
 openvpn_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
 openvpn_key: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
@@ -39,9 +50,6 @@ openvpn_key: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
 openvpn_compression_enabled: False
 openvpn_keepalive: '10 120'
 
-openvpn_cert_auth_enabled: True
-openvpn_username_pam_auth: False
-
 openvpn_max_clients: 50
 openvpn_run_unprivileged: True
 openvpn_unprivileged_user: nobody
@@ -50,3 +58,33 @@ openvpn_letsencrypt_managed: True
 
 openvpn_verbosity_log: 3
 openvpn_mute_after: 20
+
+# LDAP conf
+openvpn_ldap_uri: 'ldap:'
+openvpn_ldap_host: ldap.example.org
+openvpn_ldap_url: '{{ openvpn_ldap_uri }}//{{ openvpn_ldap_host }}'
+openvpn_ldap_nonanon_bind: False
+openvpn_ldap_binddn: uid=admin
+openvpn_ldap_bindpwd: test
+openvpn_ldap_ca: '{{ openvpn_ca }}'
+openvpn_ldap_use_ca_dir: False
+openvpn_ldap_ca_dir: /etc/ssl/certs
+openvpn_ldap_starttls: False
+openvpn_ldap_tls_auth: False
+openvpn_ldap_tls_cert: '{{ openvpn_cert }}'
+openvpn_ldap_tls_key: '{{ openvpn_key }}'
+openvpn_ldap_tls_ciphersuite: 'ALL:!ADH:@STRENGTH'
+# LDAP auth
+openvpn_ldap_base_dn: 'ou=People,dc=example,dc=org'
+openvpn_ldap_user_search: '(&(uid=%u))'
+openvpn_ldap_require_group: False
+# See https://github.com/threerings/openvpn-auth-ldap/issues/7
+openvpn_ldap_without_posix_groups: True  
+openvpn_ldap_group_base: 'ou=Groups,dc=example,dc=org'
+openvpn_ldap_group_filter: '(|(cn=developers)(cn=artists))'
+openvpn_ldap_group_member_attr: uniqueMember
+
+# Perl LDAP conf
+openvpn_ldap_perl_auth_ssl: True
+openvpn_ldap_perl_auth_sslport: 636
+openvpn_ldap_perl_auth_group: vpn_ldap_posix_group

openvpn/tasks/openvpn.yml

@@ -1,79 +1,113 @@
 ---
-- name: Install the OpenVPN main packages
-  apt: pkg={{ item }} state={{ openvpn_pkg_state }} update_cache=yes
-  with_items: '{{ openvpn_pkgs }}'
-  tags: openvpn
+- block: 
+    - name: Install the OpenVPN main packages
+      apt: pkg={{ item }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
+      with_items: '{{ openvpn_pkgs }}'
 
-- name: Install the OpenVPN radius auth plugin package
-  apt: pkg={{ item }} state={{ openvpn_pkg_state }}
-  with_items: '{{ openvpn_radius_pkg }}'
-  when: openvpn_radius_auth
-  tags: openvpn
+    - name: Create the auth, ipp and status subdirs
+      file: dest={{ openvpn_conf_dir }}/{{ item }} state=directory owner={{ openvpn_unprivileged_user }} group=root mode=0770
+      with_items:
+        - ipp
+        - status
+        - auth
 
-- name: Install the OpenVPN ldap auth plugin package
-  apt: pkg={{ item }} state={{ openvpn_pkg_state }}
-  with_items: '{{ openvpn_ldap_pkg }}'
-  when: openvpn_ldap_auth
-  tags: openvpn
-
-- name: Install the OpenVPN PAM auth plugin
-  shell: cp /usr/lib/openvpn/openvpn-plugin-auth-pam.so {{ openvpn_conf_dir }}/openvpn-plugin-auth-pam.so
-  args:
-    creates: '{{ openvpn_conf_dir }}/openvpn-plugin-auth-pam.so'
-  when: openvpn_username_pam_auth
-  tags: openvpn
-
-- name: Remove the OpenVPN PSM auth plugin
-  file: dest={{ openvpn_conf_dir }}/openvpn-plugin-auth-pam.so state=absent
-  when: not openvpn_username_pam_auth
-  tags: openvpn
-
-- name: Create the ipp and status subdirs
-  file: dest={{ openvpn_conf_dir }}/{{ item }} state=directory
-  with_items:
-    - ipp
-    - status
-  tags: openvpn
-
-- name: Install the main OpenVPN configuration file
-  template: src=openvpn.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group=root mode=0444
-  notify: Reload OpenVPN
-  tags: openvpn
-
-- name: Create the dh file
-  shell: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048 ; chmod 444 {{ openvpn_conf_dir }}/dh2048.pem
-  args:
-    creates: '{{ openvpn_conf_dir }}/dh2048.pem'
-  tags: openvpn
-  
-- name: Create the ta key
-  shell: cd {{ openvpn_conf_dir }} ; openvpn --genkey --secret ta.key ; chmod 400 {{ openvpn_conf_dir }}/ta.key
-  args:
-    creates: '{{ openvpn_conf_dir }}/ta.key'
-  tags: openvpn
-
-- name: Ensure that the OpenVPN service is enabled and running
-  service: name=openvpn state=started enabled=yes
   when: openvpn_enabled
   tags: openvpn
 
-- name: Ensure that the OpenVPN service is stopped and disabled
-  service: name=openvpn state=stopped enabled=no
-  when: not openvpn_enabled
+- block: 
+    - name: Install the OpenVPN radius auth plugin package
+      apt: pkg={{ item }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
+      with_items: '{{ openvpn_radius_pkg }}'
+
+  when: openvpn_radius_auth
+  tags: [ 'openvpn', 'openvpn_radius' ]
+
+
+- block:
+    - name: apt key for the internal ppa repository. Needed by the openvpn ldap auth with posix groups
+      apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
+      when:
+        - openvpn_ldap_auth
+        - not openvpn_ldap_without_posix_groups
+  
+    - name: Setup the internal apt repository
+      apt_repository: repo='deb http://ppa.research-infrastructures.eu/system trusty main'
+      when:
+        - openvpn_ldap_auth
+        - not openvpn_ldap_without_posix_groups
+
+    - name: Install the OpenVPN ldap auth plugin package
+      apt: pkg={{ item }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
+      with_items: '{{ openvpn_ldap_pkg }}'
+
+    - name: Install the LDAP auth configuration file
+      template: src=auth-ldap.conf.j2 dest={{ openvpn_conf_dir }}/auth/auth-ldap.conf owner=root group={{ openvpn_unprivileged_group }} mode=0440
+      notify: Reload OpenVPN
+
+    - name: Remove the LDAP auth configuration file if LDAP is not used
+      file: dest={{ openvpn_conf_dir }}/auth/auth-ldap.conf state=absent
+      notify: Reload OpenVPN
+      when: not openvpn_ldap_auth
+
+
+  when: openvpn_ldap_auth
+  tags: [ 'openvpn', 'openvpn_ldap' ]
+
+
+- block:
+    - name: Install the perl libraries needed by the LDAP client authentication script
+      apt: pkg={{ item }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
+      with_items: '{{ openvpn_perl_pkg }}'
+
+    - name: Install the perl LDAP auth script
+      template: src=auth-ldap.pl.j2 dest={{ openvpn_conf_dir }}/auth/auth-ldap owner=root group={{ openvpn_unprivileged_group }} mode=0550
+
+  when: openvpn_ldap_perl_auth
+  tags: [ 'openvpn', 'openvpn_ldap' ]
+
+
+- block:
+    - name: Install the main OpenVPN configuration file
+      template: src=openvpn.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
+      notify: Reload OpenVPN
+
+    - name: Create the dh file
+      shell: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048 ; chmod 444 {{ openvpn_conf_dir }}/dh2048.pem
+      args:
+        creates: '{{ openvpn_conf_dir }}/dh2048.pem'
+  
+    - name: Create the ta key
+      shell: cd {{ openvpn_conf_dir }} ; openvpn --genkey --secret ta.key ; chmod 400 {{ openvpn_conf_dir }}/ta.key
+      args:
+        creates: '{{ openvpn_conf_dir }}/ta.key'
+
+  tags: [ 'openvpn', 'openvpn_conf' ]
+
+
+- block:
+    - name: Enable kernel forwarding
+      sysctl: name={{ item }} value=1 reload=yes state=present
+      with_items:
+        - net.ipv4.ip_forward
+        # - net.ipv6.conf.all.forwarding
+      when:
+        - openvpn_enable_system_forward
+        - openvpn_enabled
+
+    - name: Disable kernel forwarding
+      sysctl: name={{ item }} value=0 reload=yes state=present
+      with_items:
+        - net.ipv4.ip_forward
+        # - net.ipv6.conf.all.forwarding
+      when: not openvpn_enable_system_forward
+
+    - name: Ensure that the OpenVPN service is enabled and running
+      service: name=openvpn state=started enabled=yes
+      when: openvpn_enabled
+
+    - name: Ensure that the OpenVPN service is stopped and disabled
+      service: name=openvpn state=stopped enabled=no
+      when: not openvpn_enabled
+
   tags: openvpn
 
-- name: Enable kernel forwarding
-  sysctl: name={{ item }} value=1 reload=yes state=present
-  with_items:
-    - net.ipv4.ip_forward
-#    - net.ipv6.conf.all.forwarding
-  when: openvpn_enable_system_forward
-  tags: openvpn
-
-- name: Disable kernel forwarding
-  sysctl: name={{ item }} value=0 reload=yes state=present
-  with_items:
-    - net.ipv4.ip_forward
-#    - net.ipv6.conf.all.forwarding
-  when: not openvpn_enable_system_forward
-  tags: openvpn

openvpn/templates/auth-ldap.conf.j2

@@ -0,0 +1,67 @@
+<LDAP>
+        # LDAP server URL
+        URL                     {{ openvpn_ldap_url }}
+
+{% if openvpn_ldap_nonanon_bind %}
+        # Bind DN (If your LDAP server doesn't support anonymous binds)
+        BindDN                  {{ openvpn_ldap_binddn }}
+        # Bind Password
+        Password                {{ openvpn_ldap_bindpwd }}
+{% endif %}
+
+        # Network timeout (in seconds)
+        Timeout         15
+
+{% if openvpn_ldap_starttls %}
+        # Enable Start TLS
+        TLSEnable      yes
+{% endif %}
+
+        # Follow LDAP Referrals (anonymously)
+        FollowReferrals yes
+
+        # TLS CA Certificate File
+        TLSCACertFile           {{ openvpn_ldap_ca }}
+
+{% if openvpn_ldap_use_ca_dir %}
+        # TLS CA Certificate Directory
+        # TLSCACertDir  {{ openvpn_ldap_ca_dir }}
+{% endif %}
+
+{% if openvpn_ldap_tls_auth %}
+        # Client Certificate and key
+        # If TLS client authentication is required
+        TLSCertFile     {{ openvpn_ldap_tls_cert }}
+        TLSKeyFile      {{ openvpn_ldap_tls_key }}
+{% endif %}
+
+        # Cipher Suite
+        # The defaults are usually fine here
+        TLSCipherSuite   {{ openvpn_ldap_tls_ciphersuite }}
+</LDAP>
+
+<Authorization>
+        # Base DN
+        BaseDN          "{{ openvpn_ldap_base_dn }}"
+
+        # User Search Filter
+        # SearchFilter  "(&(uid=%u)(accountStatus=active))"
+        SearchFilter    "{{ openvpn_ldap_user_search }}"
+
+        # Require Group Membership
+        RequireGroup    {{ openvpn_ldap_require_group }}
+
+{% if openvpn_ldap_require_group %}
+        # Add non-group members to a PF table (disabled)
+        #PFTable        ips_vpn_users
+
+        <Group>
+               BaseDN          "{{ openvpn_ldap_group_base }}"
+               SearchFilter    "{{ openvpn_ldap_group_filter }}"
+               RFC2307bis      {{ openvpn_ldap_without_posix_groups }}
+               MemberAttribute {{ openvpn_ldap_group_member_attr }}
+               # Add group members to a PF table (disabled)
+        #       #PFTable        ips_vpn_eng
+        </Group>
+{% endif %}
+</Authorization>

openvpn/templates/auth-ldap.pl.j2

@@ -0,0 +1,42 @@
+#!/usr/bin/perl -w
+
+{% if openvpn_ldap_perl_auth_ssl %}
+use Net::LDAPS;
+{% else %}
+use Net::LDAP;
+{% endif %}
+use strict;
+
+my $ldap;
+my $result;
+
+my $opt_uri = "{{ openvpn_ldap_host }}";
+my $opt_user = $ENV{'username'};
+my $opt_passwd = $ENV{'password'};
+my $opt_group = "cn={{ openvpn_ldap_perl_auth_group }},{{ openvpn_ldap_group_base }}";
+my $opt_binddn = "uid=".$opt_user.",{{ openvpn_ldap_base_dn }}";
+
+{% if openvpn_ldap_perl_auth_ssl %}
+$ldap = Net::LDAPS->new($opt_uri, version => 3,
+                        port => '{{ openvpn_ldap_perl_auth_sslport }}',
+                        verify => 'require',
+                        {% if openvpn_ca_dir %}
+                        capath => '{{ openvpn_ldap_ca }}'
+                        {% else %}
+                        cafile => '{{ openvpn_ldap_ca }}'
+                        {% endif %}
+    ) or die("LDAPS connect to $opt_uri failed!");
+{% else %}
+$ldap = Net::LDAP->new($opt_uri) or die("LDAP connect to $opt_uri failed!");
+{% endif %}
+
+{% if openvpn_ldap_nonanon_bind %}
+$result = $ldap->bind('{{ openvpn_ldap_binddn }}', password => '{{ openvpn_ldap_bindpwd }}');
+{% else %}
+$result = $ldap->bind($opt_binddn, password => $opt_passwd);
+{% endif %}
+$result->code and die($result->error);
+$result = $ldap->search(base=>$opt_group, filter => "(&({{ openvpn_ldap_group_member_attr }}=$opt_user))");
+$result->code();
+if ($result->count == 1) { exit 0; }
+unless($result->count){ exit 1; }

openvpn/templates/openvpn.conf.j2

@@ -44,7 +44,16 @@ client-cert-not-required
 {% if openvpn_username_pam_auth %}
 username-as-common-name
 # PAM login
-plugin /etc/openvpn/openvpn-plugin-auth-pam.so login
+plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
+{% endif %}
+
+{% if openvpn_ldap_auth %}
+plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
+{% endif %}
+
+{% if openvpn_ldap_perl_auth %}
+auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
+script-security 3 execve
 {% endif %}
 
 max-clients {{ openvpn_max_clients }}

ubuntu-deb-general/tasks/packages.yml

@@ -53,6 +53,12 @@
   ignore_errors: True
   tags: packages
 
+- name: setup system apt repository for specific distributions
+  apt_repository: repo='deb http://ppa.research-infrastructures.eu/system {{ ansible_distribution_release }} main' update_cache=yes
+  when: is_trusty
+  ignore_errors: True
+  tags: packages
+
 - name: install common packages
   apt: pkg={{ item }} state={{ pkg_state }}
   with_items: '{{ common_packages }}'