
IPFire router for Skolelinux??? OpenVPN with LDAP



Hello list,

I'm currently tinkering with an IPFire router for our school and have been successful so far. The teachers wanted a dial-in option, so I decided on ipfire with OpenVPN, since OpenVPN has a fairly simple GUI for Windows and can be used via the Linux NetworkManager.
After a little back and forth that worked well. You install ipfire following the instructions in the ipfire wiki and, also following the instructions in that wiki, enable OpenVPN.
Then you just add the option "keepalive 10 120" to /var/ipfire/ovpn/server.conf and you're done.
Now my boss wants authentication against LDAP (unfortunately still Arktur at the moment). I would prefer to do the whole thing via openvpn-auth-ldap as described at http://code.google.com/p/openvpn-auth-ldap/, but unfortunately I can't work out how I would have to build that for ipfire. So I went with option 2 according to http://openvpn.net/index.php/open-source/documentation/howto.html#auth, via a script. For the OpenVPN login, only the return value exit 0 or exit 1 seems to matter. I tested that and can confirm it (I cobbled together a script that only executes the line with exit 0; or exit 1; as far as I can still remember perl).
To do this, you add the option "auth-user-pass-verify /var/ipfire/ovpn/auth-ldap.pl via-file" to /var/ipfire/ovpn/server.conf. OK, so far so good. Now I have a VPN connection established with a prompt for username and password on the client (oh, and the client needs the line "auth-user-pass" in its config, which ipfire itself builds very conveniently; then it works on the client side too) and would only have to teach the script to query LDAP.

Can anyone help me with this? Perhaps build the whole thing so that I can later use Cipux and Debian-Edu?
IPFire with the OpenVPN option seems to be a very interesting router for schools.

Thanks in advance.

Best regards, Gerhard Prade

_____________________________________________

PS: Once more, everything I found on this:


http://openvpn.net/index.php/open-source/documentation/howto.html#auth

Using alternative authentication methods

OpenVPN 2.0 includes a feature that allows the OpenVPN server to securely obtain a username and password from a connecting client, and to use that information as a basis for authenticating the client.

To use this authentication method, first add the auth-user-pass directive to the client configuration. It will direct the OpenVPN client to query the user for a username/password, passing it on to the server over the secure TLS channel.

Next, configure the server to use an authentication plugin, which may be a script, shared object, or DLL. The OpenVPN server will call the plugin every time a VPN client tries to connect, passing it the username/password entered on the client. The authentication plugin can control whether or not the OpenVPN server allows the client to connect by returning a failure (1) or success (0) value.
Using Script Plugins

Script plugins can be used by adding the auth-user-pass-verify directive to the server-side configuration file. For example:

    auth-user-pass-verify auth-pam.pl via-file

will use the auth-pam.pl perl script to authenticate the username/password of connecting clients. See the description of auth-user-pass-verify in the manual page for more information.

The auth-pam.pl script is included in the OpenVPN source file distribution in the sample-scripts subdirectory. It will authenticate users on a Linux server using a PAM authentication module, which could in turn implement shadow password, RADIUS, or LDAP authentication. auth-pam.pl is primarily intended for demonstration purposes. For real-world PAM authentication, use the openvpn-auth-pam shared object plugin described below.
Using Shared Object or DLL Plugins

Shared object or DLL plugins are usually compiled C modules which are loaded by the OpenVPN server at run time. For example if you are using an RPM-based OpenVPN package on Linux, the openvpn-auth-pam plugin should be already built. To use it, add this to the server-side config file:

    plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login

This will tell the OpenVPN server to validate the username/password entered by clients using the login PAM module.

For real-world production use, it's better to use the openvpn-auth-pam plugin, because it has several advantages over the auth-pam.pl script:

    * The shared object openvpn-auth-pam plugin uses a split-privilege execution model for better security. This means that the OpenVPN server can run with reduced privileges by using the directives user nobody, group nobody, and chroot, and will still be able to authenticate against the root-readable-only shadow password file.
    * OpenVPN can pass the username/password to a plugin via virtual memory, rather than via a file or the environment, which is better for local security on the server machine.
    * C-compiled plugin modules generally run faster than scripts.

If you would like more information on developing your own plugins for use with OpenVPN, see the README files in the plugin subdirectory of the OpenVPN source distribution.

To build the openvpn-auth-pam plugin on Linux, cd to the plugin/auth-pam directory in the OpenVPN source distribution and run make.

_____________________________________________

http://code.google.com/p/openvpn-auth-ldap/

Description

The OpenVPN Auth-LDAP Plugin implements username/password authentication via LDAP for OpenVPN 2.x.
Features

    * User authentication against LDAP.
    * Simple Apache-style configuration file.
    * LDAP group-based access restrictions.
    * Integration with the OpenBSD packet filter, supporting adding and removing VPN clients from PF tables based on group membership.
    * Tested against OpenLDAP, the plugin will authenticate against any LDAP server that supports LDAP simple binds -- including Active Directory. 

Building
Requirements

    * OpenLDAP Headers and Library
    * GNU Objective-C Compiler
    * OpenVPN Plugin Header (included with the OpenVPN sources)
    * re2c (used for the configuration file lexer) 

To build, you will need to configure the sources appropriately. Example:

./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/usr/ports/security/openvpn/work/openvpn-2.0.2

The module will be built in src/openvpn-auth-ldap.so and installed as ${prefix}/lib/openvpn-auth-ldap.so.
Usage

Add the following to your OpenVPN configuration file (adjusting the plugin path as required):

plugin /usr/local/lib/openvpn-auth-ldap.so "<config>"

The config directive must point to an auth-ldap configuration file. An example configuration file is provided with the distribution, or see the Configuration page.
Security

Please report all security issues directly to landonf+security (at) bikemonkey (dot) org.

Through the use of extensive unit testing, valgrind, and regression testing, we are very confident in the overall code quality of the plugin. There has been one security vulnerability to date, due to misinterpretation of LDAP RFCs.

    * 2006-12-02: OpenVPN Auth-LDAP would accept empty passwords when validating against Novell Directory Server. This is known to not affect default installs of OpenLDAP (our test platform). Strict implementation of the LDAP RFCs requires that a directory server treat a bind with a valid DN and an empty password as an "anonymous" bind. If anonymous binds are enabled, this could lead to password bypass. 


_____________________________________________

http://code.google.com/p/openvpn-auth-ldap/wiki/Configuration

Configuring the OpenVPN Auth-LDAP Plugin
Example Configuration

<LDAP>
        # LDAP server URL
        URL             ldap://ldap1.example.org

        # Bind DN (If your LDAP server doesn't support anonymous binds)
        # BindDN                uid=Manager,ou=People,dc=example,dc=com

        # Bind Password
        # Password      SecretPassword

        # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        TLSEnable       yes

        # Follow LDAP Referrals (anonymously)
        FollowReferrals yes

        # TLS CA Certificate File
        TLSCACertFile   /usr/local/etc/ssl/ca.pem

        # TLS CA Certificate Directory
        TLSCACertDir    /etc/ssl/certs

        # Client Certificate and key
        # If TLS client authentication is required
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem

        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite        ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
        # Base DN
        BaseDN          "ou=People,dc=example,dc=com"

        # User Search Filter
        SearchFilter    "(&(uid=%u)(accountStatus=active))"

        # Require Group Membership
        RequireGroup    false

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "ou=Groups,dc=example,dc=com"
                SearchFilter    "(|(cn=developers)(cn=artists))"
                MemberAttribute uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>


_____________________________________________

http://svn.dd-wrt.com:8000/dd-wrt/browser/src/router/openvpn/sample-scripts/auth-pam.pl

#!/usr/bin/perl -t

# OpenVPN PAM AUTHENTICATON
#   This script can be used to add PAM-based authentication
#   to OpenVPN 2.0.  The OpenVPN client must provide
#   a username/password, using the --auth-user-pass directive.
#   The OpenVPN server should specify --auth-user-pass-verify
#   with this script as the argument and the 'via-file' method
#   specified.  The server can also optionally specify
#   --client-cert-not-required and/or --username-as-common-name.

# SCRIPT OPERATION
#   Return success or failure status based on whether or not a
#   given username/password authenticates using PAM.
#   Caller should write username/password as two lines in a file
#   which is passed to this script as a command line argument.

# CAVEATS
#   * Requires Authen::PAM module, which may also
#     require the pam-devel package.
#   * May need to be run as root in order to
#     access username/password file.

# NOTES
#   * This script is provided mostly as a demonstration of the
#     --auth-user-pass-verify script capability in OpenVPN.
#     For real world usage, see the auth-pam module in the plugin
#     folder.

use Authen::PAM;
use POSIX;

# This "conversation function" will pass
# $password to PAM when it asks for it.

sub my_conv_func {
    my @res;
    while ( @_ ) {
        my $code = shift;
        my $msg = shift;
        my $ans = "";

        $ans = $password if $msg =~ /[Pp]assword/;

        push @res, (PAM_SUCCESS(),$ans);
    }
    push @res, PAM_SUCCESS();
    return @res;
}

# Identify service type to PAM
$service = "login";

# Get username/password from file

if ($ARG = shift @ARGV) {
    if (!open (UPFILE, "<$ARG")) {
        print "Could not open username/password file: $ARG\n";
        exit 1;
    }
} else {
    print "No username/password file specified on command line\n";
    exit 1;
}

$username = <UPFILE>;
$password = <UPFILE>;

if (!$username || !$password) {
    print "Username/password not found in file: $ARG\n";
    exit 1;
}

chomp $username;
chomp $password;

close (UPFILE);

# Initialize PAM object

if (!ref($pamh = new Authen::PAM($service, $username, \&my_conv_func))) {
    print "Authen::PAM init failed\n";
    exit 1;
}

# Authenticate with PAM

$res = $pamh->pam_authenticate;

# Return success or failure

if ($res == PAM_SUCCESS()) {
    exit 0;
} else {
    print "Auth '$username' failed, PAM said: ", $pamh->pam_strerror($res), "\n";
    exit 1;
}

_____________________________________________

http://www.indato.ch/openvpn/openvpn.html

#!/bin/sh
#
# a simple ldap auth script for openvpn
# (expects the via-env method: username and password arrive as environment variables)
#
LDAP_HOST=10.10.10.3
#
# reject empty username/password or [Aa]nonymous
# (a bind with an empty password is an anonymous bind on RFC-strict servers)
#
if [ "$username" = "anonymous" ] || [ "$username" = "Anonymous" ] || [ -z "$username" ] || [ -z "$password" ] ; then
   exit 1
fi
#
# test whether a bind with the credentials works - invalid characters are turned into _
#
ldapwhoami -x -h "$LDAP_HOST" -D "uid=$username,ou=users,dc=example,dc=com" \
           -w "$password" >/dev/null 2>&1
#
if [ "$?" = "0" ]; then
   exit 0
else
   exit 1
fi
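The script the post is asking for, as an added example that is neither the post's own code nor part of OpenVPN or IPFire: a via-file variant of the shell script above, so it fits the "auth-user-pass-verify ... via-file" line already in the poster's server.conf. It refuses empty or "anonymous" credentials before binding (the empty-password bypass noted in the auth-ldap security entry), escapes the username before placing it in the bind DN, and otherwise does the same ldapwhoami simple bind. The LDAP host, the DN layout and the script path are assumptions.

```python
#!/usr/bin/env python3
# Added example (not the post's or OpenVPN's own code): an auth-user-pass-verify
# "via-file" script doing an LDAP simple bind via ldapwhoami; exit 0 accepts, 1 rejects.
import subprocess
import sys
LDAP_HOST = "10.10.10.3"                                   # assumed, as in the shell script
USER_DN_TEMPLATE = "uid={uid},ou=users,dc=example,dc=com"  # assumed DN layout

def parse_via_file(text):
    """OpenVPN writes the file as two lines: username, then password."""
    lines = text.split("\n")
    return (lines[0], lines[1]) if len(lines) >= 2 else (None, None)

def escape_dn_value(value):
    """Escape a value for use inside a DN (RFC 4514) so the username cannot rewrite the DN."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def credentials_acceptable(username, password):
    """Refuse what must never reach the bind: empty values, 'anonymous', control characters."""
    if not username or not password:
        return False  # an empty password is an anonymous bind on RFC-strict servers
    if username.lower() == "anonymous":
        return False
    return not any(ord(c) < 0x20 for c in username + password)

def ldap_bind(username, password):
    dn = USER_DN_TEMPLATE.format(uid=escape_dn_value(username))
    # -w puts the password in the process list; OpenLDAP's -y <file> avoids that
    proc = subprocess.run(["ldapwhoami", "-x", "-h", LDAP_HOST, "-D", dn, "-w", password],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0

def verify_text(text, bind=ldap_bind):
    """Return the exit status OpenVPN expects: 0 accept, 1 reject."""
    username, password = parse_via_file(text)
    if not credentials_acceptable(username, password):
        return 1
    return 0 if bind(username, password) else 1

if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        sys.exit(verify_text(fh.read()))
```

Point "auth-user-pass-verify" at this file instead of auth-ldap.pl; OpenVPN 2.1 and later also need "script-security 2" in server.conf before they will run any external script.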