This article, collected and compiled by 大佬教程, describes how to make OpenVPN on CentOS 7 authenticate logins against Windows Active Directory using the openvpn-auth-ldap plugin.
First add a repository that carries the plugin. The repository file used here:

[root@openvpn openvpn]# cat /etc//
[epel]
name=aliyun epel
baseurl= /epel/7Server/x86_64/
gpgcheck=0

Be aware that gpgcheck=0 switches off signature verification for every package pulled from this mirror. For a package that sits in your authentication path you want gpgcheck=1 with the EPEL signing key installed.

Then install the plugin:

[root@openvpn openvpn]# yum install openvpn-auth-ldap -y

Once the installation has finished, go to the plugin's configuration directory.
cd /etc/openvpn/auth/
vim

Have a look at the default configuration file first:
<LDAP>
    # LDAP server URL
    URL             ldap://
    # Bind DN (If your LDAP server doesn't support anonymous binds)
    # BindDN        uid=Manager,ou=People,dc=example,dc=com
    # Bind Password
    # Password      SecretPassword
    # Network timeout (in seconds)
    Timeout         15
    # Enable Start TLS
    TLSEnable       yes
    # Follow LDAP Referrals (anonymously)
    FollowReferrals yes
    # TLS CA Certificate File
    TLSCACertFile   /usr/local/etc/ssl/
    # TLS CA Certificate Directory
    TLSCACertDir    /etc/ssl/certs
    # Client Certificate and key
    # If TLS client authentication is required
    TLSCertFile     /usr/local/etc/ssl/client-
    TLSKeyFile      /usr/local/etc/ssl/client-
    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN
    BaseDN          "ou=People,dc=com"
    # User Search Filter
    SearchFilter    "(&(uid=%u)(accountStatus=active))"
    # Require Group Membership
    RequireGroup    false
    # Add non-group members to a PF table (disabled)
    # PFTable       ips_vpn_users
    <Group>
        BaseDN          "ou=Groups,dc=com"
        SearchFilter    "(|(cn=developers)(cn=artists))"
        MemberAttribute uniqueMember
        # Add group members to a PF table (disabled)
        # PFTable       ips_vpn_eng
    </Group>
</Authorization>

As with every file we touch, keep a backup copy before changing it.
Back the file up (cp), then empty it (echo >) and paste in the following content:
<LDAP>
    # LDAP server URL: change this to the IP address of the AD server
    URL             ldap://
    # Bind DN (If your LDAP server doesn't support anonymous binds)
    # BindDN        uid=Manager,dc=com
    # Change this to the DN of the domain account. You can look it up with ldapsearch:
    # replace the -h value with the server IP, -D with the administrator's DN and
    # -b with the base DN to search under; "*" returns everything.
    # ldapsearch -LLL -x -h -D "administrator@" -W -b "dc=xx,dc=com" "*"
    BindDN          "CN=Administrator,CN=Users,DC=ixmsoft,DC=com"
    # Bind Password
    # Password      SecretPassword
    # the domain administrator's password
    Password        123
    # Network timeout (in seconds)
    Timeout         15
    # Enable Start TLS
    TLSEnable       no
    # Follow LDAP Referrals (anonymously)
    # FollowReferrals yes
    # TLS CA Certificate File
    # TLSCACertFile
    # TLS CA Certificate Directory
    # TLSCACertDir  /etc/ssl/certs
    # Client Certificate and key
    # If TLS client authentication is required
    # TLSCertFile   /usr/local/etc/ssl/client-
    # TLSKeyFile    /usr/local/etc/ssl/client-
    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN: the DN under which users are looked up for authentication
    BaseDN          "OU=IXMSOFTLDAP,DC=com"
    # User Search Filter
    # SearchFilter  "(&(uid=%u)(accountStatus=active))"
    # sAMAccountName=%u takes the sAMAccountName attribute as the login name; the
    # memberof=CN=myvpn,... clause points at the group whose members may use the VPN,
    # so a user only has to be added to that group to get access.
    # SearchFilter  "(&(sAMAccountName=%u)(memberof=CN=myvpn,OU=IXMSOFTLDAP,DC=com))"
    SearchFilter    "(&(sAMAccountName=%u))"
    # Require Group Membership
    RequireGroup    false
    # Add non-group members to a PF table (disabled)
    # PFTable       ips_vpn_users
    <Group>
        # BaseDN        "ou=Groups,dc=com"
        # SearchFilter  "(|(cn=developers)(cn=artists))"
        # MemberAttribute uniqueMember
        # Add group members to a PF table (disabled)
        # PFTable       ips_vpn_eng
        BaseDN          "OU=IXMSOFTLDAP,DC=com"
        SearchFilter    "(|(cn=myvpn))"
        MemberAttribute "member"
    </Group>
</Authorization>

Three things to be aware of before copying this configuration.

TLSEnable no together with a plain ldap:// URL means the bind password and every VPN user's AD password travel to the domain controller unencrypted. Use ldaps:// (port 636), or keep TLSEnable yes and point TLSCACertFile at the CA that issued the domain controller's certificate.

The plugin binds as the built-in Administrator, and that password sits in clear text in this file. A read-only service account is enough for these lookups, and the file should be readable by root only (chmod 600).

With RequireGroup false the <Group> block does not restrict anyone; it is only used for PF tables. As written, the active SearchFilter accepts every account under BaseDN whose sAMAccountName matches the login name. To limit access to the myvpn group, set RequireGroup true or switch to the commented SearchFilter that carries the memberof clause.

Save and exit. Next we also have to modify OpenVPN's own configuration file. The default configuration:
cat /etc/openvpn/
port 1194                     # listening port
proto tcp                     # listening protocol
dev tun                       # routed tunnel
ca                            # path to the CA certificate
cert                          # path to the server certificate
key                           # server private key
dh                            # Diffie-Hellman parameters file
server                        # address pool handed out to clients; must not overlap the VPN server's internal network
ifconfig-pool-persist         # persisted client address assignments
push "route"                  # networks clients are allowed to reach
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"        # DNS servers pushed to clients
push "dhcp-option DNS"
keepalive 10 120              # ping every 10 s; treat the peer as down after 120 s without a reply
#cipher AES-256-CBC
max-clients 100               # maximum number of concurrent clients
#user nobody                  # user to drop privileges to
#group nobody                 # group to drop privileges to
persist-key
persist-tun
status openvpn-
log
verb 5

We need to add the following three parameters to this default configuration:
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth- "/etc/openvpn/auth/ cn=%u"
client-cert-not-required
username-as-common-name

The plugin line loads openvpn-auth-ldap and hands it the path of the configuration file edited above. client-cert-not-required makes the server accept clients that present no certificate at all, so a connecting client only needs the CA certificate plus a valid AD username and password; OpenVPN 2.4 deprecates this directive in favour of verify-client-cert none. If you want the client certificate to remain a second factor, leave the directive out and keep issuing client certificates; auth-user-pass on the client then adds the AD password on top. username-as-common-name makes OpenVPN use the authenticated username instead of the certificate common name in its logs, status file and client-config-dir lookups.

After adding them the result is:
port 1194                     # listening port
proto tcp                     # listening protocol
dev tun                       # routed tunnel
ca                            # path to the CA certificate
cert                          # path to the server certificate
key                           # server private key
dh                            # Diffie-Hellman parameters file
server                        # address pool handed out to clients; must not overlap the VPN server's internal network
ifconfig-pool-persist         # persisted client address assignments
push "route"                  # networks clients are allowed to reach
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"        # DNS servers pushed to clients
push "dhcp-option DNS"
keepalive 10 120              # ping every 10 s; treat the peer as down after 120 s without a reply
#cipher AES-256-CBC
max-clients 100               # maximum number of concurrent clients
#user nobody                  # user to drop privileges to
#group nobody                 # group to drop privileges to
persist-key
persist-tun
status openvpn-
log
verb 5
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth- "/etc/openvpn/auth/ cn=%u"
client-cert-not-required
username-as-common-name

After the change, restart the OpenVPN service:
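To check a deployment like this one for the weak spots noted above, here is an added example written for this page (it is not code from the original article or from the openvpn-auth-ldap project): a small shell lint for the plugin configuration and for server.conf, plus a writer for a hardened ldap.conf. The paths /etc/openvpn/auth/ldap.conf and /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so, the host dc01.ixmsoft.com, the service account CN=svc-openvpn and the full domain DC=ixmsoft,DC=com are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the article or from openvpn-auth-ldap.
# Lints an auth-ldap config and an OpenVPN server.conf for the weak settings
# shown on this page and writes a hardened ldap.conf. Host names, the
# service-account DN and file paths are assumptions for illustration.

# Print one line per finding for an auth-ldap config file.
lint_ldap_conf() {
    f="$1"
    # A plain ldap:// URL with StartTLS off sends bind and user passwords in clear text.
    if grep -qi '^[[:space:]]*URL[[:space:]]*ldap://' "$f" \
       && grep -qi '^[[:space:]]*TLSEnable[[:space:]]*no' "$f"; then
        echo "ldap: ldap:// with TLSEnable no, passwords cross the wire unencrypted"
    fi
    # The built-in Administrator has far more rights than a directory lookup needs.
    if grep -qi '^[[:space:]]*BindDN[[:space:]]*"*CN=Administrator,' "$f"; then
        echo "ldap: BindDN is the built-in Administrator, use a read-only service account"
    fi
    # With RequireGroup false the <Group> block is advisory; only a memberOf clause
    # in the active SearchFilter would still limit who may authenticate.
    if grep -qi '^[[:space:]]*RequireGroup[[:space:]]*false' "$f" \
       && ! grep -qi '^[[:space:]]*SearchFilter.*memberOf=' "$f"; then
        echo "ldap: RequireGroup false and no memberOf in SearchFilter, group is not enforced"
    fi
    # The file holds the bind password, so only root should be able to read it.
    case "$(ls -ld "$f" | cut -c1-10)" in
        -rw-------) ;;
        *) echo "ldap: $f is readable by group or others but contains the bind password" ;;
    esac
}

# Print one line per finding for an OpenVPN server.conf.
lint_server_conf() {
    f="$1"
    if grep -q '^[[:space:]]*client-cert-not-required' "$f"; then
        echo "server: client-cert-not-required drops the certificate factor (deprecated in 2.4, see verify-client-cert none)"
    fi
    # A commented-out user directive leaves the daemon running as root after startup.
    if ! grep -q '^[[:space:]]*user[[:space:]]' "$f"; then
        echo "server: no 'user' directive, daemon keeps root privileges after initialisation"
    fi
}

# Number of findings a lint function produces for a file.
count_findings() { "$1" "$2" | awk 'END { print NR }'; }

# The ldap.conf from this page, reduced to the lines that matter, with the
# permissions a plain "vim" edit typically leaves behind.
write_page_ldap_conf() {
    cat > "$1" <<'EOF'
<LDAP>
    URL ldap://
    BindDN "CN=Administrator,CN=Users,DC=ixmsoft,DC=com"
    Password 123
    TLSEnable no
</LDAP>
<Authorization>
    BaseDN "OU=IXMSOFTLDAP,DC=com"
    #SearchFilter "(&(sAMAccountName=%u)(memberof=CN=myvpn,OU=IXMSOFTLDAP,DC=com))"
    SearchFilter "(&(sAMAccountName=%u))"
    RequireGroup false
</Authorization>
EOF
    chmod 644 "$1"
}

# The server.conf directives this page adds, with user/group left commented as on the page.
write_page_server_conf() {
    printf 'plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf cn=%%u"\nclient-cert-not-required\nusername-as-common-name\n#user nobody\n#group nobody\n' > "$1"
}

# Hardened ldap.conf: LDAPS, a least-privilege bind account, group enforcement and
# a filter that also rejects disabled accounts (ACCOUNTDISABLE is bit 2 of
# userAccountControl; 1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule).
write_hardened_ldap_conf() {
    cat > "$1" <<'EOF'
<LDAP>
    # LDAPS on 636 (assumed host). StartTLS alternative: URL ldap://dc01.ixmsoft.com with TLSEnable yes
    URL             ldaps://dc01.ixmsoft.com
    # Read-only service account, not a Domain Admin (assumed DN)
    BindDN          "CN=svc-openvpn,OU=Service Accounts,DC=ixmsoft,DC=com"
    Password        change-me
    Timeout         15
    TLSEnable       no
    # CA that issued the domain controller's certificate (assumed path)
    TLSCACertFile   /etc/openvpn/auth/ad-ca.pem
</LDAP>
<Authorization>
    BaseDN          "OU=IXMSOFTLDAP,DC=ixmsoft,DC=com"
    SearchFilter    "(&(sAMAccountName=%u)(memberOf=CN=myvpn,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    # Belt and braces: the plugin additionally checks the group's member attribute.
    RequireGroup    true
    <Group>
        BaseDN          "OU=IXMSOFTLDAP,DC=ixmsoft,DC=com"
        SearchFilter    "(cn=myvpn)"
        MemberAttribute member
    </Group>
</Authorization>
EOF
    chmod 600 "$1"
}
```

Run lint_ldap_conf /etc/openvpn/auth/ldap.conf and lint_server_conf /etc/openvpn/server.conf on the live host; an empty result is the goal. The hardened file keeps TLSEnable no only because it uses ldaps:// (TLSEnable means StartTLS, which is for the plain ldap:// port), and it encodes the group both in the user filter and via RequireGroup so that either check alone is enough to refuse an account that was removed from myvpn.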
systemctl restart openvpn@server

After the restart we can test. The client configuration does not need to change, because in the previous article we already added the parameter that makes the client prompt for a username and password (there it was used against local accounts):

auth-user-pass

Below is the client's default configuration. The client now only needs the CA certificate; no other certificates are required. You can paste the CA certificate inline into the ca option, so that with many users you only have to hand out this one file.
client
dev tun
proto tcp
remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca
#cert
#key
verb 5
auth-user-pass

Now we can try logging in with an AD user. The intention of the configuration is that VPN users come from the myvpn group under OU=IXMSOFTLDAP, so we test with the user zs, who is a member of that group. Keep in mind that with RequireGroup false and the memberof clause commented out, as in the ldap.conf above, the plugin only checks that the account exists under BaseDN and that the password is correct; the group itself is not enforced.

The login succeeds. Check the client's IP address and the OpenVPN connection status, then look at the OpenVPN log, which also shows the login completing:
tail -f /etc/openvpn/

What happens if a user who is not in the myvpn group tries to log in? With the configuration as written above (RequireGroup false, no memberof clause in SearchFilter), that user is accepted as well; the group restriction only takes effect once you set RequireGroup true or put the memberof condition back into SearchFilter.
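Whichever way that test comes out, the server log is where you see it, and it is also where a brute-force attempt against the AD passwords now exposed on the VPN port shows up first. The following is an added example for this page (not from the original article): a few shell helpers that pull the authentication results out of OpenVPN log lines. The sample lines are constructed to resemble OpenVPN 2.4 output with openvpn-auth-ldap (peer address prefix, the "Username/Password" messages) and use a hypothetical "AUTH-LDAP:" tag in front of the plugin's own messages; compare the patterns with your real log before relying on them.

```shell
#!/bin/sh
# Added example, not from the article: triage of OpenVPN server log lines for
# username/password authentication results. The sample lines are constructed to
# resemble OpenVPN 2.4 output with openvpn-auth-ldap; the "AUTH-LDAP:" tag and the
# exact plugin wording are assumptions, so check the patterns against your own log.

sample_log() {
    cat <<'EOF'
Tue Jun 13 10:01:03 2017 203.0.113.5:51234 TLS: Username/Password authentication succeeded for username 'zs' [CN SET]
Tue Jun 13 10:02:10 2017 198.51.100.7:40001 AUTH-LDAP: LDAP user "bob" was not found.
Tue Jun 13 10:02:10 2017 198.51.100.7:40001 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Jun 13 10:03:00 2017 203.0.113.9:51300 AUTH-LDAP: Incorrect password supplied for LDAP DN "CN=a,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com".
Tue Jun 13 10:03:00 2017 203.0.113.9:51300 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Jun 13 10:03:04 2017 203.0.113.9:51301 AUTH-LDAP: Incorrect password supplied for LDAP DN "CN=a,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com".
Tue Jun 13 10:03:04 2017 203.0.113.9:51301 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Jun 13 10:03:09 2017 203.0.113.9:51302 AUTH-LDAP: Incorrect password supplied for LDAP DN "CN=a,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com".
Tue Jun 13 10:03:09 2017 203.0.113.9:51302 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Jun 13 10:05:00 2017 203.0.113.5:51400 TLS: Username/Password authentication succeeded for username 'a' [CN SET]
EOF
}

# Usernames that authenticated successfully, one per line, de-duplicated.
succeeded_users() {
    sed -n "s/.*authentication succeeded for username '\([^']*\)'.*/\1/p" | sort -u
}

# Number of rejected username/password attempts.
failed_count() {
    awk '/Username\/Password verification failed/ { n++ } END { print n + 0 }'
}

# Login names the directory does not know (typos, or someone enumerating accounts).
unknown_users() {
    sed -n 's/.*LDAP user "\([^"]*\)" was not found.*/\1/p' | sort -u
}

# Peer addresses with at least $1 rejected attempts (default 3), busiest first:
# a cheap brute-force indicator. Field 6 is "ip:port"; the port is stripped.
brute_force_sources() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /Username\/Password verification failed/ {
            sub(/:[0-9]+$/, "", $6); n[$6]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' \
    | sort -rn | awk '{ print $2 }'
}
```

On the live host these read from tail -f or from the rotated log file, for example `brute_force_sources 10 < /var/log/openvpn.log` (assumed path). A source that repeatedly fails against the same LDAP DN is the pattern to alert on, because with client certificates disabled the VPN port is now a password-guessing interface into AD and each guess counts against that account's lockout policy.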
To query AD directly from the OpenVPN host, install the OpenLDAP client tools:

yum install -y openldap-clients

After that, ldapsearch can be used for testing. The parameters used here: -b sets the search base, -D the account to bind as, -x selects a simple bind, -W prompts for the bind password and -h names the server (newer OpenLDAP releases prefer -H ldap://host):

ldapsearch -x -W -D "cn=administrator,cn=users,dc=ixmsoft,dc=com" -b "dc=ixmsoft,dc=com" -h -s one dn -LLL
ldapsearch -x -W -D "cn=administrator,dc=com" -h
ldapsearch -x -W -D "cn=administrator,dc=com" -b "ou=ixmsoftldap,dc=com" -h

When you run one of these you are prompted for the domain administrator's password; after entering it the results are printed:
[root@openvpn ~]# ldapsearch -x -W -D "cn=administrator,dc=com" -h
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=ixmsoftldap,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# IXMSOFTLDAP
dn: OU=IXMSOFTLDAP,DC=com
objectClass: top
objectClass: organizationalUnit
ou: IXMSOFTLDAP
distinguishedName: OU=IXMSOFTLDAP,DC=com
instanceType: 4
whenCreated:
whenChanged:
uSNCreated: 12814
uSNChanged: 84683
name: IXMSOFTLDAP
objectGUID:: cMItf70U20qyaLdCfU+LoA==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=com
dSCorePropagationData:
dSCorePropagationData:
dSCorePropagationData:
dSCorePropagationData:
dSCorePropagationData:

# gavin, IXMSOFTLDAP
dn: CN=gavin,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: gavin
distinguishedName: CN=gavin,DC=com
instanceType: 4
whenCreated:
whenChanged:
displayName: gavin
uSNCreated: 12834
memberOf: CN=Domain Admins,DC=com
memberOf: CN=Enterprise Admins,DC=com
memberOf: CN=Schema Admins,DC=com
uSNChanged: 83107
name: gavin
objectGUID:: EoJ2j0/CEEahljdqlm3M8Q==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131223940286681367
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOCMw/wTwQAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: gavin
sAMAccountType: 805306368
userPrincipalName: gavin@
objectCategory: CN=Person,DC=com
dSCorePropagationData:
dSCorePropagationData:
dSCorePropagationData:
dSCorePropagationData:

# a
dn: CN=a,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: a
distinguishedName: CN=a,DC=com
instanceType: 4
whenCreated:
whenChanged:
displayName: a
uSNCreated: 76250
memberOf: CN=openvpnuser,DC=com
memberOf: CN=openvpn,OU=vpn,DC=com
memberOf: CN=myvpn,DC=com
uSNChanged: 84656
proxyAddresses: SMTP:a@
name: a
objectGUID:: UG7KmwzOpE+eCEQCIXYirg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 131259971048958897
pwdLastSet: 131273684370053522
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOCMw/weQQAAA==
accountExpires: 9223372036854775807
logonCount: 125
sAMAccountName: a
sAMAccountType: 805306368
showInAddressBook: CN=Mailboxes(VLV),CN=All System Address Lists,CN=Address Lists Container,CN=ixmsoft,CN=Microsoft Exchange,CN=Services,DC=ixmsoft,DC=com
showInAddressBook: CN=All Mailboxes(VLV),CN=Address Lists Container,CN=Configuration,DC=com
showInAddressBook: CN=All Recipients(VLV),CN=Address Lists Container,CN=Configuration,DC=com
showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=Configuration,DC=com
showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Container,DC=com
legacyExchangeDN: /o=ixmsoft/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=f7a926c52baa45ac83d487105a17abb5-a
userPrincipalName: a@
objectCategory: CN=Person,DC=com
dSCorePropagationData:
lastLogonTimestamp: 131259433371916627
uid: a
mail: a@
mailNickname: a
msExchPoliciesIncluded: cfdf87af-dd7f-4a7b-85e4-e0ba077efe78
msExchPoliciesIncluded: {26491cfc-9e50-4857-861b-0cb8df22b5d7}
msExchCalendarLoggingQuota: 6291456
msExchRecipientDisplayType: 1073741824
mDBUseDefaults: TRUE
msExchTextMessagingState: 302120705
msExchTextMessagingState: 16842751
msExchArchiveQuota: 104857600
msExchMailboxGuid:: ii4VjsET5kqpVJcdHpSOhg==
homeMDB: CN=Mailbox Database 1277431463,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Microsoft Exchange,DC=com
msExchUserCulture: zh-CN
msExchRecipientTypeDetails: 1
msExchMailboxSecurityDescriptor:: AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABQoAAAABAQAAAAAABQoAAAAEABwAAQAAAAACFAABAAIAAQEAAAAAAAUKAAAA
msExchUserAccountControl: 0
msExchUMDtmfMap: emailAddress:2
msExchUMDtmfMap: lastNameFirstName:2
msExchUMDtmfMap: firstNameLastName:2
msExchWhenMailboxCreated:
msExchHomeServerName: /o=ixmsoft/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EX01
msExchDumpsterQuota: 31457280
msExchDumpsterWarningQuota: 20971520
msExchVersion: 88218628259840
msExchRBACPolicyLink: CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN=ixmsoft,DC=com
msExchArchiveWarnQuota: 94371840

# myvpn
dn: CN=myvpn,DC=com
objectClass: top
objectClass: group
cn: myvpn
description: opvpn_group
member: CN=zs,DC=com
member: CN=a,DC=com
distinguishedName: CN=myvpn,DC=com
instanceType: 4
whenCreated:
whenChanged:
uSNCreated: 84617
uSNChanged: 84692
name: myvpn
objectGUID:: iCieup3yF0CcvkrZ5K4owQ==
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOCMw/wewQAAA==
sAMAccountName: myvpn
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,DC=com
dSCorePropagationData:
dSCorePropagationData:

# zs
dn: CN=zs,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: zs
distinguishedName: CN=zs,DC=com
instanceType: 4
whenCreated:
whenChanged:
displayName: zs
uSNCreated: 84685
memberOf: CN=myvpn,DC=com
uSNChanged: 84707
name: zs
objectGUID:: aGJRtfM4BkqcoXKrRtKeFQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 131273840680565017
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOCMw/wfwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: zs
sAMAccountType: 805306368
userPrincipalName: zs@
objectCategory: CN=Person,DC=com
dSCorePropagationData:
dSCorePropagationData:

# sqladmin
dn: CN=sqladmin,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: sqladmin
distinguishedName: CN=sqladmin,DC=com
instanceType: 4
whenCreated:
whenChanged:
displayName: sqladmin
uSNCreated: 14261
uSNChanged: 83109
name: sqladmin
objectGUID:: /orLK52ZskWhDhcGqz1k5A==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 131224606337808745
lastLogoff: 0
lastLogon: 131225414441612134
pwdLastSet: 131224588326777247
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAF+vK5x9VEfOCMw/wVQQAAA==
accountExpires: 9223372036854775807
logonCount: 48
sAMAccountName: sqladmin
sAMAccountType: 805306368
userPrincipalName: sqladmin@
objectCategory: CN=Person,DC=com
dSCorePropagationData:
dSCorePropagationData:
lastLogonTimestamp: 131224588677494199

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
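The dump above shows what the plugin actually has to work with: sAMAccountName for the login name, memberOf on the user and member on the group for the myvpn check, and userAccountControl (512 for gavin, zs and sqladmin, 66048 for a) for the account state. As an added example for this page (not code from the original article or from openvpn-auth-ldap), here are shell helpers for reproducing the plugin's query by hand with a properly escaped login name, asking the membership question from both sides, and decoding userAccountControl. The host dc01.ixmsoft.com, the service account CN=svc-openvpn and the full domain DC=ixmsoft,DC=com are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the article: helpers for checking by hand what the
# plugin does with a login name, using the ldapsearch output above as reference.
# Server, bind DN and the full domain DN are assumptions for illustration.

BASE_DN='OU=IXMSOFTLDAP,DC=ixmsoft,DC=com'
VPN_GROUP_DN='CN=myvpn,OU=IXMSOFTLDAP,DC=ixmsoft,DC=com'
BIND_DN='CN=svc-openvpn,OU=Service Accounts,DC=ixmsoft,DC=com'

# RFC 4515 escaping for a value placed inside an LDAP filter. The login name a
# VPN user types is what %u stands for; when you replicate the query by hand,
# escape it the same way so a name like 'zs)(cn=*' cannot widen the search.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The user filter with the group condition that the page left commented out.
user_filter() {
    printf '(&(sAMAccountName=%s)(memberOf=%s))' "$(ldap_filter_escape "$1")" "$VPN_GROUP_DN"
}

# The same membership question asked from the group side, for cross-checking:
# AD stores membership in the group's member attribute and mirrors it to memberOf.
group_filter() {
    printf '(&(objectClass=group)(cn=myvpn)(member=%s))' "$(ldap_filter_escape "$1")"
}

# Print (do not run) the ldapsearch command for a login name. -H replaces the
# older -h form used above; -LLL strips LDIF comments so output is easy to diff.
ldapsearch_cmd() {
    printf "ldapsearch -LLL -x -H ldaps://dc01.ixmsoft.com -D '%s' -W -b '%s' '%s' dn memberOf userAccountControl\n" \
        "$BIND_DN" "$BASE_DN" "$(user_filter "$1")"
}

# Decode a userAccountControl value into flag names, lowest bit first.
uac_flags() {
    v="$1"; out=""
    for pair in SCRIPT:1 ACCOUNTDISABLE:2 LOCKOUT:16 PASSWD_NOTREQD:32 \
                NORMAL_ACCOUNT:512 DONT_EXPIRE_PASSWORD:65536 \
                SMARTCARD_REQUIRED:262144 TRUSTED_FOR_DELEGATION:524288 \
                NOT_DELEGATED:1048576 USE_DES_KEY_ONLY:2097152 \
                DONT_REQ_PREAUTH:4194304 PASSWORD_EXPIRED:8388608; do
        name="${pair%%:*}"; bit="${pair##*:}"
        if [ $(( v & bit )) -ne 0 ]; then out="$out $name"; fi
    done
    printf '%s\n' "${out# }"
}

# True for a normal account that is not disabled: the client-side twin of the
# (!(userAccountControl:1.2.840.113556.1.4.803:=2)) filter clause.
account_usable() {
    v="$1"
    [ $(( v & 512 )) -ne 0 ] && [ $(( v & 2 )) -eq 0 ]
}
```

uac_flags 66048 prints NORMAL_ACCOUNT DONT_EXPIRE_PASSWORD, which is worth knowing about account a: a VPN account whose password never expires is exactly the kind that survives a leak. Run the printed ldapsearch command as the service account, not as Administrator, so that the test exercises the same permissions the plugin will have.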