OpenVPN auth-user-pass to Active Directory

I believe I have a working configuration for performing auth-user-pass validation against Active Directory.

I was, shall we say, inspired by these references:

This was tested against a Samba domain, but I believe it should work the same with proper Microsoft Active Directory. Here’s the I came up with:

searchUserPW="password for openvpn account"

RES=$(echo "$username $password" | /usr/lib/squid/basic_ldap_auth -R -b $searchDN -D $searchUser -w $searchUserPW -f sAMAccountName=%s -h $LDAPHost)

if [ $RES = "OK" ]
 exit 0
 exit 1

Note: For best security, the -w switch should really be a -W and have a path to a password file, as described here: Configuring a Squid Server to authenticate against Active Directory via Kerberos | Squid Web Cache wiki

Also Note: For this to work specifically with Samba, I also had to tell Samba to not require strong auth security by adding this directive to the /etc/samba/smb.conf file, in the global section:
ldap server require strong auth = No

1 Like