I believe I have a working configuration for performing auth-user-pass validation against Active Directory.
I was, shall we say, inspired by these references:
This was tested against a Samba domain, but I believe it should work the same with proper Microsoft Active Directory. Here’s the ovpnldapauth.sh I came up with:
#!/bin/bash
# OpenVPN auth-user-pass-verify hook, "via-env" style: OpenVPN supplies the
# client's credentials in the $username and $password environment variables
# (this needs script-security 3 in the OpenVPN server config).
searchDN="dc=samba,dc=lan"
searchUser="openvpn@samba.lan"
searchUserPW="password for openvpn account"
LDAPHost="xxx.xxx.xxx.xxx"
# The Squid helper binds as the service account, searches for the user by
# sAMAccountName, then binds as that user with the supplied password and
# prints OK on success or ERR (optionally followed by a message) on failure.
RES=$(echo "$username $password" | /usr/lib/squid/basic_ldap_auth -R -b "$searchDN" -D "$searchUser" -w "$searchUserPW" -f sAMAccountName=%s -h "$LDAPHost")
# $RES is quoted so an empty helper answer (e.g. server unreachable) is a
# clean failure rather than a test syntax error.
if [ "$RES" = "OK" ]
then
exit 0
else
exit 1
fi
Note: For best security, the -w switch should really be a -W and have a path to a password file, as described here: Configuring a Squid Server to authenticate against Active Directory via Kerberos | Squid Web Cache wiki
Also Note: For this to work specifically with Samba, I also had to tell Samba to not require strong auth security by adding this directive to the /etc/samba/smb.conf file, in the global section:
ldap server require strong auth = No
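A hardened variant of the hook above, added here as an example and not the poster's script. It keeps the same variable names and the same basic_ldap_auth call, but reads the bind password from a root-only file with -W (as the note above recommends), refuses empty credentials, URL-encodes the username and password before handing them to the helper (Squid basic auth helpers receive the pair on one line, URL-encoded, and unescape it themselves, so a password containing a space or a percent sign would otherwise be mangled), and only treats a first token of exactly OK as success. It assumes OpenVPN runs it with auth-user-pass-verify and via-env plus script-security 3, so $username and $password come from the environment; the file path /etc/openvpn/ldap-bind.pw is an assumption. As in the post, the connection to -h is plain LDAP, which is why Samba had to allow non-strong auth; the simple bind sends the password in the clear on the wire, so on a real network check whether your helper build supports -Z (StartTLS) and enable it.

```shell
#!/bin/sh
# Added example: hardened OpenVPN auth-user-pass-verify hook using
# Squid's basic_ldap_auth. Not the original poster's script.
set -u

searchDN="dc=samba,dc=lan"
searchUser="openvpn@samba.lan"
searchUserPWFile="/etc/openvpn/ldap-bind.pw"   # assumed path; mode 0600, one line
LDAPHost="xxx.xxx.xxx.xxx"
helper="/usr/lib/squid/basic_ldap_auth"

# Percent-encode every byte outside [A-Za-z0-9._~-], one byte at a time.
# The Squid basic helper protocol carries "user pass" URL-encoded on one
# line, so this keeps spaces and '%' in a password intact.
urlencode() (
    export LC_ALL=C          # subshell: byte-wise processing, no leakage
    s=$1; i=1
    while [ "$i" -le "${#s}" ]; do
        c=$(printf '%s' "$s" | cut -c "$i")
        case "$c" in
            [A-Za-z0-9._~-]) printf '%s' "$c" ;;
            *) printf '%%%02X' "$(( $(printf '%d' "'$c") & 255 ))" ;;
        esac
        i=$((i + 1))
    done
)

# Classify one line of helper output. Only an exact first token of "OK"
# is success; "ERR <message>" or an empty answer (helper crashed, server
# unreachable) is a failure.
helper_says_ok() (
    set -f                   # no globbing while splitting on whitespace
    set -- $1
    [ "${1-}" = "OK" ]
)

# Check one username/password pair against the directory. Returns 0 if
# the directory accepted the bind as that user, 1 otherwise.
ldap_check() {
    user=$1; pass=$2
    # An empty password would turn the user bind into an LDAP
    # unauthenticated bind; refuse it here rather than rely on the helper.
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    res=$(printf '%s %s\n' "$(urlencode "$user")" "$(urlencode "$pass")" |
        "$helper" -R -b "$searchDN" -D "$searchUser" -W "$searchUserPWFile" \
            -f '(sAMAccountName=%s)' -h "$LDAPHost")
    helper_says_ok "$res"
}

# Act as the OpenVPN hook only when OpenVPN has exported $username
# (via-env); this lets the functions above be exercised on their own.
if [ -n "${username+set}" ]; then
    ldap_check "$username" "${password-}" && exit 0
    exit 1
fi
```

Install it as /etc/openvpn/ovpnldapauth.sh (root-owned, mode 0700) and point auth-user-pass-verify at it with via-env; the bind password file must be readable only by the user OpenVPN runs the script as. The encoding and verdict parsing are plain functions, so they can be checked from an interactive shell without a directory server by sourcing the file.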