OpenVPN with client certificate verification + LDAP authentication

Hello!

I tried to get OpenVPN to authenticate against AD following the manual here: OpenVPN auth-user-pass to Active Directory

When configured as documented the first error you run into is
Options error: --auth-user-pass-verify script fails with '/var/ipfire/ovpnldapauth.sh': No such file or directory (errno=2)

This seems to be correctable by changing:
auth-user-pass-verify /var/ipfire/`ovpnldapauth`.sh via-env
to
auth-user-pass-verify /var/ipfire/ovpnldapauth.sh via-env

resulting in:
openvpnserver[4686]: auth_user_pass_verify_script = '/var/ipfire/ovpnldapauth.sh'

The next hurdle is that the OVPN authentication script is missing the closing round brackets in the RES call. The script itself also needs some small optimizations: the search user and password should be surrounded by quotation marks to allow spaces in the DN and password, otherwise you run into “Too many arguments”.

Also, the user of the script must be nobody, otherwise OpenVPN seems to be unable to call the script, which leads to using -W and moving the password for the binding user over to another file.

I edited the wiki with my findings. Would any of you mind checking whether everything is correct?

Thanks,
Alex

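For readers who want to see the pieces Alex describes (the via-env call, quoting of DNs and passwords, and the bind password kept in a separate file) put together, here is an added example of an auth-user-pass-verify script. It is not the wiki's script or anything posted in this thread; the LDAP URI, search base, service-account DN and password-file path are placeholders. Because ldapsearch's -W prompts interactively, this example reads the service-account password with -y passwdfile instead, and it reads the user's own password the same way so it never appears on a command line.

```shell
#!/bin/bash
# Added example of an OpenVPN auth-user-pass-verify script (not the wiki's
# script). OpenVPN invokes it via
#   script-security 2
#   auth-user-pass-verify /var/ipfire/ovpnldapauth.sh via-env
# and with "via-env" the client's credentials arrive in $username / $password.
# Exit 0 = accept, anything else = reject.
#
# Assumptions (placeholders, not from the original post): the LDAP URI, the
# search base, the service-account DN and the path of its password file.
# The password file must be readable by the account OpenVPN runs the script
# as (nobody in the thread's setup), e.g. chown nobody:nobody + chmod 400.

LDAP_URI="${LDAP_URI:-ldap://dc.example.local}"
LDAP_BASE="${LDAP_BASE:-DC=example,DC=local}"
BIND_DN="${BIND_DN:-CN=openvpn svc,OU=Service Accounts,DC=example,DC=local}"
BIND_PW_FILE="${BIND_PW_FILE:-/var/ipfire/ovpnldap.pw}"
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"   # overridable so the logic can be exercised offline

# Refuse usernames carrying LDAP filter metacharacters (RFC 4515: ( ) * \)
# instead of trying to escape them; a sAMAccountName never needs them.
valid_username() {
  case "$1" in
    ''|*[\(\)\*]*|*\\*) return 1 ;;
    *) return 0 ;;
  esac
}

# Step 1: bind as the service account and resolve the user's DN.
# Every DN and the password-file path are quoted, so spaces in the DN
# (the thread's "Too many arguments" problem) are harmless.
lookup_dn() {
  "$LDAPSEARCH" -LLL -H "$LDAP_URI" -x -D "$BIND_DN" -y "$BIND_PW_FILE" \
      -b "$LDAP_BASE" "(&(objectClass=user)(sAMAccountName=$1))" dn 2>/dev/null \
    | sed -n 's/^dn: //p' | head -n 1
}

# Step 2: prove the password by binding as the user's own DN.
# The password goes through a 0600 temp file (-y), never the command line.
check_password() {
  local dn="$1" pw="$2" tmp rc=0
  [ -n "$pw" ] || return 1        # empty password = anonymous bind, never a success
  tmp=$(mktemp) || return 1
  chmod 600 "$tmp"
  printf '%s' "$pw" > "$tmp"
  "$LDAPSEARCH" -LLL -H "$LDAP_URI" -x -D "$dn" -y "$tmp" \
      -b "$dn" -s base dn >/dev/null 2>&1 || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Glue: returns 0 only if the user exists and the password binds.
ovpn_auth() {
  local user="$1" pw="$2" dn
  valid_username "$user" || { echo "ovpnldapauth: bad username" >&2; return 1; }
  dn=$(lookup_dn "$user")
  [ -n "$dn" ] || { echo "ovpnldapauth: unknown user '$user'" >&2; return 1; }
  check_password "$dn" "$pw" || { echo "ovpnldapauth: bind failed for $dn" >&2; return 1; }
  return 0
}

# Entry point when OpenVPN runs the script with via-env.
if [ -n "${username:-}" ]; then
  ovpn_auth "$username" "${password:-}"
  exit $?
fi
```

The two-step bind (service account resolves the DN, then the user's own DN is bound) is what makes the password check meaningful: a successful search alone only proves the service account's credentials. Rejecting filter metacharacters up front keeps a client-supplied username from rewriting the search filter.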

It’s been a very long while since I was even thinking about this. I don’t currently have the set up to test, but the wiki page you made looks amazing. I’m sorry that my script caused difficulties for you. It’s been so long, I can’t even begin to justify why I did anything.

Without you, Greg, I would not have been able to get it running in the first instance. I really appreciate your pioneering here. I will replicate the installation on other systems and maybe fiddle with the password file to get this incorporated and documented as well. At the moment I am struggling with VTI and routing without NAT; let's see, maybe I will update another manual soon :)

Cheers,
Alex
