Skip to main content

An auth verify script for OpenVPN to authenticate via LDAP.

Project description

Python OpenVPN LDAP Auth

PyPI license PyPI status PyPI version shields.io PyPI pyversions main build status

An auth verify script for OpenVPN to authenticate via LDAP. Each VPN login is forwarded to this script and the script in turn attempts a simple bind against the specified LDAP server. When the bind is successful the script returns exit code 0 telling OpenVPN that the credentials are valid.

Although there already is the openvpn-auth-ldap plugin I felt the need to write this auth script. First the source code is more accessible due to it being written in Python. Second it offers more possibilities regarding OpenVPN's static-challenge parameter (see below).

The downsides of using a script instead of a C-plugin are less performance and slightly reduced security. If you are fine with that go ahead.

Quickstart

Install the package via pip:

pip install openvpn-ldap-auth

Then create /etc/openvpn/ldap.yaml:

ldap:
  url: 'ldaps://first.ldap.tld:636/ ldaps://second.ldap.tld:636/'
  bind_dn: 'uid=readonly,dc=example,dc=org'
  password: 'somesecurepassword'
  timeout: 5 # (optional) wait this many seconds for connection and response
authorization:
  base_dn: 'ou=people,dc=example,dc=org'
  search_filter: '(uid={})' # optional, {} will be replaced with the username
  static_challenge: 'ignore' # optional, other values are prepend, append 

Find out where openvpn-ldap-auth lives:

which openvpn-ldap-auth

Add the following line to your OpenVPN server configuration:

script-security 2
auth-user-pass-verify /path/to/openvpn-ldap-auth via-file

Now you can start your OpenVPN server and try to connect with a client.

Installation

Single Executable

For those who wish to sacrifice a little more performance for not having to install or compile a Python interpreter or you just want to quickly try the script out this option might be interesting. Each release also has executables attached to it: openvpn-ldap-auth-<distro>-<distro-version>-<arch>. They are created via PyInstaller on the respective Linux distro, version and architecture. They might also work on other distros provided they use the same or a later libc version that the distro uses.

Important: /tmp must not be read only.

From Source

Download or clone this repository, cd into it and run

pip install poetry
poetry install --no-dev
poetry build
pip install --upgrade --find-links=dist openvpn-ldap-auth

Exchange pip with pip3 if applicable.

Configuration

Static Challenge

If you want users to provide a normal password combined with a one-time-password OpenVPN's static-challenge parameter is what you are looking for.

In the client configuration you need to add a line like

static-challenge "Enter OTP" 1 # use 0 if the OTP should not be echoed

When connecting you will now be prompted for your password and your OTP. By setting authorization.static_challenge you can now influence how the OTP is used:

  • ignore (default): Just use the password for binding.
  • prepend: Prepend the OTP to your password and use that for binding.
  • append: Append the OTP to your password and use that for binding.

The last two options are useful if your LDAP server offers internal 2FA validation like oath-ldap.

Using via-env

In the server configuration the following alternative setting is also supported but discouraged:

auth-user-pass-verify /path/to/openvpn-ldap-auth via-env

OpenVPN's manpage about that topic:

If method is set to "via-env", OpenVPN will call script with the environmental variables username and password set to the username/password strings provided by the client. Be aware that this method is insecure on some platforms which make the environment of a process publicly visible to other unprivileged processes.

If you still want to use via-env make sure to set script-security to 3.

Running Tests

First make sure to install Docker with docker-compose and tox. Then run

tox

To run a specific Python-OpenVPN combination run something like

tox -e python38-openvpn25

To see a full list of current environment see the tool.tox section in pyproject.toml.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

openvpn_ldap_auth-0.1.7.tar.gz (6.8 kB view details)

Uploaded Source

Built Distribution

openvpn_ldap_auth-0.1.7-py3-none-any.whl (7.2 kB view details)

Uploaded Python 3

File details

Details for the file openvpn_ldap_auth-0.1.7.tar.gz.

File metadata

  • Download URL: openvpn_ldap_auth-0.1.7.tar.gz
  • Upload date:
  • Size: 6.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.2 CPython/3.12.2 Linux/6.5.0-1016-azure

File hashes

Hashes for openvpn_ldap_auth-0.1.7.tar.gz
Algorithm Hash digest
SHA256 67855e0b713dfc3cbc2cca400665e0d26c0121d5e387479b0ab35ff0b715e7d5
MD5 83ef91c881845fe9152c04aa33bb8b76
BLAKE2b-256 b0d7f90e3f88097c2df5ac36b6da5ae40d39e679f93632467cfe9b4e51a7965b

See more details on using hashes here.

File details

Details for the file openvpn_ldap_auth-0.1.7-py3-none-any.whl.

File metadata

  • Download URL: openvpn_ldap_auth-0.1.7-py3-none-any.whl
  • Upload date:
  • Size: 7.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.2 CPython/3.12.2 Linux/6.5.0-1016-azure

File hashes

Hashes for openvpn_ldap_auth-0.1.7-py3-none-any.whl
Algorithm Hash digest
SHA256 339f216a4089e4015d9e6e35841859b3e8334381f84806ef6c6f2af2fb39b235
MD5 e6db89140ac57d70f2cc0be82dcc433d
BLAKE2b-256 5644f6c1a294c96f5e3672deb9da041f4bdf6a267fa56db86bdd1449fba174f3

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page