OpenVPN - authentication against active directory
-
Hi,
I have implemented a VPN solution based on OpenVPN with shared key security. I would like to add authentication against Active Directory (Internet Authentication Service). I know that LDAP authentication is planned to be part of version 1.3. Nevertheless, I have seen some posts which describe some workarounds.
Is there anything someone can recommend?
BTW, is the OpenVPN version in pfSense the same as the latest OpenVPN version at www.openvpn.org?
Thanks for any help,
Ariel
-
Did you read this sticky?:
http://forum.pfsense.org/index.php/topic,4105.0.html
This is for use with FreeRADIUS.
http://openvpn.net/howto.html#auth
If you search with Google, I'm sure you'll find more info on how to set up authentication against LDAP.
-
Did you read this sticky?:
http://forum.pfsense.org/index.php/topic,4105.0.html
This is for use with FreeRADIUS.
I just completed this setup as described in the sticky. My eventual goal is to change the settings in the PAM file to an internal Windows RADIUS server authenticating directly from our Active Directory. Is this possible or as simple as I'd like it to be, or am I stuck doing something like the link below if I want VPN users to authenticate with AD?
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
-
Well, why use the FreeRADIUS PAM module when you could directly use an LDAP module?
Something like this:
http://code.google.com/p/openvpn-auth-ldap/
-
That looks fantastic if I can make it work, thanks very much.
-
Well, why use the FreeRADIUS PAM module when you could directly use an LDAP module?
Something like this:
http://code.google.com/p/openvpn-auth-ldap/
I have looked at it and I am unfortunately not very familiar with compile issues. Is there an already compiled version for FreeBSD which I can download and configure?
-
Hi,
Finally I found the relevant packages for the LDAP authentication and installed them. Unfortunately, the plugin does not load up due to a missing library which indeed does not reside on my installation.
I have seen similar behavior described in the forum and the recommendation was to reinstall OpenVPN.
My question is: if I reinstall OpenVPN (pkg_add -r openvpn), do I lose my current OpenVPN configuration?
In addition, I would like to know if there are any differences regarding security between the RADIUS implementation and the LDAP implementation.
Thanks in advance
Ariel