Merge pull request #31 from wheelybird/cacert_fix
Cacert fix
wheelybird authored Mar 9, 2020
2 parents dfc1412 + 0f9e2d7 commit fa8b91a
Showing 3 changed files with 14 additions and 4 deletions.
7 changes: 4 additions & 3 deletions README.md
Expand Up @@ -30,9 +30,10 @@ Configuration is via environmental variables. Here's a list, along with the def
* `LDAP_BIND_USER_PASS` (_undefined_): The password for the bind user.
* `LDAP_FILTER` (_undefined_): A filter to apply to LDAP lookups. This allows you to limit the lookup results and thereby who will be authenticated. e.g. `(memberOf=cn=staff,cn=groups,cn=accounts,dc=example,dc=org)`. See [Filtering](#Filtering) for more information.
* `LDAP_LOGIN_ATTRIBUTE` (uid): The LDAP attribute used for the authentication lookup, i.e. which attribute is matched to the username when you log into the OpenVPN server.
* `LDAP_TLS` (false): Set to 'true' to enable a TLS connection to the LDAP server.
* `LDAP_ENCRYPT_CONNECTION` (off): Options: `on|starttls|off`. This sets the 'ssl' option in nslcd. `on` will connect to the LDAP server over TLS (SSL). `starttls` will initially connect unencrypted and negotiate a TLS connection if one is available. `off` will disable SSL/TLS.
* `LDAP_TLS` (false): Changes (overrides) `LDAP_ENCRYPT_CONNECTION` to `starttls` (this setting is for backwards-compatibility with previous versions).
* `LDAP_TLS_VALIDATE_CERT` (true): Set to 'true' to ensure the TLS certificate can be validated. 'false' will ignore certificate issues - you might need this if you're using a self-signed certificate and not passing in the CA certificate.
* `LDAP_TLS_CA_CERT` (_undefined_): The contents of the CA certificate file for the LDAP server. You'll need this to enable TLS if using self-signed certificates.
* `LDAP_TLS_CA_CERT` (_undefined_): The contents of the CA certificate file for the LDAP server. You'll need this to enable TLS when using self-signed certificates.

* `ACTIVE_DIRECTORY_COMPAT_MODE` (false): Sets `LDAP_LOGIN_ATTRIBUTE` to `sAMAccountName` and `LDAP_FILTER` to `(objectClass=user)`, which allows LDAP lookups to work with Active Directory. This will override any value you've manually set for those settings.

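Review bot: the `LDAP_TLS_CA_CERT` entry should state what is trusted when the variable is left unset, since `setup_ldap.sh` in this same commit now falls back to `tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt`; readers currently cannot tell from the README whether validation works at all without supplying a CA. Two smaller doc points: the `LDAP_TLS` entry should say plainly that it is deprecated and that setting it to `true` replaces whatever `LDAP_ENCRYPT_CONNECTION` was given (including `on`), and the `LDAP_TLS_VALIDATE_CERT` entry should spell out that `false` disables certificate checking entirely, so the bind password is then exposed to anyone who can intercept the connection, rather than describing it only as ignoring "certificate issues".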
Expand Down Expand Up @@ -72,7 +73,7 @@ docker run \
-e "LDAP_URI=ldap://ldap.mycompany.com" \
-e "LDAP_BASE_DN=dc=mycompany,dc=com" \
--cap-add=NET_ADMIN \
wheelybird/openvpn-ldap-otp:v1.1
wheelybird/openvpn-ldap-otp:v1.2
```

* `--cap-add=NET_ADMIN` is necessary; the container needs to create the tunnel device and create iptable rules.
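Review bot: the quick-start example still omits `LDAP_ENCRYPT_CONNECTION`, and with the new default of `off` in `set_defaults.sh` this sends the `LDAP_BIND_USER_PASS` bind and every user's password lookup in cleartext to `ldap.mycompany.com`. Suggest adding `-e "LDAP_ENCRYPT_CONNECTION=starttls" \` to the example (or an `ldaps://` URI with `on`) and a one-line note beside the `--cap-add=NET_ADMIN` bullet that the default is unencrypted, so the copy-paste path is the safe one.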
5 changes: 5 additions & 0 deletions files/configuration/set_defaults.sh
Expand Up @@ -47,7 +47,9 @@ if [ "${DEBUG}x" == "x" ]; then export DEBUG="false";
if [ "${LOG_TO_STDOUT}x" == "x" ]; then export LOG_TO_STDOUT="true"; fi
if [ "${ENABLE_OTP}x" == "x" ]; then export ENABLE_OTP="false"; fi
if [ "${LDAP_LOGIN_ATTRIBUTE}x" == "x" ]; then export LDAP_LOGIN_ATTRIBUTE="uid"; fi
if [ "${LDAP_ENCRYPT_CONNECTION}x" == "x" ]; then export LDAP_ENCRYPT_CONNECTION="off"; fi
if [ "${LDAP_TLS}x" == "x" ]; then export LDAP_TLS="false"; fi
if [ "${LDAP_TLS}" == 'true' ]; then export LDAP_ENCRYPT_CONNECTION="starttls"; fi
if [ "${LDAP_TLS_VALIDATE_CERT}x" == "x" ]; then export LDAP_TLS_VALIDATE_CERT="true"; fi
if [ "${KEY_LENGTH}x" == "x" ]; then export KEY_LENGTH="2048"; fi
if [ "${FAIL2BAN_ENABLED}x" == "x" ]; then export FAIL2BAN_ENABLED="false"; fi
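Review bot: the `LDAP_TLS` override on the new line `if [ "${LDAP_TLS}" == 'true' ]; then export LDAP_ENCRYPT_CONNECTION="starttls"; fi` runs unconditionally, so a deployment that sets both `LDAP_TLS=true` (from an old env file) and `LDAP_ENCRYPT_CONNECTION=on` is silently downgraded from LDAPS to STARTTLS. Suggest applying the compatibility override only when the new variable was not explicitly provided, e.g. `if [ "${LDAP_TLS}" == 'true' ] && [ "${LDAP_ENCRYPT_CONNECTION}" == "off" ]; then ...` placed after the default assignment, or testing `"${LDAP_ENCRYPT_CONNECTION}x" == "x"` before the default is set. Also worth validating the value here (`on|starttls|off`) and exiting with an error otherwise, since the consumer in `setup_ldap.sh` treats any unrecognised value as no encryption.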
Expand All @@ -60,3 +62,6 @@ if [ "$LOG_TO_STDOUT" == "true" ]; then
else
LOG_FILE="${LOG_DIR}/openvpn.log"
fi



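Review bot: this hunk only appends three empty lines after the final `fi`; drop them so the file keeps a single trailing newline and the diff stays limited to the functional change.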
6 changes: 5 additions & 1 deletion files/configuration/setup_ldap.sh
Expand Up @@ -16,8 +16,10 @@ ldap_version 3
EoLDAP

if [ "${LDAP_TLS}" == "true" ] ; then
if [ "${LDAP_ENCRYPT_CONNECTION}" == "starttls" ] ; then
echo "ssl start_tls" >> $LDAP_CONFIG
elif [ "${LDAP_ENCRYPT_CONNECTION}" == "on" ] ; then
echo "ssl on" >> $LDAP_CONFIG
fi

if [ "${LDAP_TLS_VALIDATE_CERT}" == "false" ] ; then
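Review bot: the new `if`/`elif` has no `else`, so any value of `LDAP_ENCRYPT_CONNECTION` other than exactly `starttls` or `on` (a typo such as `ON`, `tls` or `true`) writes no `ssl` line and nslcd quietly talks plaintext to the directory. Suggest an explicit `elif [ "${LDAP_ENCRYPT_CONNECTION}" == "off" ]` branch followed by `else echo "Unknown LDAP_ENCRYPT_CONNECTION value" >&2; exit 1` so a misconfiguration fails at startup instead of degrading to an unencrypted bind. Minor: `$LDAP_CONFIG` should be quoted in the redirections, matching the quoting used for the variables in the tests.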
Expand All @@ -27,6 +29,8 @@ fi
if [ "${LDAP_TLS_CA_CERT}x" != "x" ] ; then
echo "$LDAP_TLS_CA_CERT" > $OPENVPN_DIR/ldap-ca.crt
echo "tls_cacertfile ${OPENVPN_DIR}/ldap-ca.crt" >> $LDAP_CONFIG
else
echo "tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt" >> $LDAP_CONFIG
fi

if [ "${ACTIVE_DIRECTORY_COMPAT_MODE}" == "true" ]; then
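Review bot: the new `else` branch hardcodes `/etc/pki/tls/certs/ca-bundle.crt`, a Red Hat family path; if the base image is ever switched to one where the bundle lives elsewhere, nslcd will be pointed at a missing file and TLS validation will fail for every login. Suggest guarding it with `if [ -f /etc/pki/tls/certs/ca-bundle.crt ]` (and logging a clear error otherwise) or making the path a documented variable, and noting in the README that the system bundle is the default trust store when `LDAP_TLS_CA_CERT` is unset.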