From f89c98a2596945053ecdd8a2c82052b8d625b3c3 Mon Sep 17 00:00:00 2001
From: Brian Lycett <brian@wheelybird.co.uk>
Date: Mon, 9 Mar 2020 13:57:10 +0000
Subject: [PATCH 1/3] Use the system CA bundle when not using user-supplied CA certs.

---
 files/configuration/setup_ldap.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/files/configuration/setup_ldap.sh b/files/configuration/setup_ldap.sh
index 5a315e7..141ffe0 100644
--- a/files/configuration/setup_ldap.sh
+++ b/files/configuration/setup_ldap.sh
@@ -27,6 +27,8 @@ fi
 if [ "${LDAP_TLS_CA_CERT}x" != "x" ] ; then
 echo "$LDAP_TLS_CA_CERT" > $OPENVPN_DIR/ldap-ca.crt
 echo "tls_cacertfile ${OPENVPN_DIR}/ldap-ca.crt" >> $LDAP_CONFIG
+else
+ echo "tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt" >> $LDAP_CONFIG
 fi
 
 if [ "${ACTIVE_DIRECTORY_COMPAT_MODE}" == "true" ]; then

From 07369560365e0b72b72c3dde7ac0d4727da63ee3 Mon Sep 17 00:00:00 2001
From: Brian Lycett <brian@wheelybird.co.uk>
Date: Mon, 9 Mar 2020 13:57:46 +0000
Subject: [PATCH 2/3] Update version in the README

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4c2809d..0f814e0 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,7 @@ docker run \
 -e "LDAP_URI=ldap://ldap.mycompany.com" \
 -e "LDAP_BASE_DN=dc=mycompany,dc=com" \
 --cap-add=NET_ADMIN \
- wheelybird/openvpn-ldap-otp:v1.1
+ wheelybird/openvpn-ldap-otp:v1.2
 ```
 
 * `--cap-add=NET_ADMIN` is necessary; the container needs to create the tunnel device and create iptable rules.

From 0f9e2d7ed82b9114ad1d40f409e5e8cf835cbf68 Mon Sep 17 00:00:00 2001
From: Brian Lycett <brian@wheelybird.co.uk>
Date: Mon, 9 Mar 2020 14:25:22 +0000
Subject: [PATCH 3/3] Allow different TLS modes

---
 README.md | 5 +++--
 files/configuration/set_defaults.sh | 5 +++++
 files/configuration/setup_ldap.sh | 4 +++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 0f814e0..c77a7ed 100644
--- a/README.md
+++ b/README.md
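Review bot: In the PATCH 1/3 hunk of files/configuration/setup_ldap.sh, the new `else` branch hard-codes `/etc/pki/tls/certs/ca-bundle.crt`, which is the RHEL/CentOS bundle location; on a Debian- or Alpine-based image the system bundle lives at `/etc/ssl/certs/ca-certificates.crt` and nslcd would be pointed at a file that does not exist. The base image is not visible in this patch, so this cannot be confirmed here, but a missing `tls_cacertfile` would only surface at bind time, and how nslcd treats it (refuse every connection, or something weaker) is not established by this diff. It is safer to check at setup time, on the line before the echo: `[ -r /etc/pki/tls/certs/ca-bundle.crt ] || echo "WARNING: system CA bundle /etc/pki/tls/certs/ca-bundle.crt not found; LDAP TLS certificate validation will fail" >&2`. The `$LDAP_CONFIG` redirect target is left unquoted, matching the existing lines of this `if`, which is entirely inside the hunk.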
@@ -30,9 +30,10 @@ Configuration is via environmental variables. Here's a list, along with the def
  * `LDAP_BIND_USER_PASS` (_undefined_): The password for the bind user.
  * `LDAP_FILTER` (_undefined_): A filter to apply to LDAP lookups. This allows you to limit the lookup results and thereby who will be authenticated. e.g. `(memberOf=cn=staff,cn=groups,cn=accounts,dc=example,dc=org)`. See [Filtering](#Filtering) for more information.
  * `LDAP_LOGIN_ATTRIBUTE` (uid): The LDAP attribute used for the authentication lookup, i.e. which attribute is matched to the username when you log into the OpenVPN server.
- * `LDAP_TLS` (false): Set to 'true' to enable a TLS connection to the LDAP server.
+ * `LDAP_ENCRYPT_CONNECTION` (off): Options: `on|starttls|off`. This sets the 'ssl' option in nslcd. `on` will connect to the LDAP server over TLS (SSL). `starttls` will initially connect unencrypted and negotiate a TLS connection if one is available. `off` will disable SSL/TLS.
+ * `LDAP_TLS` (false): Changes (overrides) `LDAP_ENCRYPT_CONNECTION` to `starttls` (this setting is for backwards-compatibility with previous versions).
  * `LDAP_TLS_VALIDATE_CERT` (true): Set to 'true' to ensure the TLS certificate can be validated. 'false' will ignore certificate issues - you might need this if you're using a self-signed certificate and not passing in the CA certificate.
- * `LDAP_TLS_CA_CERT` (_undefined_): The contents of the CA certificate file for the LDAP server. You'll need this to enable TLS if using self-signed certificates.
+ * `LDAP_TLS_CA_CERT` (_undefined_): The contents of the CA certificate file for the LDAP server. You'll need this to enable TLS when using self-signed certificates.
  * `ACTIVE_DIRECTORY_COMPAT_MODE` (false): Sets `LDAP_LOGIN_ATTRIBUTE` to `sAMAccountName` and `LDAP_FILTER` to `(objectClass=user)`, which allows LDAP lookups to work with Active Directory. This will override any value you've manually set for those settings.
diff --git a/files/configuration/set_defaults.sh b/files/configuration/set_defaults.sh
index 3683c9e..6356d01 100644
--- a/files/configuration/set_defaults.sh
+++ b/files/configuration/set_defaults.sh
@@ -47,7 +47,9 @@ if [ "${DEBUG}x" == "x" ]; then export DEBUG="false";
 if [ "${LOG_TO_STDOUT}x" == "x" ]; then export LOG_TO_STDOUT="true"; fi
 if [ "${ENABLE_OTP}x" == "x" ]; then export ENABLE_OTP="false"; fi
 if [ "${LDAP_LOGIN_ATTRIBUTE}x" == "x" ]; then export LDAP_LOGIN_ATTRIBUTE="uid"; fi
+if [ "${LDAP_ENCRYPT_CONNECTION}x" == "x" ]; then export LDAP_ENCRYPT_CONNECTION="off"; fi
 if [ "${LDAP_TLS}x" == "x" ]; then export LDAP_TLS="false"; fi
+if [ "${LDAP_TLS}" == 'true' ]; then export LDAP_ENCRYPT_CONNECTION="starttls"; fi
 if [ "${LDAP_TLS_VALIDATE_CERT}x" == "x" ]; then export LDAP_TLS_VALIDATE_CERT="true"; fi
 if [ "${KEY_LENGTH}x" == "x" ]; then export KEY_LENGTH="2048"; fi
 if [ "${FAIL2BAN_ENABLED}x" == "x" ]; then export FAIL2BAN_ENABLED="false"; fi
@@ -60,3 +62,6 @@ if [ "$LOG_TO_STDOUT" == "true" ]; then
 else
 LOG_FILE="${LOG_DIR}/openvpn.log"
 fi
+
+
+
diff --git a/files/configuration/setup_ldap.sh b/files/configuration/setup_ldap.sh
index 141ffe0..e56ea5d 100644
--- a/files/configuration/setup_ldap.sh
+++ b/files/configuration/setup_ldap.sh
@@ -16,8 +16,10 @@ ldap_version 3
 EoLDAP
-if [ "${LDAP_TLS}" == "true" ] ; then
+if [ "${LDAP_ENCRYPT_CONNECTION}" == "starttls" ] ; then
 echo "ssl start_tls" >> $LDAP_CONFIG
+elif [ "${LDAP_ENCRYPT_CONNECTION}" == "on" ] ; then
+ echo "ssl on" >> $LDAP_CONFIG
 fi
 if [ "${LDAP_TLS_VALIDATE_CERT}" == "false" ] ; then
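Review bot: In the `@@ -47,7 +47,9 @@` hunk of files/configuration/set_defaults.sh, `LDAP_ENCRYPT_CONNECTION` gets a default and the legacy override but is never validated, and its consumer in the `@@ -16,8 +16,10 @@` hunk of files/configuration/setup_ldap.sh matches only the exact strings `starttls` and `on` with no `else`; any other value (`ON`, `ldaps`, `true`, a typo) writes no `ssl` line at all, so nslcd would fall back to the plain `ldap://` connection and send the bind password and users' credentials unencrypted. A misconfigured value should stop startup rather than silently downgrade to plaintext; after the override line, in the file's one-line style: `case "${LDAP_ENCRYPT_CONNECTION}" in on|starttls|off) ;; *) echo "Invalid LDAP_ENCRYPT_CONNECTION='${LDAP_ENCRYPT_CONNECTION}' (expected on|starttls|off)" >&2; exit 1 ;; esac` (use `return 1` instead if this file is sourced rather than executed). The override also runs after the default has been applied, so an explicit `LDAP_ENCRYPT_CONNECTION=on` alongside a legacy `LDAP_TLS=true` ends up as `starttls`; that matches the README wording but deserves a comment on the line, e.g. `# Legacy LDAP_TLS=true deliberately wins over LDAP_ENCRYPT_CONNECTION for backwards compatibility`. The setup_ldap.sh hunk's closing lines are outside this view, so the missing `else` is inferred from what is shown.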