Script to synchronize AD/LDAP users with OpenVPN config files and email user certificates and a setup guide to end users. This script is a very rudimentary hack to fill my purpose. It may or may not work for you. It could also be put to use with LDAP with minimal modification even though I wrote it for an Active Directory environment.
This script is (as of today, 2014-12-03) in *fully-working beta status*. It currently does not delete or revoke certificates but will in the near (but unknown) future.
Basically, the script should be run on a cron schedule. At run, it searches all users in a specified AD group. It then checks to see if subdirectories exist for the user, if not, it decides to create them. It then loops through to look for directories that do not have a corresponding user in the AD list and deletes them. It technically (at this point) does not revoke access and restart the vpn, this is IMPORTANT, because in my setup we are authenticating against AD anyway as a second layer.
This is not fully secure but like I said, it is a major work in progress.
5. We assume you want your rsa key infrastructure to live under the OpenVPN config directory in /etc
6. We assume your public IP is 66.66.66.66 - obviously this needs to be changed in the template file in the clients directory.
7. We assume your local network is 192.168.1.0/24 and your Active Directory or LDAP servers reside at .21 and .22 in this network.
8. We assume that you will set up a group in Active Directory called "OpenVPNUsers" - any users in this group will have files generated and emailed automatically.
12. Copy main program into place `sudo cp /tmp/ovpn-ad-sync/ovpn-ad-sync.sh /usr/local/bin`
13. Edit main program variables - IMPORTANT! `sudo nano /usr/local/bin/ovpn-ad-sync.sh`
14. Allow program to execute `sudo chmod +x /usr/local/bin/ovpn-ad-sync.sh`
15. On your Active Directory, make sure you have created a group (by default, OpenVPNUsers).
16. On your Active Directory, make sure the oas_user exists and has a proper password set.
17. Check the rest of the items in the assumptions list above and double-check they are all checked before running.
18. All checked? Let's add it to cron. `sudo crontab -e` and add a line like this `0,10,20,30,40,50 * * * * /usr/local/bin/ovpn-ad-sync.sh >/dev/null 2>&1`
19. Now go to Active Directory and add a new user, set a valid email address for them, and add them to the group. Within 10 minutes that email should receive a message with the config and user guide attached!