From 3234451f9f834f08d4072dd00c2998f694c6047b Mon Sep 17 00:00:00 2001 From: Josh North Date: Wed, 3 Dec 2014 13:46:31 -0500 Subject: [PATCH] Update README.md --- README.md | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4ce6b66..aa00ac5 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,32 @@ ovpn-ad-sync ============ -Script to synchronize AD/LDAP users with OpenVPN config files and email user certificates and a setup guide to end users +Script to synchronize AD/LDAP users with OpenVPN config files and email user certificates and a setup guide to end users. This script is a very rudimentary hack to fill my purpose. It may or may not work for you. It could also be put to use with LDAP with minimal modification even though I wrote it for an Active Directory environment. + +Theory: +Basically, the script should be run on a cron schedule. At run, it searches all users in a specified AD group. It then checks to see if subdirectories exist for the user, if not, it decides to create them. It then loops through to look for directories that do not have a corresponding user in the AD list and deletes them. It technically (at this point) does not revoke access and restart the vpn, this is IMPORTANT, because in my setup we are authenticating against AD anyway as a second layer. This is not fully secure but like I said, it is a major work in progress. + +Requirements: +Ubuntu 14+ (will likely work with plenty of other systems, but I wrote it on and for Ubuntu server) +sendmail (must be configured correctly - I used ssmtp and wrote this script as such) +sharutils +easy-rsa +ldap-utils +openvpn-auth-ldap + +Setup: +The below instructions make the following assumptions. If you use a different setup you will need to modify accordingly. +1. Install and configure all pre-requisites listed above +2. +2. cp -R /usr/share/easy-rsa /etc/openvpn/rsa +3. 
cp -RCreate openvpn server config file +make ldap config file +edit /etc/openvpn/rsa/vars correctly +in rsa dir do source ./vars, build-ca, build-dh, and build-key-server +MAKE SURE you use 2048 not 1024 it will break script and i don;t care becuase it's more secure anyway +copy script file to /usr/local/bin/oas.sh ansd chmod +x +make directory for client files (/etc/openvpn/oas_clients) +copy template file for clients into client directory +edit oas.sh to iproper parameters +copy user guide to client directory +add to cron every 15 minutes or whatever
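Review bot: the "Theory" paragraph states that removing a user only deletes their directory and "does not revoke access and restart the vpn", but the Setup section never says what that means for an issued client certificate: a cert handed out by the script stays valid after the user leaves AD until it is revoked (easy-rsa is listed as a requirement, so `revoke-full` and a `crl-verify` entry in the server config are the natural fix) and the server reloads the CRL. That caveat should be stated as an explicit warning in Setup, next to the openvpn-auth-ldap step it relies on, rather than only in passing, since the README itself admits "This is not fully secure". Smaller issues in the same hunk: the numbered list has "2." twice ("+2." followed by "+2. cp -R /usr/share/easy-rsa /etc/openvpn/rsa"), the line "+cp -RCreate openvpn server config file" looks like two lines run together, and "MAKE SURE you use 2048 not 1024 it will break script" should say what in the script depends on the key size so a reader can tell whether a non-default `KEY_SIZE` in `vars` will break it. Typos worth fixing while here: "i don;t care becuase", "ansd chmod +x", "edit oas.sh to iproper parameters".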