From c0d1646853631c48486441281377a6152fb5dd31 Mon Sep 17 00:00:00 2001
From: Robert Giles
Date: Thu, 14 Dec 2017 10:04:48 -0600
Subject: [PATCH 1/3] Clarify documentation; this example configuration is also useful for just regular pam_yubico configuration elsewhere against AD, too.
---
 README | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/README b/README
index 3971bfd..94651be 100644
--- a/README
+++ b/README
@@ -358,13 +358,15 @@ logins, add the following to the top of `/etc/pam.d/login`:
 OpenVPN and ActiveDirectory
 ---------------------------
+See Michael Ludvig's sample Active Directory schema extensions for YubiKey public ID attribute storage / association with a particular user account:
+link:https://github.com/mludvig/yubikey-ldap/tree/master/microsoft-schema
 create file '/etc/pam.d/openvpn':
- auth required pam_yubico.so ldap_uri=ldap://ldap-srv debug id=[Your API Client ID] yubi_attr=pager
- ldapdn=dc=ad,dc=next-audience,dc=net
- ldap_filter=(&(sAMAccountName=%u)(memberOf=CN=mygroup,OU=DefaultUser,DC=adivser,DC=net))
- ldap_bind_user=bind_user ldap_bind_password=bind_password try_first_pass
+ auth required pam_yubico.so ldap_uri=ldap://contoso.com debug id=[Your API ID] yubi_attr=yubiKeyId
+ ldapdn=DC=contoso,DC=com
+ ldap_filter=(&(sAMAccountName=%u)(objectClass=user)(memberOf=CN=somegroup,DC=contoso,DC=com))
+ ldap_bind_user=CN=binduser,CN=Users,DC=contoso,DC=com ldap_bind_password=bind_password try_first_pass
 account required pam_yubico.so
 create file 'openvpn.conf'
From c1995a70b737337abc378266d8e0d08d69a9f4d3 Mon Sep 17 00:00:00 2001
From: Robert Giles
Date: Thu, 14 Dec 2017 10:06:19 -0600
Subject: [PATCH 2/3] Typo in asciidoc syntax.
---
 README | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/README b/README
index 94651be..16c1763 100644
--- a/README
+++ b/README
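Review bot: The new example on the first added `auth` line binds over `ldap_uri=ldap://contoso.com`, so the `ldap_bind_password` and every per-login `sAMAccountName=%u` lookup cross the network unencrypted; since this section is presented as a copy-and-paste configuration, the example should read `ldap_uri=ldaps://contoso.com` (or the README should state that a TLS-protected URI is expected) rather than cleartext LDAP. The same line also carries `ldap_bind_password=bind_password` inline in `/etc/pam.d/openvpn`, which on most systems is world-readable, and the snippet says nothing about restricting that file or keeping the bind account a low-privilege read-only one; a one-sentence caveat after the snippet would be enough. Both points carry over unchanged to the rewritten bind line in PATCH 3/3 further down this page.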
@@ -358,8 +358,7 @@ logins, add the following to the top of `/etc/pam.d/login`:
 OpenVPN and ActiveDirectory
 ---------------------------
-See Michael Ludvig's sample Active Directory schema extensions for YubiKey public ID attribute storage / association with a particular user account:
-link:https://github.com/mludvig/yubikey-ldap/tree/master/microsoft-schema
+See Michael Ludvig's sample Active Directory schema extensions for YubiKey public ID attribute storage / association with a particular user account: https://github.com/mludvig/yubikey-ldap/tree/master/microsoft-schema
 create file '/etc/pam.d/openvpn':
From 504c838b5af4ff1341eb27217ea9358eac986dd0 Mon Sep 17 00:00:00 2001
From: Robert Giles
Date: Thu, 14 Dec 2017 11:51:20 -0600
Subject: [PATCH 3/3] Update ldap_bind_user to wrap in brackets, in the likely case the actually bind DN will reside in an OU with spaces in the name.
---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README b/README
index 16c1763..0e83207 100644
--- a/README
+++ b/README
@@ -365,7 +365,7 @@ create file '/etc/pam.d/openvpn':
 auth required pam_yubico.so ldap_uri=ldap://contoso.com debug id=[Your API ID] yubi_attr=yubiKeyId
 ldapdn=DC=contoso,DC=com
 ldap_filter=(&(sAMAccountName=%u)(objectClass=user)(memberOf=CN=somegroup,DC=contoso,DC=com))
- ldap_bind_user=CN=binduser,CN=Users,DC=contoso,DC=com ldap_bind_password=bind_password try_first_pass
+ [ldap_bind_user=CN=binduser,OU=Service Accounts,DC=contoso,DC=com] ldap_bind_password=bind_password try_first_pass
 account required pam_yubico.so
 create file 'openvpn.conf'
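Review bot: The bracketed `[ldap_bind_user=CN=binduser,OU=Service Accounts,DC=contoso,DC=com]` added in PATCH 3/3 is PAM's own quoting for a module argument that contains spaces, but nothing in the README says so, and a reader who copies it with a DN containing a literal `]` gets a silently truncated argument, since PAM requires that character to be written as `\]` inside brackets. A short sentence under the snippet would prevent both misreadings: `The square brackets are PAM argument quoting (needed because the DN contains a space), not part of the value; escape any ']' inside the DN as '\]'.` The PATCH 2/3 hunk above is a link-syntax fix only and needs nothing.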