This is a complete walkthrough for installing openvpn-als on linux, and synchronizing the user database with a windows domain controller running Active Directory. I used debian lenny, but this should work equally well with ubuntu server.
Log into your new system as root (i know, i know, but it’s easier. If you don’t feel comfortable logging in as root, just prepend sudo to all the commands below.)
First add the extra repositories to apt, and change it over from lenny to stable (ubuntu users, ignore the first line here)
- sed -i.bak ‘s#lenny#stable#’ /etc/apt/sources.list
- sed -i.bak ‘s#main#main contrib non-free#’ /etc/apt/sources.list
- aptitude update
Now install the needed dependencies:
- aptitude install sun-java6-jdk ant junit subversionand grab the current svn trunk version of ALS svn co https://openvpn-als.svn.sourceforge.net/svnroot/openvpn-als/adito/trunk /opt/openvpn-als
- ALS needs the tools.jar (about 12.5mb) that is distributed with the JDK to be placed in the $ADITO_HOME\adito\lib folder. On my system I had to do this, but you may be different…
- cp /usr/lib/jvm/java-6-sun-188.8.131.52/lib/tools.jar /opt/openvpn-als/adito/lib/
now run the installer
- cd /opt/openvpn-als && ant install
You’ll see alot of text scroll by as the javac does it’s magic, the it’ll stop and give you a web address to go to, so open a web borwser and go to the url provided. If you dont have DNS set up yet, then you can substitute the hostname for the IP fo the machine. e.g. http://192.168.1.10:28080
Only you won’t get the "use current certificate" option – you only get this if you re-run the installer.
Choose "create new certificate", and enter a passphrase, then fill in the certificate details and click next.
Domain: Your Active directory domain, as displayed in the "active direcotry users and computers" mmc snapin
Service Account Name: this is the username of a standard user in the company.local -> users OU. It is not a full LDAP DN as the documentation suggests.
Service Account password: the password for the above account. It is recommended to set the password to never expire, and prevent the user fom changing the password when creating the account (or set it now from the account tab of the users properties).
Note that for this to work your DNS must be working, i.e. you should be able to ping dc AND dc.domain.local from your ALS server. If you have problems at this point examine the contents of the /opt/openvpn-als/adito/logs/adito.log file. I would suggest adding all your DC’s to your /etc/hosts file jic.
On the OU filter tab, you should add the OU’s that your users and groups exist in as LDAP DN strings. In my case all my users are in an OU off the root called Comany Users, and all my groups are in an OU called Company groups, so i added:
On the options tab I had to increase the "Max Group Cache Objects" because we have a lot of groups, but I’d leave everything as default to start with, as you can rerun the installer if you have problems later.
On this screen you should choose an account from AD to be your openvpn-als admin account. This is the accout that you use to edit the configuration of openvpn-als. It doesn’t have to be a domain admin account, but I wouldn’t use a personal account, as multiple administrators may need to use it. I created a new user called aadmin for the task. NOTE: I wouldn’t use the same account that you used above, as you may have to (in fact you should) change the password of this user every so often.
Step 4 – Webserver.
Choose the ports & IP that you ant the server to listen on. If you leave the default 443, you will be able to browse to the site without having to specify a port, i.e. https://yourserver, instead of https://yourserver:portnumber
Step 5 – Proxies
Configure proxy information as needed
Step 6 – Summary
Check over the information provided, and finish.
At this point the installer will finish:
and you will get your cursor back in the terminal window.
Now we need to build the client and install the service. These are both done with ant. To see the possible ant options, use the command
- ant -projecthelp
We need to install the agent, and the service, so run the follwing commands, one after the other:
- ant install-agent
- ant install-service
- now you should be able to start the service with the command
- /etc/init.d/openvpn-als start
and browse to https://yourserver to log into openvpn-als (with the aadmin superuser from earlier).
Now you’ll need to configure some applications…