This is a complete walkthrough for installing openvpn-als (the svn checkout and some of its scripts still use the project's earlier name, adito) on Linux and synchronizing its user database with a Windows domain controller running Active Directory. I used Debian lenny, but it should work equally well on Ubuntu Server.
Log into your new system as root (I know, I know, but it is easier; if you don't feel comfortable working as root, prepend sudo to all the commands below).
First add the extra repositories to apt and switch it from lenny to stable (Ubuntu users, skip the first line). Be aware that pointing sources.list at "stable" rather than a release codename means the next Debian release will turn an ordinary aptitude upgrade into a full distribution upgrade; if you don't want that, leave the codename alone and only add contrib and non-free.
- sed -i.bak 's#lenny#stable#' /etc/apt/sources.list
- sed -i.bak 's#main#main contrib non-free#' /etc/apt/sources.list
- aptitude update
Now install the needed dependencies:
- aptitude install sun-java6-jdk ant junit subversion
and grab the current svn trunk of ALS:
- svn co https://openvpn-als.svn.sourceforge.net/svnroot/openvpn-als/adito/trunk /opt/openvpn-als
- ALS needs the tools.jar (about 12.5 MB) that ships with the JDK (a plain JRE doesn't include it) to be placed in the $ADITO_HOME/adito/lib folder. On my system that meant the following; the versioned directory name will differ with your JDK build, so check under /usr/lib/jvm first:
- cp /usr/lib/jvm/java-6-sun-1.6.0.12/lib/tools.jar /opt/openvpn-als/adito/lib/
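To avoid hard-coding the JDK version in that copy, here is an added shell example (mine, not the post's or the openvpn-als project's code) that resolves the JDK home from whichever javac is on the PATH, falls back to searching /usr/lib/jvm, and copies tools.jar into the ALS lib directory. It assumes the Sun JDK layout of <jdk_home>/lib/tools.jar and the checkout path /opt/openvpn-als used above; both are parameters so you can point it elsewhere.

```shell
#!/bin/sh
# Added example, not code from the original post or from openvpn-als.
# Assumes a JDK layout of <jdk_home>/lib/tools.jar and the checkout
# path /opt/openvpn-als used in the walkthrough.

# Print the path of tools.jar, or return 1 if none is found.
# Usage: find_tools_jar [search_root] [javac_path]
find_tools_jar() {
    root=${1:-/usr/lib/jvm}
    javac_bin=${2:-$(command -v javac 2>/dev/null || true)}
    # Preferred: follow the alternatives symlink of the javac actually in
    # use, so tools.jar matches the JDK that will compile ALS.
    if [ -n "$javac_bin" ] && [ -x "$javac_bin" ]; then
        real=$(readlink -f "$javac_bin")            # <jdk_home>/bin/javac
        jdk_home=$(dirname "$(dirname "$real")")
        if [ -f "$jdk_home/lib/tools.jar" ]; then
            echo "$jdk_home/lib/tools.jar"
            return 0
        fi
    fi
    # Fallback: first tools.jar under the search root.  A bare JRE ships
    # no tools.jar, so an empty result means "install the JDK".
    found=$(find "$root" -path '*/lib/tools.jar' 2>/dev/null | head -n 1)
    if [ -n "$found" ]; then
        echo "$found"
        return 0
    fi
    return 1
}

# Copy tools.jar into the ALS lib directory.  Returns 1 with a message
# if no JDK is found or the destination does not exist.
# Usage: install_tools_jar [dest_dir] [search_root] [javac_path]
install_tools_jar() {
    dest=${1:-/opt/openvpn-als/adito/lib}
    jar=$(find_tools_jar "${2:-/usr/lib/jvm}" "${3:-}") || {
        echo "tools.jar not found: install the JDK, not just a JRE" >&2
        return 1
    }
    if [ ! -d "$dest" ]; then
        echo "destination $dest does not exist; is the checkout in place?" >&2
        return 1
    fi
    cp "$jar" "$dest/" && echo "copied $jar -> $dest/"
}

# install_tools_jar            # defaults: /opt/openvpn-als/adito/lib, /usr/lib/jvm
```

Run install_tools_jar with no arguments on the ALS box; the error path tells you whether the problem is a missing JDK or a missing checkout, which is the distinction that matters before `ant install`.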
Now run the installer:
- cd /opt/openvpn-als && ant install
You'll see a lot of text scroll by as javac does its work; then it stops and prints a web address. Open a web browser and go to the URL it gives. If you don't have DNS set up yet, use the machine's IP address in place of the hostname, e.g. http://192.168.1.10:28080
Step 1 – Certificate
The first installer screen is the certificate step (the original post has a screenshot here). You won't get the "use current certificate" option on a first run; it only appears when you re-run the installer.
Choose "create new certificate", enter a passphrase, fill in the certificate details and click next. Keep the passphrase somewhere safe, as it protects the key the installer generates. The certificate it creates is self-signed, so browsers will warn about it until you replace it with one issued by a CA your clients trust.
Step 2 – User database
Choose Active Directory and fill in the details:
Domain: your Active Directory domain, as displayed in the "Active Directory Users and Computers" MMC snap-in.
Service Account Name: the username of an ordinary domain user in the company.local -> Users container. It is a plain username, not a full LDAP DN as the documentation suggests. The account only needs to read the directory, so don't reuse a privileged account: its password has to be stored in the ALS configuration on this server, and a compromise of the box would expose it.
Service Account Password: the password for that account. Set the password to never expire and prevent the user from changing it when you create the account (or set it now from the Account tab of the user's properties); otherwise the directory lookups stop working when the password expires.
Note that DNS must be working for this: from the ALS server you should be able to resolve (and ping) both the DC's short name, e.g. dc, and its FQDN, e.g. dc.domain.local. If you have problems at this point, look at /opt/openvpn-als/adito/logs/adito.log. I'd suggest adding all your DCs to /etc/hosts just in case.
On the OU filter tab, add the OUs that your users and groups live in, as LDAP DN strings. In my case all the users are in an OU off the root called Company Users, and all the groups in one called Company Groups, so I added:
OU=Company Users,DC=company,DC=local
OU=Company Groups,DC=company,DC=local
On the options tab I had to increase "Max Group Cache Objects" because we have a lot of groups, but leave everything at the defaults to start with; you can re-run the installer if you have problems later.
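Before clicking through this step it is worth checking the three things it depends on from the ALS host itself: that the DC resolves by short name and FQDN, that its LDAP port answers, and that each OU filter is a DN rooted in your domain (a DN copied from the wrong domain, or missing its DC= suffix, fails silently in the installer and only shows up in adito.log). The following is an added shell example, my code rather than the post's or the project's; it assumes the domain company.local, a DC called dc and the two OU filters above, all of which are parameters.

```shell
#!/bin/sh
# Added example, not code from the original post or from openvpn-als.
# Assumed values: domain company.local, a domain controller named dc,
# and the two OU filters from the walkthrough.  Replace with your own.

# Turn a DNS domain into its LDAP base DN:
#   company.local -> DC=company,DC=local
domain_to_basedn() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i; printf "\n" }'
}

# Check that an OU filter is a container DN (OU= or CN=) rooted in the
# domain's base DN, comparing case-insensitively as AD does.  A DN from
# another domain, or one missing the DC= suffix, is rejected before the
# installer stores it.
check_ou_filter() {
    dn_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    base_lc=$(domain_to_basedn "$2" | tr 'A-Z' 'a-z')
    case "$dn_lc" in
        ou=*",$base_lc"|cn=*",$base_lc") return 0 ;;
        *) echo "bad OU filter: $1 (expected ...,$(domain_to_basedn "$2"))" >&2; return 1 ;;
    esac
}

# Both the short name and the FQDN of the DC must resolve from the ALS
# host.  getent follows /etc/nsswitch.conf, so /etc/hosts entries count.
check_dc_resolves() {
    dc=$1; domain=$2; rc=0
    for name in "$dc" "$dc.$domain"; do
        if getent hosts "$name" >/dev/null 2>&1; then
            echo "ok: $name resolves"
        else
            echo "FAIL: $name does not resolve; add it to /etc/hosts or fix DNS" >&2
            rc=1
        fi
    done
    return $rc
}

# ALS binds to the DC over LDAP; confirm the port answers (389, or 636
# for LDAPS).  Needs nc; returns 2 (not 1) if nc is not installed.
check_dc_port() {
    host=$1; port=${2:-389}
    command -v nc >/dev/null 2>&1 || { echo "nc not installed, skipping port check" >&2; return 2; }
    if nc -z -w 3 "$host" "$port" 2>/dev/null; then
        echo "ok: $host:$port open"
    else
        echo "FAIL: $host:$port closed or filtered" >&2
        return 1
    fi
}

# Run all checks: ad_preflight <domain> <dc-short-name> <ou-filter>...
ad_preflight() {
    domain=$1; dc=$2; shift 2; rc=0
    check_dc_resolves "$dc" "$domain" || rc=1
    check_dc_port "$dc.$domain" 389 || [ $? -eq 2 ] || rc=1
    for ou in "$@"; do
        check_ou_filter "$ou" "$domain" || rc=1
    done
    return $rc
}

# ad_preflight company.local dc \
#   "OU=Company Users,DC=company,DC=local" "OU=Company Groups,DC=company,DC=local"
```

A non-zero exit from ad_preflight means at least one of the inputs you are about to type into the installer is wrong for this host, and the FAIL lines say which.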
Step 3 – Admin account
On this screen choose an account from AD to be your openvpn-als admin account. This is the account you use to edit the configuration of openvpn-als. It doesn't have to be a domain admin (and shouldn't be), but I wouldn't use a personal account either, as several administrators may need it. I created a new user called aadmin for the task. NOTE: don't reuse the service account from step 2: you may have to (in fact you should) change this user's password from time to time, whereas changing the service account's password means reconfiguring ALS.
Step 4 – Webserver
Choose the ports and IP you want the server to listen on. If you keep the default 443, users can browse to https://yourserver without a port number instead of https://yourserver:portnumber (binding a port below 1024 needs root privileges).
Step 5 – Proxies
Configure proxy information as needed
Step 6 – Summary
Check over the information provided, and finish.
At this point the installer will finish:
and you will get your cursor back in the terminal window.
Now we need to build the client and install the service. Both are done with ant. To see the available ant targets, run
- ant -projecthelp
from within the /opt/openvpn-als folder.
We need to install the agent and the service, so run the following commands one after the other:
- ant install-agent
- ant install-service
Now you should be able to start the service with
- /etc/init.d/openvpn-als start
(on some checkouts the init script is installed as /etc/init.d/adito instead; see the comments below)
and browse to https://yourserver to log into openvpn-als (with the aadmin superuser from earlier).
Now you’ll need to configure some applications…
Murray says
Thank you very much for this tutorial, it has helped me numerous times in trying to set up openvpn-als. A couple of hints for those who may be stuck on some things.
to find out where tools.jar is simply type in
locate tools.jar
at the very last command (/etc/init.d/openvpn-als start) change openvpn-als to adito so it reads
/etc/init.d/adito start
Graeme Lockett says
Firstly thanks for this.
Some additional notes
If you are installing on a 64 bit Linux server you are likely to get this error
exec: 370: install/platforms/linux/x86/wrapper: not found
If you edit /opt/adito.svn/adito/build.xml and change all entries of x86 to x86-64 it works on 64-bit Ubuntu.
When you exit you will need to alter /opt/adito.svn/adito/conf/wrapper.conf and uncomment the line wrapper.java.additional.2=-Dfile.encoding=UTF-8, or edit
wrapper.conf.base and locate the line that reads #wrapper.java.additional.2=-Dfile.encoding=UTF-8, remove the # and save (Ctrl+X)
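The two fixes in Graeme's comment are easy to get slightly wrong by hand (a global x86 to x86-64 substitution also hits any existing x86-64 and produces x86-64-64, and a second pass makes it worse). As an added example, my code and not the commenter's or the project's, here is a script that picks the platform from uname -m, rewrites build.xml idempotently, and uncomments the UTF-8 wrapper flag. It assumes the paths named in the comment (<checkout>/adito/build.xml, <checkout>/adito/conf/wrapper.conf and wrapper.conf.base) and a sed that understands -E.

```shell
#!/bin/sh
# Added example, not code from the comment above or from openvpn-als.
# Assumes the checkout layout named in the comment:
#   <checkout>/adito/build.xml, <checkout>/adito/conf/wrapper.conf
#   and wrapper.conf.base.  Requires sed -E (GNU or BSD).

# Map the kernel's machine name to the platform directory build.xml uses.
wrapper_arch() {
    m=${1:-$(uname -m)}
    case "$m" in
        x86_64|amd64) echo x86-64 ;;
        i?86)         echo x86 ;;
        *) echo "unsupported architecture: $m" >&2; return 1 ;;
    esac
}

# Rewrite every x86 platform entry in build.xml as x86-64.  The pattern
# also accepts an existing x86-64, so running it twice cannot produce
# x86-64-64, and x86_64 (the uname form) is left alone.  The pristine
# file is kept as build.xml.bak on the first run only.
patch_build_xml() {
    f=$1; arch=$2
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    [ "$arch" = x86-64 ] || return 0          # 32-bit: nothing to change
    [ -f "$f.bak" ] || cp "$f" "$f.bak"
    sed -E 's/x86(-64)?([^-_0-9A-Za-z]|$)/x86-64\2/g' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Uncomment the UTF-8 JVM flag (wrapper.java.additional.2) in each file
# given; files that do not exist are skipped, already-enabled lines kept.
enable_utf8() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        [ -f "$f.bak" ] || cp "$f" "$f.bak"
        sed -E 's/^#[[:space:]]*(wrapper\.java\.additional\.2=-Dfile\.encoding=UTF-8)[[:space:]]*$/\1/' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Apply both fixes to a checkout, e.g. fix_64bit /opt/adito.svn
fix_64bit() {
    root=$1
    arch=$(wrapper_arch) || return 1
    patch_build_xml "$root/adito/build.xml" "$arch" &&
    enable_utf8 "$root/adito/conf/wrapper.conf" "$root/adito/conf/wrapper.conf.base"
}
```

Run fix_64bit against the checkout before `ant install-service`; on a 32-bit box it only touches the wrapper.conf files.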
Andre says
Hi, do you know where I can find out how to change the look of our logon screen. I am also wanting to add some external links to it.
Ramesh says
Hi,
Do you know where I can change the landing page (https://localhost/) instead of the showLogon.do page? I want to change the adito home landing page.
Edouard says
Hi, I have set up openvpnals as indicated, everything ran well, but after setting it up I get no result when browsing http://hostname so I can't install applications. Can someone help me please?