I have been trying to integrate OpenVPN with FreeIPA. General integration (i.e. using the IPA user password) works fine; my issue is connecting it with 2FA (OTP). Without writing an external script it is not possible to use OTP + IPA + OpenVPN, as there is no mechanism to ask for the 2nd factor in OpenVPN and only sshd is set up for the 2nd factor - the reasons are explained in this reddit post ->


I was advised, however, that openvpn-auth-ldap can be used, as it is set up so you can input PASS+OTPTOKEN in the password field.

What I do not understand is what to enter in the /etc/openvpn/auth/ldap.conf config. I was advised I could get the data I need using ldapsearch with syntax similar to

# ldapsearch -ZZ -W -L ldap://ipa.example.org -b dc=example,dc=org -D uid=testuser,cn=users,cn=accounts,dc=example,dc=org

However, using this syntax I just got the error

"ldap_start_tls: Operations error (1), additional info: SSL connection already established"

I have found working commands to query LDAP, such as

# ldapsearch -LL -Y GSSAPI

However, I am really not sure what info I need to get.

The config for auth-ldap is at the end of the message; the only parts I think I know are
(btw the IPA server is called ipa1.morgan.kvm)

URL ldap://ipa1.morgan.kvm
TLSCACertFile   /etc/ipa/ca.crt

(this may be wrong...) I am unsure about the BaseDN, the TLS cert paths, etc.

Can anyone help?

The config is below

        <LDAP>
        # LDAP server URL
        URL             ldap://ipa1.morgan.kvm

        # Bind DN (If your LDAP server doesn't support anonymous binds)
        # BindDN                uid=Manager,ou=People,dc=example,dc=com

        # Bind Password
        # Password      SecretPassword

        # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        TLSEnable       yes

        # Follow LDAP Referrals (anonymously)
        FollowReferrals yes

        # TLS CA Certificate File
        TLSCACertFile   /etc/ipa/ca.crt

        # TLS CA Certificate Directory
        TLSCACertDir    /etc/ssl/certs

        # Client Certificate and key
        # If TLS client authentication is required
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem

        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite        ALL:!ADH:@STRENGTH
        </LDAP>

        <Authorization>
        # Base DN
        BaseDN          "ou=People,dc=example,dc=com"

        # User Search Filter
        SearchFilter    "(&(uid=%u)(accountStatus=active))"

        # Require Group Membership
        RequireGroup    false

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

                <Group>
                BaseDN          "ou=Groups,dc=example,dc=com"
                SearchFilter    "(|(cn=developers)(cn=artists))"
                MemberAttribute uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
                </Group>
        </Authorization>
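As an added example (not part of the post above and not code from the openvpn-auth-ldap project), here is a small shell script that derives the FreeIPA DNs for a domain, renders an auth-ldap config for them, and carries a probe function with the two ldapsearch checks worth running first: find the user entry over StartTLS, then simple-bind as that entry with password+OTP typed as one string, which is the same bind the plugin performs with whatever the VPN client sends in the password field. It assumes the FreeIPA defaults: the base DN is the domain as dc= components (dc=morgan,dc=kvm for morgan.kvm, matching the dc=example,dc=org pattern in the ldapsearch above), users live under cn=users,cn=accounts, groups under cn=groups,cn=accounts with full-DN values in the member attribute, disabled users carry nsAccountLock=TRUE (FreeIPA has no accountStatus attribute, so the sample filter would never match), and the CA is at /etc/ipa/ca.crt. The group name vpn-users, the system-account DN in the commented BindDN line and the plugin path in the comment are placeholders. On the ldapsearch error: ldapsearch takes the server with -H, and a bare ldap://... argument is read as the search filter, so the command falls back to the URI in /etc/openldap/ldap.conf, which ipa-client-install sets to ldaps://; asking for StartTLS with -ZZ on a connection that is already TLS is what produces "SSL connection already established".

```shell
#!/bin/sh
# Added example: derive FreeIPA DNs, render an openvpn-auth-ldap config for them,
# and probe the server with ldapsearch. Assumes IPA defaults; group name,
# sysaccount DN and plugin path are placeholders.

# morgan.kvm -> dc=morgan,dc=kvm (IPA's default base DN is the domain as dc= RDNs)
domain_to_basedn() {
    printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# Render /etc/openvpn/auth/ldap.conf for IPA server $1, domain $2, required group $3.
render_auth_ldap_conf() {
    server=$1
    basedn=$(domain_to_basedn "$2")
    group=$3
    cat <<EOF
# openvpn-auth-ldap config for FreeIPA (generated example)
# server.conf side (plugin path differs per distro, adjust):
#   plugin /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
<LDAP>
    # plain ldap:// on 389 upgraded with StartTLS, verified against the IPA CA
    URL             ldap://$server
    Timeout         15
    TLSEnable       yes
    FollowReferrals no
    TLSCACertFile   /etc/ipa/ca.crt
    # Only needed if anonymous reads of users/groups are disabled on the IPA
    # server; use a dedicated IPA system account, never a real user's password
    # BindDN        uid=openvpn,cn=sysaccounts,cn=etc,$basedn
    # Password      <sysaccount password>
</LDAP>

<Authorization>
    # IPA keeps users here; the plugin searches for uid=%u, then binds as the
    # entry it finds with the password field, i.e. password+OTP concatenated
    BaseDN          "cn=users,cn=accounts,$basedn"
    # FreeIPA has no accountStatus attribute; disabled users have nsAccountLock=TRUE
    SearchFilter    "(&(uid=%u)(!(nsAccountLock=TRUE)))"
    RequireGroup    true
    <Group>
        BaseDN          "cn=groups,cn=accounts,$basedn"
        SearchFilter    "(cn=$group)"
        # IPA groups list members as full DNs in the member attribute
        MemberAttribute member
    </Group>
</Authorization>
EOF
}

# Live checks against the IPA server (needs network and ldap-utils); not run by default.
probe_ipa_ldap() {
    server=$1
    basedn=$(domain_to_basedn "$2")
    user=$3
    userdn="uid=$user,cn=users,cn=accounts,$basedn"
    # 1. anonymous simple bind + StartTLS: -H names the server explicitly,
    #    -ZZ insists on StartTLS succeeding, the CA comes from the IPA client install
    LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -H "ldap://$server" -ZZ -x -LLL \
        -b "cn=users,cn=accounts,$basedn" "(uid=$user)" dn nsAccountLock memberOf
    # 2. simple bind as the user: at the -W prompt type the password immediately
    #    followed by the current OTP, exactly what the VPN client will send
    LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -H "ldap://$server" -ZZ -x -LLL -W \
        -D "$userdn" -b "$userdn" -s base dn
}

# usage: ./ipa-auth-ldap.sh render [server] [domain] [group]   (defaults below)
#        ./ipa-auth-ldap.sh probe  server domain user
case "${1:-render}" in
    render) render_auth_ldap_conf "${2:-ipa1.morgan.kvm}" "${3:-morgan.kvm}" "${4:-vpn-users}" ;;
    probe)  probe_ipa_ldap "$2" "$3" "$4" ;;
esac
```

Run `./ipa-auth-ldap.sh probe ipa1.morgan.kvm morgan.kvm testuser` before touching OpenVPN: if the first search shows the entry and the second bind succeeds with password+OTP, the plugin will work with the rendered config; if the first search returns no nsAccountLock attribute at all, the anonymous bind cannot read it and the BindDN lines are needed, otherwise the lock filter silently excludes everyone.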