Vyatta Network OS Documentation


Gaining authentication from multiple LDAP servers

To authenticate a service against multiple LDAP servers or LDAP trees, create a separate LDAP authentication profile for each one by using the following commands:

vyatta@vyatta# set resources auth ldap example.com url ldap://ldap.example.com

vyatta@vyatta# set resources auth ldap example.com ... 

vyatta@vyatta# set resources auth ldap emea.example.com url ldap://ldap.emea.example.com

vyatta@vyatta# set resources auth ldap emea.example.com ...

To reference both LDAP profiles in the authentication configuration of a service, use the following commands:

vyatta@vyatta# set interfaces openvpn vtunX auth ldap example.com

vyatta@vyatta# set interfaces openvpn vtunX auth ldap emea.example.com

When a service user tries to authenticate to the OpenVPN vtunX interface, the provided credentials are checked against all the configured LDAP profiles.

A single LDAP profile that grants access is sufficient for the service user to establish the OpenVPN connection; access does not have to be granted by every configured LDAP profile.

Note: OpenVPN service authentication can combine LDAP authentication profiles with local service users or groups of local service users.
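The following is an added example, not Vyatta code, that models the any-of behaviour described above: credentials are tried against each configured LDAP profile in turn and one granting profile is enough, with local service users checked as well. The LDAP binds are simulated with in-memory directories, so it runs offline; the profile names example.com and emea.example.com come from the page, while the user names, passwords, the short-circuit on the first grant, and the handling of an unreachable server (treated as no grant from that profile, the remaining profiles still being tried) are constructed assumptions for illustration.

```python
"""Model of any-of authentication across several LDAP profiles (added example,
not Vyatta's implementation). LDAP servers are simulated in memory."""
import hmac
from dataclasses import dataclass, field


class LdapUnreachable(Exception):
    """Simulated connection failure to an LDAP server."""


@dataclass
class LdapProfile:
    """One 'resources auth ldap <name>' profile, with a constructed directory."""
    name: str
    url: str
    users: dict            # constructed: username -> password
    reachable: bool = True

    def bind(self, username: str, password: str) -> bool:
        """Simulated simple bind: True if the credentials match this directory."""
        if not self.reachable:
            raise LdapUnreachable(self.url)
        expected = self.users.get(username)
        return expected is not None and hmac.compare_digest(expected, password)


@dataclass
class ServiceAuth:
    """Authentication configured on one service (e.g. 'interfaces openvpn vtunX auth')."""
    ldap_profiles: list
    local_users: dict = field(default_factory=dict)  # constructed local service users

    def authenticate(self, username: str, password: str):
        """Return (granted, trace); trace lists each profile consulted and its verdict."""
        trace = []
        for profile in self.ldap_profiles:
            try:
                granted = profile.bind(username, password)
            except LdapUnreachable:
                # Assumption: an unreachable server grants nothing, but the
                # other profiles are still consulted.
                trace.append((profile.name, "unreachable"))
                continue
            trace.append((profile.name, "granted" if granted else "denied"))
            if granted:
                # One granting profile is sufficient (assumption: stop here).
                return True, trace
        # Local service users are checked alongside the LDAP profiles.
        expected = self.local_users.get(username)
        if expected is not None and hmac.compare_digest(expected, password):
            trace.append(("local", "granted"))
            return True, trace
        trace.append(("local", "denied"))
        return False, trace


def build_demo_service(example_reachable: bool = True) -> ServiceAuth:
    """Constructed setup mirroring the page: two LDAP profiles plus a local user."""
    corp = LdapProfile("example.com", "ldap://ldap.example.com",
                       {"alice": "alice-pw"}, reachable=example_reachable)
    emea = LdapProfile("emea.example.com", "ldap://ldap.emea.example.com",
                       {"bob": "bob-pw"})
    return ServiceAuth([corp, emea], local_users={"carol": "carol-pw"})


if __name__ == "__main__":
    svc = build_demo_service()
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"),
                     ("carol", "carol-pw"), ("alice", "wrong")]:
        ok, trace = svc.authenticate(user, pw)
        print(f"{user}: {'GRANTED' if ok else 'DENIED'} via {trace}")
    ok, trace = build_demo_service(example_reachable=False).authenticate("bob", "bob-pw")
    print(f"bob with example.com down: {'GRANTED' if ok else 'DENIED'} via {trace}")
```

The trace returned alongside the verdict is the part worth keeping in a real deployment: when a user is granted access by a profile the operator did not expect, or denied because every server was unreachable, the per-profile verdicts are what make the outcome explainable in logs.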

To allow SSL-VPN clients to connect without a TLS client certificate that is specific to an end user, set the client-cert-not-required option. With this option set, the configured authentication methods (LDAP profiles or local service users) are the only check applied to the client. Even if client certificates were created, they are not included in any SSL-VPN client bundles.

# set interfaces openvpn vtunX client-cert-not-required