Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Gaining authentication from multiple LDAP servers

To authenticate a service against two different LDAP servers and LDAP trees, create two LDAP authentication profiles by using the following commands:

vyatta@vyatta# set resources auth ldap example.com url ldap://ldap.example.com

vyatta@vyatta# set resources auth ldap example.com ... 

vyatta@vyatta# set resources auth ldap emea.example.com url ldap://ldap.emea.example.com

vyatta@vyatta# set resources auth ldap emea.example.com ...

To reference both LDAP profiles in the authentication configuration of a service, use the following commands:

vyatta@vyatta# set interfaces openvpn vtunX auth ldap example.com

vyatta@vyatta# set interfaces openvpn vtunX auth ldap emea.example.com

When a service user tries to authenticate to the OpenVPN vtunX interface, the provided credentials are checked against all the configured LDAP profiles.

A single LDAP profile that grants access is sufficient for the service user to establish the OpenVPN connection; access does not have to be granted by all the configured LDAP profiles.

Note: OpenVPN service authentication can combine LDAP authentication profiles with local service users or groups of local service users.
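The following is an added illustration of the any-of rule just described, not code from Vyatta NOS or its documentation. It models each configured source (the two LDAP profiles from the commands above plus a local user, as the note allows) as something that can verify a credential, consults every source, and grants access if any one of them accepts. The directory contents, the profile names and the LocalUsers class are constructed for the example; how a real deployment treats an LDAP server that cannot be reached is not stated on this page, so the model simply records it as "error" and does not count it as a grant.

```python
"""Model of any-of service authentication across several auth sources."""
from dataclasses import dataclass
from typing import Dict, Optional, Protocol, Sequence


class AuthSource(Protocol):
    name: str

    def bind(self, user: str, password: str) -> bool: ...


# Constructed sample directories keyed by profile URL (not real accounts).
# A URL missing from this table stands in for an unreachable LDAP server.
LDAP_TREES: Dict[str, Dict[str, str]] = {
    "ldap://ldap.example.com": {"alice": "pw-alice", "carol": "pw-carol"},
    "ldap://ldap.emea.example.com": {"bob": "pw-bob", "carol": "pw-carol-emea"},
}


@dataclass
class LdapProfile:
    """Stands in for 'set resources auth ldap <name> url <url>'."""
    name: str
    url: str

    def bind(self, user: str, password: str) -> bool:
        tree = LDAP_TREES.get(self.url)
        if tree is None:
            raise ConnectionError(f"{self.url} unreachable")
        # Simulated simple bind: success only when the stored secret matches.
        return tree.get(user) == password


@dataclass
class LocalUsers:
    """Local service users, which the note says can be mixed with LDAP."""
    name: str
    users: Dict[str, str]

    def bind(self, user: str, password: str) -> bool:
        return self.users.get(user) == password


@dataclass
class Decision:
    granted: bool
    granted_by: Optional[str]   # first source that accepted the credentials
    results: Dict[str, str]     # per-source outcome: grant / deny / error


def authenticate(sources: Sequence[AuthSource], user: str, password: str) -> Decision:
    """Check the credentials against every source; one grant is enough.

    Every source is consulted so the decision records what each one said,
    which is the audit detail wanted when several directories can each
    admit a user. An unreachable source is recorded as "error" and treated
    as not-a-grant (an assumption of this model, not documented behaviour).
    """
    results: Dict[str, str] = {}
    granted_by: Optional[str] = None
    for src in sources:
        try:
            ok = src.bind(user, password)
        except ConnectionError:
            results[src.name] = "error"
            continue
        results[src.name] = "grant" if ok else "deny"
        if ok and granted_by is None:
            granted_by = src.name
    return Decision(granted_by is not None, granted_by, results)


def effective_users(sources: Sequence[AuthSource]) -> set:
    """Union of every username any configured source would accept.

    This is the population actually admitted to the VPN: attaching a
    second profile widens it and never narrows it.
    """
    names: set = set()
    for src in sources:
        if isinstance(src, LdapProfile):
            names |= set(LDAP_TREES.get(src.url, {}))
        elif isinstance(src, LocalUsers):
            names |= set(src.users)
    return names


# The two profiles from the page plus a constructed local user, as
# 'set interfaces openvpn vtunX auth ...' would attach them.
VTUN_SOURCES = [
    LdapProfile("example.com", "ldap://ldap.example.com"),
    LdapProfile("emea.example.com", "ldap://ldap.emea.example.com"),
    LocalUsers("local", {"ops-admin": "pw-ops"}),
]

if __name__ == "__main__":
    for user, pw in [("alice", "pw-alice"), ("carol", "pw-carol-emea"), ("dave", "x")]:
        d = authenticate(VTUN_SOURCES, user, pw)
        print(user, "granted" if d.granted else "denied", d.granted_by, d.results)
    print("effective users:", sorted(effective_users(VTUN_SOURCES)))
```

The per-source results are the part worth keeping in logs: with several directories attached to one interface, knowing which one admitted a session is what lets you trace a login back to the directory that holds the account.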

To allow SSL-VPN clients to connect without a TLS client certificate that is specific to an end user, set the client-cert-not-required option. Even if client certificates have been created, they are not included in any SSL-VPN client bundles.

vyatta@vyatta# set interfaces openvpn vtunX client-cert-not-required