Gaining authentication from multiple LDAP servers
To authenticate users of a service against multiple LDAP servers or LDAP trees, create a separate LDAP authentication profile for each server. For two servers, use the following commands:
vyatta@vyatta#set resources auth ldap example.com url ldap://ldap.example.com
vyatta@vyatta#set resources auth ldap example.com ...
vyatta@vyatta#set resources auth ldap emea.example.com url ldap://ldap.emea.example.com
vyatta@vyatta#set resources auth ldap emea.example.com ...
To reference both LDAP profiles in the authentication configuration of a service, use the following commands:
vyatta@vyatta#set interfaces openvpn vtunX auth ldap example.com
vyatta@vyatta#set interfaces openvpn vtunX auth ldap emea.example.com
When a user attempts to authenticate to the OpenVPN vtunX interface, the supplied credentials are checked against each of the configured LDAP profiles.
A single profile that accepts the credentials is sufficient for the user to establish the OpenVPN connection; access does not have to be granted by all the configured profiles. In effect, anyone holding valid credentials in any one of the referenced directories can connect, so each profile should cover only the users who are meant to reach the service.
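The following is an added illustrative model of the "any one profile grants access" rule described above. It is not Vyatta's implementation: the LDAP bind is simulated against constructed in-memory directories (the user names and passwords are invented) so that it runs offline, and the profile names and URLs are the ones from the commands above. It shows the two cases a practitioner would want to confirm: a user known only to the second tree still gets in, and an outage of one server does not lock out users of the other.

```python
# Added illustrative model of multi-profile LDAP authentication.
# Not Vyatta's code: the bind is simulated with constructed data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


class LdapUnreachable(Exception):
    """The LDAP server behind a profile could not be contacted."""


@dataclass
class LdapProfile:
    """Stand-in for one 'resources auth ldap <name>' profile."""
    name: str
    url: str
    # Constructed directory: username -> password. A real profile
    # would perform an LDAP bind against `url` instead.
    users: Dict[str, str] = field(default_factory=dict)
    reachable: bool = True

    def bind(self, username: str, password: str) -> bool:
        """Simulated simple bind: True on valid credentials, else False."""
        if not self.reachable:
            raise LdapUnreachable(self.url)
        return self.users.get(username) == password


def authenticate(profiles: Sequence[LdapProfile], username: str,
                 password: str) -> Tuple[bool, Optional[str], List[str]]:
    """Try each configured profile in order.

    Returns (granted, name of the granting profile or None, names of
    profiles that could not be reached). The first profile that accepts
    the credentials grants access; a profile that rejects them, or is
    down, does not veto a later profile.
    """
    unreachable: List[str] = []
    for profile in profiles:
        try:
            if profile.bind(username, password):
                return True, profile.name, unreachable
        except LdapUnreachable:
            unreachable.append(profile.name)
    return False, None, unreachable


# Constructed sample data mirroring the two profiles in the text.
PROFILES = [
    LdapProfile("example.com", "ldap://ldap.example.com",
                users={"alice": "correct-horse"}),
    LdapProfile("emea.example.com", "ldap://ldap.emea.example.com",
                users={"bob": "battery-staple"}),
]


def demo() -> Dict[str, Tuple[bool, Optional[str], List[str]]]:
    """Run the cases worth confirming and return their outcomes."""
    results = {
        # User known only to the second tree still gets in.
        "bob_emea": authenticate(PROFILES, "bob", "battery-staple"),
        # Wrong password is rejected by both trees.
        "bob_bad": authenticate(PROFILES, "bob", "wrong"),
        # Unknown user is rejected everywhere.
        "mallory": authenticate(PROFILES, "mallory", "x"),
    }
    # Outage of the first server must not lock out users of the second,
    # but it does deny users who exist only in the first tree.
    PROFILES[0].reachable = False
    results["bob_during_outage"] = authenticate(PROFILES, "bob", "battery-staple")
    results["alice_during_outage"] = authenticate(PROFILES, "alice", "correct-horse")
    PROFILES[0].reachable = True
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point to take from the model is that the set of people who can connect is the union of the referenced directories, and a failed bind in one tree is never a denial on its own; only rejection (or unreachability) by every profile denies access.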
To allow SSL-VPN clients to connect without a per-user TLS client certificate, set the client-cert-not-required option. When this option is set, client certificates are not included in any SSL-VPN client bundle, even if they have been generated, and the user's credentials (for example, those checked against the LDAP profiles above) become the only per-user authentication of the tunnel.
vyatta@vyatta#set interfaces openvpn vtunX client-cert-not-required