Enhance LDAP remote database authentication

[gsanchietti]

Improve authentication flexibility for Active Directories and other LDAP configurations with unknown distinguished name (DN) setups.

This feature is essential for users who need to authenticate against LDAP directories with unique or unknown DN structures. Ensures that OpenVPN authentication is robust and adaptable to various LDAP configurations.

Purpose of the feature

• Allow custom user DN configurations for more robust LDAP authentication.
• Provide support for diverse LDAP setups, including those with non-standard DN formats.

Proposed solution

• Add a user_bind_dn field:
  • This field can override the default OpenVPN authentication logic.
  • Supports the %u placeholder, which will be replaced with the username.
  • Example: %u@domain.local where domain.local is the Active Directory domain.

Backend required changes:

1. python3-nethsec user Library: implement logic to handle the custom user_bind_dn field.
2. OpenVPN Roadwarrior authentication: update authentication mechanisms to use the new user_bind_dn field.
3. ns.users API: modify API to accept and process the user_bind_dn field.
4. mgration process: evaluate and implement necessary changes to support existing users during migration.

Frontend required changes:

1. Remove automatic configuration of LDAP parameters
2. Add user_bind_dn field: include a new field for custom user bind DN, no validation required for this field to allow maximum flexibility.

Other changes

1. documentation: document common usage scenarios to guide users in configuring the new field.

Example:

# Allows for custom DN configuration
user_bind_dn: '%u@domain.local'

[github-actions[bot]]

Testing image version: 23.05.3-ns.1.0.1-41-ge07c2589

Testing package for NS7: nethserver-firewall-migration-0.0.18-1.3.g9d1026f.ns7.noarch.rpm

[gsanchietti]

Test case 1

• Configure a new remote database connected OpenLDAP server running on NS7, do not specify the Custom user bind DN field
• Connect the OpenVPN road warrior server to the remote database
• Configure the OpenVPN road warrior with user and password authentication
• Verify the clients can connect and authenticate to the OpenVPN server

Test case 2

• Configure a new remote database connected Active Directory server running on NS7, do not specify the Custom user bind DN field
• Connect the OpenVPN road warrior server to the remote database
• Configure the OpenVPN road warrior with user and password authentication
• Verify the clients can connect and authenticate to the OpenVPN server

Test case 3

• Configure a new remote database connected Active Directory server running on NS7
• Specify the Custom user bind DN field as %u@domain
• Connect the OpenVPN road warrior server to the remote database
• Configure the OpenVPN road warrior with user and password authentication
• Verify the clients can connect and authenticate to the OpenVPN server

Test case 4

• Configure a new remote database connected Active Directory server running on NS7
• Specify the Custom user bind DN field as REALM\%u
• Connect the OpenVPN road warrior server to the remote database
• Configure the OpenVPN road warrior with user and password authentication
• Verify the clients can connect and authenticate to the OpenVPN server

Test case 5

• Repeat test case 3 with Microsoft Active Directory

Test case 6

• Repeat test case 4 with Microsoft Active Directory

Test case 7

• Configure a NS7 machine and connect it to a remote NethServer Active Directory
• Configure the OpenVPN road warrior with user and password authentication
• Migrate the machine
• Verify the user page display all Active Directory users
• Verify clients can connect and authenticate to the OpenVPN server using %u@domain as user name

Test case 8

• Repeat test case 7 with a remote Microsoft Active Directory

[gsanchietti]

Test cases 1,2,3,4,5,6 verified by Luca D.

[gsanchietti]

Test cases 7 and 8 verified by Luca D. Still, the migration could bring different configuration based on the remote AD type (Samba or Microsoft). After the migration, the user should review the following fields:

• User attribute field
• User CN field
• Custom user bind DN
• User DN