This guide covers how to configure Anybus Defender for VPN connectivity with clients whose user accounts are authenticated through an LDAP server. A typical server with LDAP connectivity is Microsoft Active Directory; in this guide an open-source LDAP server (OpenLDAP, slapd) on Ubuntu Linux is used instead.
Anybus Defender 6000 and 8000 series with PRO licenses
Ubuntu Linux as the LDAP server (used in this guide)
The Ubuntu Linux host should be assigned a static IP address on the interface that serves LDAP.
In the file "/etc/netplan/<*.yaml.dpkg-backup>", add the following configuration (0.0.0.0 values are placeholders to replace with your own addresses):
network:
  version: 2
  ethernets:
    <interface>:                  # name of the LDAP-facing interface, e.g. as shown by "ip link"
      dhcp4: no
      addresses: [0.0.0.0/0]      # static address and prefix length of this host
      gateway4: 0.0.0.0           # deprecated in newer Netplan; "routes" below is the current form
      routes:
        - to: default
          via: 0.0.0.0            # default gateway
      nameservers:
        addresses: [0.0.0.0, 0.0.0.0]   # DNS servers
To install the LDAP server and the client utilities:
sudo apt install slapd && sudo apt install ldap-utils
Then start the package configuration:
sudo dpkg-reconfigure slapd
A text-based dialog prompts for the options that configure the slapd service. The DNS domain name, organization name and administrator password define how the directory is configured and initialized; the DNS domain name determines the base DN that the later steps refer to as "dc=example,dc=com".
Once installed, add a firewall rule on the Ubuntu host that allows traffic to the default LDAP port (389); this can fix timeout and authentication errors:
sudo ufw allow 389
Before connecting with OpenVPN to the LDAP server, users and groups with passwords must be created.
In a Bash terminal, run the following command to create a hashed password:
slappasswd
It prompts for the password and prints a hashed string starting with {SSHA}.
Create a new file with the ".ldif" extension and add a new user entry:
# The dc components must match the base DN chosen during package configuration
dn: uid=user_ldap,ou=people,dc=hms,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: user_ldap
sn: hms
uid: user_ldap
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/anybus
loginShell: /bin/bash
mail: [email protected]
# Replace <slappasswd> with the {SSHA} string printed by slappasswd
userPassword: <slappasswd>
Save the file, return to the terminal, check the service state and make sure the server is running:
sudo systemctl status slapd
sudo systemctl start slapd
Then add the new user entry, binding as the administrator DN created during package configuration (ldapadd prompts for the administrator password because of -W):
ldapadd -H ldap://<LDAP_server_IP-Address> -D "cn=<>,dc=<>,dc=<>" -W -f <filename>.ldif
Next, follow the OpenVPN wizard to create a VPN server and select LDAP as the authentication source.
In the OpenVPN menu under "VPN", go to "Wizards" and select "LDAP" as Type of Server. Then fill in the LDAP server settings:
Name the LDAP server
Enter the hostname or IP address of the LDAP server installed on Ubuntu Linux
Leave the port at its default
Search Scope Base Distinguished Name: the base DN defined during package configuration, for example "dc=example,dc=com"
To discover which authentication containers are stored in the LDAP server database, use ldapsearch in a Linux terminal:
ldapsearch -x -H ldap://<IP-ADDRESS_LDAP_SERVER> -b "dc=example,dc=com"
This prints every user and group entry under the base DN. Find the line describing a user entry, for example
"uid=example,ou=<examplegroup>,dc=example,dc=com"
and copy the part after the uid, "ou=<examplegroup>,dc=example,dc=com", into the "Authentication containers" field.
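The container value can also be extracted mechanically. The following Python script is an added example, not part of this guide: it parses LDIF as printed by ldapsearch (comment lines, entries separated by blank lines, folded continuation lines starting with a space, and "::" base64 attributes) and returns the parent DN of every user entry, which is exactly the string the "Authentication containers" field expects. The ldapsearch output embedded below is constructed for the example, not captured from a server; the user and OU names in it are assumptions.

```python
import base64
from typing import Dict, List

# Constructed sample of "ldapsearch -x -H ldap://<server> -b dc=example,dc=com"
# output (not captured from a real server). It includes one folded dn line and
# one base64-encoded attribute so that both LDIF features are exercised.
SAMPLE_LDAPSEARCH_OUTPUT = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example
dc: example

# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

# user_ldap, people, example.com
dn: uid=user_ldap,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: user_ldap
uid: user_ldap
description:: QW55YnVzIERlZmVuZGVyIHVzZXI=

# svc_defender, service, example.com
dn: uid=svc_defender,ou=service,dc=example,
 dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: svc_defender
uid: svc_defender

# vpnusers, groups, example.com
dn: cn=vpnusers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: vpnusers
gidNumber: 10001
memberUid: user_ldap

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch LDIF output into a list of {attribute: [values]} entries."""
    # Unfold: a line starting with a single space continues the previous line
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue                      # ldapsearch comments
        if not line.strip():
            if "dn" in current:           # the "search:/result:" trailer has no dn; drop it
                entries.append(current)
            current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64>" carries a base64 value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    return entries


def discover_containers(text: str) -> List[str]:
    """Return the parent DNs of user entries: the 'Authentication containers' values."""
    containers = set()
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if not classes & {"posixaccount", "inetorgperson"}:
            continue                      # OUs, groups and the base entry are not users
        # Strip the first RDN (uid=...); assumes no escaped commas inside the RDN
        _, _, parent = entry["dn"][0].partition(",")
        containers.add(parent)
    return sorted(containers)


if __name__ == "__main__":
    for container in discover_containers(SAMPLE_LDAPSEARCH_OUTPUT):
        print(container)   # paste into "Authentication containers"
```

To use it against a real directory, pipe the ldapsearch command above into the script in place of the embedded sample; several containers are listed when users live in more than one OU, and the wizard field accepts them separated by semicolons only if your Defender version documents that, so otherwise pick the OU that holds the VPN users.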
Leave the remaining fields empty and proceed with "Add new server".
Unless existing LDAP certificates are available, continue by adding a new CA and enter the information as needed.
Configure the OpenVPN server: interface, local port, tunnel network and local network.
Next, check the Firewall Rules and the OpenVPN rule.
Find "System Logs" under "Status" and, in the "Settings" tab, set Remote log servers to the IP address of the LDAP server. Then "Save".
To assign user-specific rules, create a "Username" in "User manager" under "System" that matches the user entry in LDAP and set its scope to "Remote".
Firewall Aliases must be set for each client in "Aliases" under "Firewall" → "Add":
"Name": the alias name
"IP or FQDN": the virtual IP address of the OpenVPN client
Afterwards, under VPN → OpenVPN → Client Specific Overrides, set the Common Name so it matches the alias.
Under Advanced, type "ifconfig-push 0.0.0.0 <netmask>", with the client's virtual IP address in place of 0.0.0.0 and the netmask of the tunnel network.
Set firewall rule(s) that pass packets from the user (the alias) to the destination. This rule controls the VPN client's access to an endpoint in the network.
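A rule keyed on the alias only matches traffic if the client actually receives the alias address, so the alias, the override and the tunnel network must agree. The following Python script is an added example, not part of this guide: it renders the "ifconfig-push <ip> <netmask>" line for each override from the tunnel network and flags addresses that would silently break the rule (outside the tunnel network, reserved, or assigned twice). The tunnel network and the alias table are constructed values, and the script assumes OpenVPN's subnet topology, where the server holds the first usable address.

```python
import ipaddress
from typing import Dict, List

# Constructed values, not from the guide: the tunnel network chosen in the OpenVPN
# wizard and the per-client aliases created under Firewall -> Aliases
# (alias name doubles as the Common Name in the Client Specific Override).
TUNNEL_NETWORK = "10.8.0.0/24"
CLIENT_ALIASES = {
    "user_ldap": "10.8.0.10",
    "svc_defender": "10.8.0.11",
    "bad_client": "10.9.0.5",    # deliberate mistake: outside the tunnel network
    "dup_client": "10.8.0.10",   # deliberate mistake: duplicates user_ldap's address
}


def override_lines(tunnel: str, aliases: Dict[str, str]) -> Dict[str, str]:
    """Render the Advanced field of each Client Specific Override."""
    net = ipaddress.ip_network(tunnel)
    return {name: f"ifconfig-push {ip} {net.netmask}" for name, ip in aliases.items()}


def check_aliases(tunnel: str, aliases: Dict[str, str]) -> List[str]:
    """Return problems that would make an alias-based firewall rule never match."""
    net = ipaddress.ip_network(tunnel)
    server_addr = next(net.hosts())   # subnet topology: server takes the first usable address
    problems: List[str] = []
    seen: Dict[ipaddress.IPv4Address, str] = {}
    for name, ip_text in aliases.items():
        ip = ipaddress.ip_address(ip_text)
        if ip not in net:
            problems.append(f"{name}: {ip} is outside tunnel network {net}")
            continue
        if ip in (server_addr, net.network_address, net.broadcast_address):
            problems.append(f"{name}: {ip} is reserved (server, network or broadcast)")
        if ip in seen:
            problems.append(f"{name}: {ip} is already assigned to {seen[ip]}")
        seen.setdefault(ip, name)
    return problems


if __name__ == "__main__":
    for name, line in override_lines(TUNNEL_NETWORK, CLIENT_ALIASES).items():
        print(f"{name}: {line}")
    for problem in check_aliases(TUNNEL_NETWORK, CLIENT_ALIASES):
        print("PROBLEM:", problem)
```

Run the check whenever an alias or override changes; a client that reports a problem here will connect fine but land outside its rule, so its traffic is handled by the general OpenVPN rule instead of the per-user one.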