
openvpn: Add required configuration for LDAP auth

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm 3 years ago
parent
commit
b24bcc2303
3 changed files with 60 additions and 0 deletions
  1. 27 0
      openvpn/init.sls
  2. 21 0
      openvpn/ldap-auth/ldap.conf.tmpl
  3. 12 0
      openvpn/ldap-auth/openvpn.pam.d

+ 27 - 0
openvpn/init.sls

@@ -150,3 +150,30 @@ Cleanup /etc/openvpn/{{ netname }}:
     {% endif %}
   {% endif %}
 {% endfor %}
+
+
+#
+# OPS VPN?
+#
+{% if 'ops-vpn' in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':roles', [])  %}
+/etc/pam.d/openvpn:
+  file.managed:
+    - source: salt://openvpn/ldap-auth/openvpn.pam.d
+
+/etc/ldap/ldap.conf:
+  file.managed:
+    - source: salt://openvpn/ldap-auth/ldap.conf.tmpl
+    - template: jinja
+    - context:
+      server_uri: {{ salt['pillar.get']('ldap:global:server_uri') }}
+      base_dn: {{ salt['pillar.get']('ldap:global:base_dn') }}
+      bind_dn: {{ salt['pillar.get']('ldap:openvpn:bind_dn') }}
+      bind_pw: {{ salt['pillar.get']('ldap:openvpn:bind_pw') }}
+{% else %}
+
+/etc/pam.d/openvpn:
+  file.absent
+
+/etc/ldap/ldap.conf:
+  file.absent
+{% endif %}
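Review bot: The `/etc/ldap/ldap.conf` state in the `ops-vpn` branch renders `bind_pw` into the file but sets no `user`/`group`/`mode`, so without an explicit mode the deployed file that now contains the LDAP bind password is created world-readable under the usual umask; add `- mode: '0640'` with a `- group` matching whatever the OpenVPN/PAM process runs as, and `- show_changes: False` so the password does not end up in state output and the job cache. The pillar values are also interpolated unquoted into the YAML `context` mapping, so a password containing `: `, ` #` or a leading YAML indicator breaks or retypes the state; render them safely, e.g. `bind_pw: {{ salt['pillar.get']('ldap:openvpn:bind_pw') | yaml_encode }}`. The `{% else %}` branch deletes `/etc/ldap/ldap.conf` outright, which is the host-wide libldap client config that other tools may rely on, so it is worth confirming nothing else on these minions manages or needs it before removing it unconditionally.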

+ 21 - 0
openvpn/ldap-auth/ldap.conf.tmpl

@@ -0,0 +1,21 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+URI	{{ server_uri }}
+BASE	{{ base_dn }}
+
+{% if bind_dn and bind_pw %}
+BINDDN {{ bind_dn }}
+BINDPW {{ bind_pw }}
+{% endif %}
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
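Review bot: The comment `# This file should be world readable but not world writable.` (carried over from the stock ldap.conf) contradicts what the template now does: when `bind_dn` and `bind_pw` are set, `BINDPW {{ bind_pw }}` writes the bind password in clear text, so the rendered file must not be world-readable; change it to `# Contains the LDAP bind password when bind_dn/bind_pw are set; keep this file readable only by the OpenVPN/PAM user, not world readable.` and have the deploying state set the mode to match. Server verification currently rests on `TLS_CACERT` alone; adding an explicit `TLS_REQCERT demand` line would pin that intent rather than depending on the library default. It is also worth confirming which configuration file the `pam_ldap.so` in this stack actually reads, since some pam_ldap implementations use their own file rather than `/etc/ldap/ldap.conf`, in which case the URI/bind settings here would never reach PAM.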

+ 12 - 0
openvpn/ldap-auth/openvpn.pam.d

@@ -0,0 +1,12 @@
+#
+# LDAP auth for OpenVPN (Salt managed)
+#
+auth		sufficien	pam_ldap.so
+auth		required	pam_deny.so
+
+account		sufficient	pam_ldap.so
+account		required	pam_deny.so
+
+session		required	pam_deny.so
+
+password	required	pam_deny.so
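Review bot: `auth		sufficien	pam_ldap.so` on the first rule has a misspelled control flag (`sufficien` for `sufficient`); as far as I recall Linux-PAM does not accept an unknown control token and treats that rule as failing, so the LDAP rule never succeeds and the following `auth required pam_deny.so` denies every login — fail-closed, but the stack does nothing useful until it is fixed. The line should read `auth		sufficient	pam_ldap.so`, matching the `account` stanza below it. `session required pam_deny.so` refuses any caller that opens a PAM session under this service name; if the OpenVPN PAM plugin only runs the auth and account stacks that is harmless, but a one-line comment such as `# session/password are deliberately denied: OpenVPN only uses auth and account` would stop the next reader from "fixing" it.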