This topic describes how to establish an SSL-VPN connection by using the Lightweight Directory Access Protocol (LDAP) authentication feature of Identity as a Service (IDaaS).

Background information

A company has created a virtual private cloud (VPC) in the US (Silicon Valley) region. The CIDR block of the VPC is 192.168.0.0/16. Due to business requirements, staff on business trips need to access resources deployed in the VPC from remote clients.

Architecture for LDAP authentication

The company has built an Active Directory (AD) system. For security purposes, the company requires that staff must pass identity authentication provided by the AD system before the staff can access resources deployed in the VPC.

You can create a VPN gateway in the cloud, configure the SSL server, enable two-factor authentication, and specify an IDaaS instance to perform LDAP authentication. Before an employee can log on to the OpenVPN client and establish an SSL-VPN connection, the employee must pass the LDAP authentication provided by the IDaaS system. The LDAP authentication sends the username and password provided by the employee to the AD system and returns the result. The VPN gateway establishes the SSL-VPN connection only after the employee passes the authentication. Then, the employee can use the SSL-VPN connection to access resources deployed in the VPC.

Preparations

Before you start, make sure that the following requirements are met:
  • A Standard Edition IDaaS instance is purchased.

    In this example, a Standard Edition IDaaS instance is purchased in the Singapore (Singapore) region.

  • A VPC is created. For more information, see Work with VPCs.

    In this example, a VPC is created in the US (Silicon Valley) region and the CIDR block of the VPC is 192.168.0.0/16. The CIDR block of the Elastic Compute Service (ECS) instance is 192.168.0.0/24.

  • The public IP address and service port of the server (LDAP server) where the AD system is deployed are obtained.

    In this example, the AD system is deployed in a server that runs the Windows Server 2019 operating system. The public IP address of the LDAP server is 47.XX.XX.8 and the service port is 389.

  • The Base DN of the LDAP server is obtained.

    In this example, the Base DN of the LDAP server is dc=zxtest,dc=com.

  • The DN, username, and password of the administrator of the LDAP server are obtained.
    In this example, the administrator username is Administrator and the password is 1****2. The administrator DN is cn=Administrator,cn=Users,dc=zxtest,dc=com, as shown in the following figure.

    Administrator DN

Procedure

Step 1: Enable LDAP authentication

Before you can establish an SSL-VPN connection, you must enable LDAP authentication in the IDaaS instance and synchronize Alibaba Cloud account data for further authentication.

  1. Add the LDAP authentication source.
    1. Log on to the IDaaS console.
    2. On the Instances page, find the IDaaS instance and click its ID.
    3. In the left-side navigation pane, click Authentication Sources.
    4. In the upper-right corner of the Authentication Sources page, click Add Authentication Source.
    5. On the Add Authentication Source page, find the LDAP icon and click Add Authentication Source in the Actions column.
    6. In the Add Authentication Source (LDAP) panel, set the following parameters and click Submit.
      • ID: This value is automatically generated by the system.
      • Name: Enter a custom name.
      • LDAP URL: Enter the URL of the LDAP server. The LDAP server refers to the server where the AD system is deployed. Set the value in the following format: ldap://127.0.0.1:389/. ldap://47.XX.XX.8:389/ is used in this example.

        If the server uses an IPv6 address, set the value in the following format: ldap://[0000:0000:0000:0000:0000:0000:0000:0001]:389/.

        Note IDaaS can be accessed only over the Internet. The LDAP server must provide a public IP address and open port 389. You can configure the security group of the LDAP server to allow only the public IP address of IDaaS to access the LDAP server. For more information about the public IP address of IDaaS, submit a ticket to consult the Alibaba Cloud IDaaS team.
      • LDAP Base: Enter the Base DN of the LDAP server. dc=zxtest,dc=com is used in this example.
      • LDAP Account: Enter the administrator account DN of the LDAP server. cn=Administrator,cn=Users,dc=zxtest,dc=com is used in this example.
      • LDAP account password: Enter the password of the administrator of the LDAP server.
      • Filter Condition: Enter the filter condition used to query account names. (sAMAccountName=$username$) is used in this example.

        $username$ specifies the IDaaS username and is a fixed value.

      For more information, see LDAP as Authentication Source.
    7. On the Authentication Source page, find the authentication source, click Enable the authentication source in the Status column, and then click OK in the dialog box that appears to enable the authentication source.
  2. Synchronize the LDAP account configurations by importing the account data of the LDAP server to the IDaaS system.
    1. In the left-side navigation pane, click Organizations and Groups.
    2. In the upper-right corner of the Organizations and Groups page, click Configure LDAP. In the Configure LDAP panel, click Create.
    3. On the Server Connection tab of the Configure LDAP panel, set the following parameters and click Save.
      • AD/LDAP Name: Enter a custom name.
      • Server Address: Enter the public IP address of the LDAP server. 47.XX.XX.8 is used in this example.
      • Port Number: Enter the number of the port used by the LDAP server to provide services. 389 is used in this example.
      • Base DN: Enter the node DN of the account with which you want to synchronize. dc=zxtest,dc=com is used in this example.
        Note If Base DN is changed when IDaaS is synchronizing data with the LDAP or AD server, the system may fail to synchronize data due to unmatched organization directories. Therefore, do not modify Base DN after you set it. If you want to synchronize data with more than one directory, we recommend that you configure LDAP multiple times.
      • Administrator DN: Enter the administrator DN. cn=Administrator,cn=Users,dc=zxtest,dc=com is used in this example.
      • Password: Enter the password of the administrator.
      • Select Type: Select the type of your LDAP server. Windows AD is selected in this example.
      • Owned OU node: Select the IDaaS organization node to which account data is imported. If you ignore this parameter, data is imported to the root organization unit (OU). This parameter is ignored in this example.
      • From LDAP to IDaaS: If you select Enable, you can manually synchronize data from the LDAP server to the IDaaS system. Enable is selected in this example.
      • Provision from IDaaS to LDAP: If you select Enable, data from the IDaaS system can be automatically synchronized to the LDAP server. Enable is selected in this example.

      After you set the preceding parameters, you can click Connection to test the connectivity. If the test fails, check the network connectivity and whether the parameters are correctly set.

    4. On the Field Matching Rules tab of the Configure LDAP panel, set the following parameters and click Save.
      Field matching rules are used to match the fields of the IDaaS system with the attributes of the LDAP server. For example, the cn field of the LDAP server corresponds to the username of the IDaaS system.
      • Username: cn is used in this example.
        Note If the value of the cn field is set in Chinese in the AD system, the field cannot be matched with the IDaaS system. We recommend that you use the sAMAccountName field.
      • External ID: If the type of the LDAP server is Windows AD, enter objectGUID. If the type of the LDAP server is OpenLdap, enter uid. objectGUID is used in this example.
      • Password Attribute: If the type of the LDAP server is Windows AD, enter unicodePwd. If the type of the LDAP server is OpenLdap, enter userPassword. unicodePwd is used in this example.
      • User Unique Identifier: If the type of the LDAP server is Windows AD, enter DistinguishedName. If the type of the LDAP server is OpenLdap, enter EntryDN. DistinguishedName is used in this example.
      • Email: mail is used in this example.
      For more information, see LDAP Provision Configuration.
    5. On the OUs and Groups page, choose Import > LDAP > OU.
    6. In the LDAP list panel, find the LDAP and click Import. In the dialog box that appears, click OK. In the OU Temporary Data panel, confirm the organization information and click Confirm Import.
    7. In the OUs section of the current page, select the OU. In the OU details section, choose Import > LDAP > Account.
    8. In the LDAP List panel, find the LDAP and click Import. In the dialog box that appears, click OK. In the Account Temporary Data LDAP List panel, confirm the account information and click Confirm Import to synchronize the account information from the LDAP server to the IDaaS system.
  3. Enable LDAP authentication for cloud services.
    1. In the left-side navigation pane, choose Settings > Security Settings.
    2. On the Security Settings page, click the Cloud Product AD Authentication tab.
    3. Select the LDAP authentication source that you created, enable this feature, and then click Save.
      The authentication source
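The following Python pre-check is an added example and is not part of the Alibaba Cloud documentation or the IDaaS product. It validates, offline, the values entered in the Add Authentication Source (LDAP) panel and the Configure LDAP panel above: the ldap:// URL format (IPv4, hostname, or bracketed IPv6), the filter template with the fixed $username$ placeholder (with RFC 4515 escaping applied to the substituted name), whether the administrator DN lies under the Base DN, and whether port 389 is reachable at all. The Base DN and administrator DN are the page's examples; 47.XX.XX.8 is the page's masked address, and the username jdoe and the host ldap.example.com are constructed.

```python
"""Pre-check helpers for the LDAP parameters used by the IDaaS authentication
source. Added example, not Alibaba Cloud or IDaaS code. jdoe and
ldap.example.com are constructed values; 47.XX.XX.8 is the page's masked IP."""
import ipaddress
import socket


def ldap_url(host: str, port: int = 389) -> str:
    """Render the LDAP URL in the form the panel expects: ldap://<host>:<port>/,
    with IPv6 literals written in brackets (ldap://[...]:389/)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return f"ldap://{host}:{port}/"  # plain hostname (or a masked address)
    host_part = f"[{addr.exploded}]" if addr.version == 6 else str(addr)
    return f"ldap://{host_part}:{port}/"


# RFC 4515 escapes for a value substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, username: str) -> str:
    """Substitute the fixed $username$ placeholder the way you would when
    testing the filter yourself against the server; the name is escaped so
    that a username containing filter metacharacters keeps the query's shape."""
    if "$username$" not in template:
        raise ValueError("filter template must contain $username$")
    return template.replace("$username$", escape_filter_value(username))


def dn_under_base(dn: str, base_dn: str) -> bool:
    """True if dn sits at or below base_dn, e.g. the administrator DN under
    the LDAP Base. Simple normalisation only; escaped commas are not handled."""
    def norm(s: str) -> str:
        return ",".join(part.strip().lower() for part in s.split(","))
    d, b = norm(dn), norm(base_dn)
    return d == b or d.endswith("," + b)


def port_reachable(host: str, port: int = 389, timeout: float = 3.0) -> bool:
    """TCP-level check that the service port answers from this machine; the
    Note above requires the LDAP server to expose port 389 to IDaaS."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    base = "dc=zxtest,dc=com"
    admin = "cn=Administrator,cn=Users,dc=zxtest,dc=com"
    print(ldap_url("47.XX.XX.8"))
    print(render_filter("(sAMAccountName=$username$)", "jdoe"))
    print("administrator DN under Base DN:", dn_under_base(admin, base))
```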

Step 2: Deploy SSL-VPN

After you enable LDAP authentication, you can deploy SSL-VPN, enable two-factor authentication for SSL-VPN, and associate the IDaaS instance. Then, you can establish an SSL-VPN connection after you pass the LDAP authentication.

  1. Create a VPN gateway.
    1. Log on to the VPN Gateways console.
    2. In the left-side navigation pane, choose VPN > VPN Gateways.
    3. On the VPN Gateways page, click Create VPN Gateway.
    4. On the buy page, set the following parameters and click Buy Now to complete the payment:
      • Name: Enter a name for the VPN gateway.
      • Region: Select the region where you want to deploy the VPN gateway. US (Silicon Valley) is selected in this example.
        Note Make sure that the VPN gateway and VPC are deployed in the same region.
      • VPC: Select the VPC to be associated with the VPN gateway.
      • Specify vSwitch: Specify whether to create the VPN gateway within a vSwitch of the VPC. No is selected in this example.

        If you select Yes, you must also specify a vSwitch.

      • Peak Bandwidth: Specify the maximum bandwidth for the VPN gateway. The bandwidth is used for data transfer over the Internet. 10 Mbit/s is selected in this example.
      • Traffic: Pay-by-data-transfer is selected by default. For more information, see Pay-as-you-go.
      • IPsec-VPN: You can enable or disable the IPsec-VPN feature. After you enable this feature, you can establish connections between a data center and a VPC or between two VPCs. Disable is selected in this example.
      • SSL-VPN: You can enable or disable the SSL-VPN feature. After you enable this feature, you can connect to the VPC from a client regardless of the location. Enable is selected in this example.
      • SSL connections: Select the maximum number of concurrent SSL-VPN connections. 5 is selected in this example.
        Note You can set this parameter only when the SSL-VPN feature is enabled.
      • Duration: By default, VPN gateways are billed on an hourly basis.
  2. Create an SSL server.
    1. In the left-side navigation pane, choose VPN > SSL Servers.
    2. In the top navigation bar, select the region where you want to create the SSL server.
      US (Silicon Valley) is selected in this example.
    3. On the SSL Servers page, click Create SSL Server.
    4. In the Create SSL Server panel, set the following parameters and click OK.
      Enable two-factor authentication
      • Name: Enter a name for the SSL server.

        The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

      • VPN Gateway: Select the VPN gateway you created.
      • Local Network: Enter the CIDR block to be accessed by the client over the SSL-VPN connection. 192.168.0.0/24 is used in this example.
      • Client Subnet: Enter a CIDR block that the client uses when the client is connected to the SSL server. 10.0.0.0/24 is used in this example.
      • Advanced Configuration: Enable advanced configurations and set the following parameters.
        • Protocol: Select the protocol for the SSL-VPN connection. Valid values: UDP and TCP. The default value UDP is used in this example.
        • Port: Enter the port number used in the SSL-VPN connection. The default value 1194 is used in this example.
        • Encryption Algorithm: The encryption algorithm used in the SSL-VPN connection. Supported encryption algorithms include AES-128-CBC, AES-192-CBC, and AES-256-CBC. The default algorithm AES-128-CBC is used in this example.
        • Enable Compression: Specify whether to compress the transmitted data. The default setting, No, is selected in this example.
        • Two-factor Authentication: Enable two-factor authentication and select an IDaaS instance.
          • IDaaS Instance Region: Select the region where the IDaaS instance is deployed. Singapore (Singapore) is selected in this example.
          • IDaaS Instance: Select the IDaaS instance.
          Note If this is your first time using two-factor authentication, you must authorize the VPN gateway to access the IDaaS instance before you create the SSL server.
  3. Create and download an SSL client certificate.
    1. In the left-side navigation pane, choose VPN > SSL Clients.
    2. In the top navigation bar, select the region where the SSL client is deployed.
      US (Silicon Valley) is selected in this example.
    3. On the SSL Clients page, click Create Client Certificate.
    4. In the Create Client Certificate panel, set the following parameters and click OK.
      • Name: Enter a name for the SSL client certificate.

        The name must be 2 to 128 characters in length and can contain digits, underscores (_), and hyphens (-). It must start with a letter.

      • SSL Server: Select the SSL server that you created.
    5. On the SSL Clients page, find the SSL client certificate and click Download in the Actions column.
      The SSL client certificate is downloaded to your on-premises machine.

Step 3: Configure the client

Perform the following operations to configure the client:

  1. If you use a Windows client, perform the following steps:
    1. Download and install the OpenVPN client.
      Download OpenVPN.
    2. Extract and copy the downloaded SSL client certificate to the OpenVPN\config directory.
      In this example, the certificate is copied to C:\Program Files\OpenVPN\config. You must copy the certificate to the directory where the OpenVPN client is installed.
    3. Start the OpenVPN client and enter the username and password for authentication.
      LDAP client authentication
  2. If you use a Linux client, perform the following steps:
    1. Run the following command to install the OpenVPN client:
      yum install -y openvpn
    2. Extract and copy the downloaded SSL client certificate to the /etc/openvpn/conf/ directory.
    3. Run the following command to start the OpenVPN client and enter the username and password for authentication.
      openvpn --config /etc/openvpn/conf/config.ovpn --daemon
      Start OpenVPN
  3. If you use a Mac client, perform the following steps:
    1. Run the following command to install the OpenVPN client:
      brew install openvpn
      Note If Homebrew is not installed, install Homebrew first.
    2. Run the following command to delete the default configuration file:
      rm /usr/local/etc/openvpn/*
    3. Run the following command to copy the file to the configuration directory:
      cp cert_location /usr/local/etc/openvpn/

      In the preceding command, replace cert_location with the directory where the SSL client certificate is downloaded. For example, /Users/example/Downloads/certs.zip.

    4. Run the following commands to extract the certificate that you copied in Step 3 into the directory where the OpenVPN client is installed:
      cd /usr/local/etc/openvpn
      unzip /usr/local/etc/openvpn/certs.zip
    5. Run the following command to establish a connection and enter the username and password for authentication.
      sudo /usr/local/opt/openvpn/sbin/openvpn --config /usr/local/etc/openvpn/config.ovpn
      Two-factor authentication for Mac clients

Step 4: Test the connectivity

After you complete the preceding steps, you can run the ping command to test the connectivity between the client and VPC. A Windows client is used in the following example to describe how to test the connectivity between the client and the VPC.

  1. Open the command prompt in the Windows client.
  2. Run the ping command to ping the IP address of the ECS instance deployed in the VPC. This command tests the connectivity between the Windows client and VPC.
    Note Make sure that the security group rules of the ECS instance allow remote access from the Windows client. For more information, see Scenarios for security groups and Configuration guide for ECS security groups.
    The test result shows that the Windows client can access the ECS instance.

    Test the connectivity