{"id":19375067,"url":"https://github.com/phihos/python-openvpn-ldap-auth","last_synced_at":"2025-07-19T18:08:49.917Z","repository":{"id":45428919,"uuid":"352814319","full_name":"phihos/python-openvpn-ldap-auth","owner":"phihos","description":"An auth verify script for OpenVPN to authenticate via LDAP.","archived":false,"fork":false,"pushed_at":"2025-07-07T07:54:47.000Z","size":534,"stargazers_count":4,"open_issues_count":5,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-13T19:58:28.642Z","etag":null,"topics":["ldap-authentication","mfa","openvpn"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/phihos.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-29T23:44:01.000Z","updated_at":"2025-04-21T19:46:25.000Z","dependencies_parsed_at":"2024-04-02T15:26:50.093Z","dependency_job_id":"83b107dc-9410-4edb-8d55-53fc5cbbc83a","html_url":"https://github.com/phihos/python-openvpn-ldap-auth","commit_stats":{"total_commits":63,"total_committers":2,"mean_commits":31.5,"dds":0.2857142857142857,"last_synced_commit":"81efaafc241429db69dffda495d8ae988f4e8a2f"},"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/phihos/python-openvpn-ldap-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phihos%2Fpython-openvpn-ldap-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phihos%2Fpython-openvpn-ldap-auth/tags","releases_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/repositories/phihos%2Fpython-openvpn-ldap-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phihos%2Fpython-openvpn-ldap-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/phihos","download_url":"https://codeload.github.com/phihos/python-openvpn-ldap-auth/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phihos%2Fpython-openvpn-ldap-auth/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265982898,"owners_count":23859576,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ldap-authentication","mfa","openvpn"],"created_at":"2024-11-10T08:36:59.765Z","updated_at":"2025-07-19T18:08:49.893Z","avatar_url":"https://github.com/phihos.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Python OpenVPN LDAP Auth\n\n[![PyPI license](https://img.shields.io/pypi/l/openvpn-ldap-auth.svg)](https://pypi.python.org/pypi/openvpn-ldap-auth/)\n[![PyPI status](https://img.shields.io/pypi/status/openvpn-ldap-auth.svg)](https://pypi.python.org/pypi/openvpn-ldap-auth/)\n[![PyPI version shields.io](https://img.shields.io/pypi/v/openvpn-ldap-auth.svg)](https://pypi.python.org/pypi/openvpn-ldap-auth/)\n[![PyPI pyversions](https://img.shields.io/pypi/pyversions/openvpn-ldap-auth.svg)](https://pypi.python.org/pypi/openvpn-ldap-auth/)\n![main build status](https://github.com/phihos/Python-OpenVPN-LDAP-Auth/actions/workflows/test.yml/badge.svg?branch=main)\n\nAn auth verify script for 
[OpenVPN](https://community.openvpn.net) to authenticate via LDAP. Each VPN login is\nforwarded to this script and the script in turn attempts a simple bind against the specified LDAP server. When the bind\nis successful the script returns exit code 0 telling OpenVPN that the credentials are valid.\n\nAlthough there already is the [openvpn-auth-ldap](https://github.com/threerings/openvpn-auth-ldap) plugin I felt the\nneed to write this auth script. First the source code is more accessible due to it being written in Python. Second it\noffers more possibilities regarding\nOpenVPN's [`static-challenge`](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/) parameter (see\nbelow).\n\nThe downsides of using a script instead of a C-plugin\nare [less performance and slightly reduced security](https://openvpn.net/community-resources/using-alternative-authentication-methods/).\nIf you are fine with that go ahead.\n\n## Quickstart\n\nInstall the package via pip:\n\n```shell\npip install openvpn-ldap-auth\n```\n\nThen create `/etc/openvpn/ldap.yaml`:\n\n```yaml\nldap:\n  url: 'ldaps://first.ldap.tld:636/ ldaps://second.ldap.tld:636/'\n  bind_dn: 'uid=readonly,dc=example,dc=org'\n  password: 'somesecurepassword'\n  timeout: 5 # (optional) wait this many seconds for connection and response\nauthorization:\n  base_dn: 'ou=people,dc=example,dc=org'\n  search_filter: '(uid={})' # optional, {} will be replaced with the username\n  static_challenge: 'ignore' # optional, other values are prepend, append \n```\n\nFind out where `openvpn-ldap-auth` lives:\n\n```shell\nwhich openvpn-ldap-auth\n```\n\nAdd the following line to your OpenVPN server configuration:\n\n```\nscript-security 2\nauth-user-pass-verify /path/to/openvpn-ldap-auth via-file\n```\n\nNow you can start your OpenVPN server and try to connect with a client.\n\n## Installation\n\n### Single Executable\n\nFor those who wish to [sacrifice a little more 
performance](https://pyinstaller.readthedocs.io/en/stable/operating-mode.html#how-the-one-file-program-works) for not having to install or compile a Python interpreter, or who just want to quickly try the script out, this option might be interesting.\nEach [release](https://github.com/phihos/python-openvpn-ldap-auth/releases) also has executables attached to it: *openvpn-ldap-auth-\u0026lt;distro\u0026gt;-\u0026lt;distro-version\u0026gt;-\u0026lt;arch\u0026gt;*. They are created via [PyInstaller](https://www.pyinstaller.org/) on the respective Linux distro, version and architecture. They might also work on other distros provided they use the same or a later libc version than the distro uses.\n\n**Important: /tmp must not be read only.**\n\n### From Source\n\nDownload or clone this repository, cd into it and run\n\n```shell\npip install poetry\npoetry install --without dev\npoetry build\npip install --upgrade --find-links=dist openvpn-ldap-auth\n```\n\nExchange `pip` with `pip3` if applicable.\n\n## Configuration\n\n### Static Challenge\n\nIf you want users to provide a normal password combined with a one-time password, OpenVPN's\n[`static-challenge`](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/) parameter is what you\nare looking for.\n\nIn the client configuration you need to add a line like\n\n```\nstatic-challenge \"Enter OTP\" 1 # use 0 if the OTP should not be echoed\n```\n\nWhen connecting you will now be prompted for your password and your OTP. By setting `authorization.static_challenge` you\ncan now influence how the OTP is used:\n\n- *ignore (default)*: Just use the password for binding.\n- *prepend*: Prepend the OTP to your password and use that for binding.\n- *append*: Append the OTP to your password and use that for binding.\n\nThe last two options are useful if your LDAP server offers internal 2FA validation\nlike [oath-ldap](https://oath-ldap.stroeder.com/).\n\n### Using `via-env`\n\nIn the server configuration the following alternative setting is also supported but discouraged:\n\n```\nauth-user-pass-verify /path/to/openvpn-ldap-auth via-env\n```\n\nOpenVPN's manpage about that topic:\n\n*If method is set to \"via-env\", OpenVPN will call script with the environmental variables username and password set to \nthe username/password strings provided by the client. Be aware that this method is insecure on some platforms which \nmake the environment of a process publicly visible to other unprivileged processes.*\n\nIf you still want to use `via-env`, make sure to set `script-security` to `3`.\n\n## Running Tests\n\nFirst make sure to install [Docker](https://docs.docker.com/engine/install/)\nwith [docker-compose](https://docs.docker.com/compose/install/)\nand [tox](https://tox.readthedocs.io/en/latest/install.html). Then run\n\n```shell\ntox\n```\n\nTo run a specific Python-OpenVPN combination, run something like\n\n```shell\ntox -e python38-openvpn25\n```\n\nTo see a full list of the current environments, see the `tool.tox` section in [pyproject.toml](pyproject.toml).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphihos%2Fpython-openvpn-ldap-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphihos%2Fpython-openvpn-ldap-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphihos%2Fpython-openvpn-ldap-auth/lists"}