LDAP configuration in SRX Dynamic VPN

In this post I describe how to configure an OpenLDAP server on a Linux system so that dynamic VPN users on the SRX authenticate through it. Installing LDAP itself isn’t covered here; please check your Linux distribution’s documentation. My test system involves the following components, and path names may differ depending on your Linux distribution:

Gentoo Linux
SRX 210 Junos 10.4R10.7
Openldap 2.4.30

Let’s start with the LDAP configuration on Linux.

LDAP Configuration

1) Make sure the following schemas are included in /etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

2) Create a file named neworg.ldif with the following content

dn: dc=example,dc=net
objectClass: organization
objectClass: top
objectClass: dcObject
dc: example
o: MyCompany

WARNING: I assume the suffix directive in your slapd.conf is also set to “dc=example,dc=net”

3) Add your organization into ldap via the following command.

ldapadd -x -W -D "cn=Manager,dc=example,dc=net" -f neworg.ldif

Note: Make sure you replace “cn=Manager,dc=example,dc=net” with your own rootdn so that the bind succeeds.

4) Create the following file with the name srx_user.ldif

dn: uid=genco,dc=example,dc=net
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
objectclass: posixAccount
uid: genco
uidNumber: 500
gidNumber: 500
homeDirectory: /home/genco
userPassword: test123
loginShell: /bin/bash
cn: Genco
sn: test sn

5) Add the new user from the srx_user.ldif file as below:

ldapadd -x -W -D "cn=Manager,dc=example,dc=net" -f srx_user.ldif

If you haven’t received any errors so far, you should now have a working user entry in LDAP.

Check that you can query your user in LDAP via:

ldapsearch -x -W -D "cn=Manager,dc=example,dc=net" -b "uid=genco,dc=example,dc=net"

If you see the user you have just added, everything is fine.

SRX LDAP Configuration

Below I am sharing my current working access profile configuration on the SRX; I have tested it and it works. I am not including the entire dynamic VPN configuration, as the purpose of this post is to show how the SRX and LDAP can be integrated for dynamic VPN. If you want to take a look at the full dynamic VPN setup, see https://rtodto.net/2011/08/09/dynamic-vpn-in-srx/

set access profile ldap-usr-profile authentication-order ldap
set access profile ldap-usr-profile address-assignment pool engpool
set access profile ldap-usr-profile ldap-options base-distinguished-name dc=example,dc=net
set access profile ldap-usr-profile ldap-options search search-filter uid=
set access profile ldap-usr-profile ldap-options search admin-search distinguished-name CN=Manager,dc=example,dc=net
set access profile ldap-usr-profile ldap-options search admin-search password "$9$EpzhyKx3xXxdws4EcxdbsJZ36/AO1hSr"
set access profile ldap-usr-profile ldap-server 172.16.1.1 port 389
set access address-assignment pool engpool family inet network 192.168.200.0/24
set access address-assignment pool engpool family inet range range1 low 192.168.200.40
set access address-assignment pool engpool family inet range range1 high 192.168.200.100
set access address-assignment pool engpool family inet xauth-attributes primary-dns 8.8.8.8/32
set access address-assignment pool engpool family inet xauth-attributes secondary-dns 4.3.2.1/32
set access firewall-authentication web-authentication default-profile ldap-usr-profile

After this configuration, the dynamic VPN user named “genco” should be able to log in with the password stored in the “userPassword” field of his LDAP entry.
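The ldapsearch in the LDAP section binds as the admin and looks up the user’s DN directly, which is not quite what the access profile above does: the SRX binds with the admin-search DN, searches the base DN with the search-filter prefix uid= plus the login name, and then performs a simple bind as the DN it found with the user’s password. The following script is an added example, not part of the original post, that walks through the same three steps with the OpenLDAP client tools; the server URI, admin DN and base DN are taken from the configuration above and are assumptions you should adjust.

```shell
#!/bin/sh
# Emulate the SRX ldap-options flow against the OpenLDAP server:
#   1. bind as the admin-search DN
#   2. search the base DN for (uid=<login name>)
#   3. simple-bind as the DN found, using the user's password
# Assumed values taken from the post's access profile; edit for your setup.
LDAP_URI="ldap://172.16.1.1:389"
ADMIN_DN="cn=Manager,dc=example,dc=net"
BASE_DN="dc=example,dc=net"

# Escape RFC 4515 filter metacharacters so a login name containing
# '(' ')' '*' or '\' cannot change the shape of the search filter.
# Backslash is handled first so the escapes added later are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Extract the DN lines from "ldapsearch -LLL" output on stdin.
# Assumes each DN fits on one line (ldapsearch folds lines longer than 76
# characters) and is not base64-encoded ("dn:: ..."), true for the post's entry.
extract_dns() {
    sed -n 's/^dn: //p'
}

# Return 0 if <login name> would authenticate through the profile, 1 otherwise.
# Both ldap tools prompt for their password (-W) so it never lands in ps output.
srx_auth_check() {
    user="$1"
    filter="(uid=$(ldap_filter_escape "$user"))"
    dns=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$ADMIN_DN" -W \
            -b "$BASE_DN" "$filter" dn | extract_dns)
    n=$(printf '%s\n' "$dns" | grep -c .)
    if [ "$n" -ne 1 ]; then
        # Zero hits means the user is unknown; more than one is ambiguous and
        # the SRX cannot pick a DN to bind as.
        echo "search for $filter returned $n entries, expected exactly 1" >&2
        return 1
    fi
    ldapwhoami -x -H "$LDAP_URI" -D "$dns" -W >/dev/null
}

# Usage: ./srx_ldap_check.sh genco
if [ "$#" -ge 1 ]; then srx_auth_check "$1"; fi
```

The final ldapwhoami bind is the step the admin-bound ldapsearch in the post cannot verify, so a success here is the closest offline approximation of the SRX login. It only proves the bind works; the LDIF above still stores userPassword in cleartext, and generating the value with slappasswd ({SSHA}) instead is the usual mitigation.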

About: rtoodtoo

Genco has worked for more than 10 years as a Network/Support Engineer. He is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer at Tesla Inc. // JNCIE-SEC #223 / RHCE / PCNSE
