Openvpn-auth-ldap and multiple ldap servers


Moderators: TinCanTech

Alex987
OpenVpn Newbie
Posts: 11
Joined: Tue Mar 07, 2017 4:08 pm

Openvpn-auth-ldap and multiple ldap servers

Post by Alex987 » Thu Apr 06, 2017 8:19 am

Hi everyone !

I configured an OpenVPN server with LDAP authentication using the plugin openvpn-auth-ldap.
It works fine!

Now, I want to use two LDAP servers in order to avoid a single point of failure: if one of my LDAP servers is not reachable by the OpenVPN server for any reason, the OpenVPN server will use the second LDAP server.
My two LDAP servers are Active Directory servers and are synchronized.

I think I need to add a URL line in the configuration file for openvpn-auth-ldap (/etc/openvpn/auth/ldap.conf), but I don't know if it is enough...

So, has someone configured the plugin with two or more LDAP servers?
If yes, how do you handle this point? Does it work fine?

Code:

# My file /etc/openvpn/auth/ldap.conf

<LDAP>
	# LDAP server URL
	URL		ldap://IP_ldap1
	
	# Bind DN (If your LDAP server doesn't support anonymous binds)
	BindDN		"CN=Bind User,OU=MyOU,DC=mydomain,DC=com"

	# Bind Password
	Password	MyPasswordForBind

	# Network timeout (in seconds)
	Timeout		45 #15

</LDAP>
<Authorization>
	# Base DN
	BaseDN		"DC=mydomain,DC=com"

	# User Search Filter
	SearchFilter "(&(sAMAccountName=%u))"

	# Require Group Membership
	RequireGroup	true

	<Group>
		BaseDN		"dc=mydomain,dc=com"
		SearchFilter	"(cn=Group_OpenVPN)"
		MemberAttribute	"member"
	</Group>
</Authorization>

Alex987
OpenVpn Newbie
Posts: 11
Joined: Tue Mar 07, 2017 4:08 pm

Re: Openvpn-auth-ldap and multiple ldap servers

Post by Alex987 » Thu Apr 27, 2017 1:47 pm

Well, I found this link: https://github.com/threerings/openvpn-a ... /issues/29
so I tested with this configuration:

Code:

# ldap.conf

<LDAP>
	# LDAP server URL
	URL		"ldap://IP_ldap1 ldap://IP_ldap2"

	# Bind DN (If your LDAP server doesn't support anonymous binds)
	BindDN		"CN=Bind User,OU=MyOU,DC=mydomain,DC=com"

	# Bind Password
	Password	MyPasswordForBind

	# Network timeout (in seconds)
	Timeout		45 #15

</LDAP>
<Authorization>
	# Base DN
	BaseDN		"DC=mydomain,DC=com"

	# User Search Filter
	SearchFilter "(&(sAMAccountName=%u))"

	# Require Group Membership
	RequireGroup	true

	<Group>
		BaseDN		"dc=mydomain,dc=com"
		SearchFilter	"(cn=Group_OpenVPN)"
		MemberAttribute	"member"
	</Group>
</Authorization>

I reloaded my OpenVPN with no error.
But when I block the OpenVPN server's access to LDAP1, the OpenVPN server does not even try to connect to LDAP2 and keeps sending authentication requests to LDAP1.

Any idea how to solve the problem?

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: Openvpn-auth-ldap and multiple ldap servers

Post by TiTex » Fri Apr 28, 2017 7:13 am

Have you tried using the domain name for the LDAP URL and not the server's hostname?
So let's say your Active Directory domain is testing.com and you have dc01.testing.com and dc02.testing.com as domain controllers.
Just try using URL testing.com and see if that works.

Alex987
OpenVpn Newbie
Posts: 11
Joined: Tue Mar 07, 2017 4:08 pm

Re: Openvpn-auth-ldap and multiple ldap servers

Post by Alex987 » Wed May 10, 2017 8:14 am

Thanks for your response :)
I solved the problem: I reduced the timeout.
I defined a timeout of 10s and, with this parameter, the switch between the 2 LDAP servers works well!
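The thread ends with the observation that failover only became usable once Timeout was lowered. The following preflight script is an added example (not part of the thread, the plugin, or OpenVPN) that models the behaviour this implies: it assumes, as the resolution suggests, that the space-separated URL list is tried in order and that the plugin's Timeout bounds each connect attempt, so a login stalls for roughly one Timeout per unreachable server before the next one is tried. The domain controller names are the constructed ones from TiTex's reply; `simulated_connect` is a constructed offline stand-in for `socket.create_connection`, and the default arguments let the same probe run against real servers.

```python
import socket
import time
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def parse_url_list(url_value):
    """Split the plugin's (possibly quoted) URL value into (scheme, host, port) tuples."""
    targets = []
    for url in url_value.strip('"').split():
        parts = urlsplit(url)  # note: urlsplit lower-cases the hostname
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"unsupported LDAP URL: {url}")
        targets.append((parts.scheme, parts.hostname,
                        parts.port or DEFAULT_PORTS[parts.scheme]))
    return targets

def probe_failover(url_value, timeout, connect=socket.create_connection,
                   clock=time.monotonic):
    """Try the listed servers in order, each bounded by the plugin's Timeout (assumed
    libldap behaviour), and report which one answered and how long the login stalled."""
    start, attempts = clock(), []
    for _scheme, host, port in parse_url_list(url_value):
        try:
            connect((host, port), timeout=timeout).close()
            attempts.append((host, "ok"))
            return {"server": host, "delay": clock() - start, "attempts": attempts}
        except OSError as exc:
            attempts.append((host, f"failed: {exc}"))
    return {"server": None, "delay": clock() - start, "attempts": attempts}

def simulated_connect(down_hosts, fake_clock):
    """Constructed offline connect(): hosts in down_hosts drop packets silently, so the
    caller burns the full timeout; every other host answers at once. fake_clock is a
    one-element list holding the simulated time, read back via `lambda: fake_clock[0]`."""
    class _Sock:
        def close(self):
            pass

    def connect(addr, timeout):
        if addr[0] in down_hosts:
            fake_clock[0] += timeout
            raise OSError("timed out")
        return _Sock()
    return connect

if __name__ == "__main__":
    clk = [0.0]
    urls = '"ldap://dc01.testing.com ldap://dc02.testing.com"'  # constructed URL line
    print(probe_failover(urls, 45, simulated_connect({"dc01.testing.com"}, clk), lambda: clk[0]))
```

With dc01 silently dropping packets the reported delay equals the configured Timeout, which is the stall the VPN client must survive before dc02 is tried; lowering Timeout shrinks that window exactly as the thread describes.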
