Problems authenticating openvpn users via openldap

This forum is for general conversation and user-user networking.
Post Reply
joshcole
OpenVpn Newbie
Posts: 19
Joined: Mon Oct 10, 2011 5:08 pm

Problems authenticating openvpn users via openldap

Post by joshcole » Tue Oct 11, 2011 4:14 am

I am an openvpn newb. I installed openvpn and openldap and want our users to authenticate against active directory in order to gain access to the VPN. I am attempting to replace our cisco vpn concentrator which is out of warranty and has become unreliable. I will include my configs and errors that I am encountering. If anyone is willing to take a look and offer some direction it would be much appreciated.

I am using phpldapadmin to test the authentication piece and am getting an error, it's reporting that it cannot contact the DC. I would like to start here and once I can get this working, move on to other errors that may exist in my configs. Thank you for taking a look!

contents of auth-ldap.conf

root@vpn:/etc/openvpn/auth# cat auth-ldap.conf
<LDAP>
# LDAP server URL
URL ldap://172.16.1.70

# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
BindDN cn=vpnauth,ou=users,dc=mydomain,dc=local
# Bind Password
# Password SecretPassword
Password <secret>
# Network timeout (in seconds)
Timeout 15

# Enable Start TLS
TLSEnable yes

# Follow LDAP Referrals (anonymously)
FollowReferrals yes

# TLS CA Certificate File
TLSCACertFile /etc/openvpn/dh1024.pem

# TLS CA Certificate Directory
TLSCACertDir /etc/openvpn

# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /etc/openvpn/easy-rsa/keys/ca.pem
TLSKeyFile /etc/openvpn/easy-rsa/keys/dh1024.pem

# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
# Base DN
BaseDN "dc=mydomain,dc=local"

# User Search Filter
SearchFilter "(accountStatus=active)"

# Require Group Membership
RequireGroup true

# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users

<Group>
BaseDN "ou=_FPU_Groups,dc=mydomain,dc=local"
SearchFilter "(|(cn=_VPN))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>

User avatar
Mimiko
Forum Team
Posts: 1568
Joined: Wed Sep 22, 2010 3:18 am

Re: Problems authenticating openvpn users via openldap

Post by Mimiko » Tue Oct 11, 2011 5:17 am

I will suggest first resolve ldap connection on OpenLDAP forum and support. It's not an OpenVPN issue. First thing, don't use php for testing ldap. Use OpenLDAP included tools. In this case you will eliminate phpldapadmin configuration issues.

Post Reply