LDAP query to authenticate a user in a child/nested group

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).


Post by ronlevit » Tue Mar 14, 2017 7:26 pm


I have a problem configuring my server to authenticate users that are members of a nested AD group. I have a 'group1' that includes 'group2' with the user account I'm trying to authenticate.
When configured as in the example below, users who are members of 'group1' are authenticated successfully, but members of the nested AD group 'group2' are not.

        # Base DN
        BaseDN          "OU=Users,DC=example,DC=com"

        # User Search Filter
        SearchFilter    "(sAMAccountName=%u)"

        # Require Group Membership
        RequireGroup    true

        # Group block (the <Group> tags belong to the auth-ldap config syntax;
        # restored here, the forum rendering stripped them)
        <Group>
                BaseDN          "OU=Security Groups,DC=example,DC=com"
                SearchFilter    "(cn=group1)"
                MemberAttribute Member
        </Group>

Based on this https://msdn.microsoft.com/en-us/librar ... s.85).aspx article, SearchFilter can be configured to perform a recursive query that 'walks the chain of ancestry in objects' until it finds the user. However, when I configure the SearchFilter like that, authentication fails completely and the server logs a "TLS Auth Error: Auth Username/Password verification failed for peer" event.

SearchFilter    (&(objectClass=*)(objectCategory=person)(memberof:1.2.840.113556.1.4.1941:=CN=group1,OU=Security Groups,DC=example,DC=com))

What am I doing wrong? Does anyone have an example of a working config that does what I need? Any help will be much appreciated.
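
The following is an added example for this thread; it is not code from the original post or from the OpenVPN auth-ldap plugin. It shows, on a constructed in-memory directory snapshot, what the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) asks the domain controller to do: walk memberOf links to any depth, tolerating membership cycles. It also builds the user-search filter for that rule. Two practitioner caveats are baked into it: the filter used as the user search still needs the username clause, (sAMAccountName=%u), because the plugin has to end up with exactly one entry to bind as, and an in-chain filter without it matches every person under the group; and the group DN is escaped per RFC 4515 before it is embedded. The DNs, account names and group layout are hypothetical.

```python
"""Nested AD group membership resolved offline, plus the user-search filter
that asks the domain controller to do the same walk server-side.

Added example for this thread; not code from the original post or from the
OpenVPN auth-ldap plugin. The directory snapshot, DNs and account names are
constructed (hypothetical); only the matching-rule OID is real.
"""
from collections import deque

# LDAP_MATCHING_RULE_IN_CHAIN: "memberOf:<OID>:=<group DN>" matches entries that
# are members of the group directly or through any depth of nested groups.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter; a group DN
    containing parentheses or asterisks would otherwise break the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(group_dn: str, user_attr: str = "sAMAccountName") -> str:
    """Filter for the user search. The (user_attr=%u) clause is what narrows
    the result to the account logging in; auth-ldap substitutes the login
    name for %u. Leaving it out matches every person in the chain."""
    return (
        f"(&(objectCategory=person)({user_attr}=%u)"
        f"(memberOf:{IN_CHAIN_OID}:={escape_filter_value(group_dn)}))"
    )


# Constructed snapshot: DN -> attributes. group3 is inside group2, which is
# inside group1; otherA/otherB form a membership cycle unrelated to group1
# (AD permits cycles, so the walk must tolerate them).
G1 = "CN=group1,OU=Security Groups,DC=example,DC=com"
G2 = "CN=group2,OU=Security Groups,DC=example,DC=com"
G3 = "CN=group3,OU=Security Groups,DC=example,DC=com"
OTHER_A = "CN=otherA,OU=Security Groups,DC=example,DC=com"
OTHER_B = "CN=otherB,OU=Security Groups,DC=example,DC=com"
USERS = "OU=Users,DC=example,DC=com"

DIRECTORY = {
    G1: {"objectCategory": "group", "memberOf": []},
    G2: {"objectCategory": "group", "memberOf": [G1]},
    G3: {"objectCategory": "group", "memberOf": [G2]},
    OTHER_A: {"objectCategory": "group", "memberOf": [OTHER_B]},
    OTHER_B: {"objectCategory": "group", "memberOf": [OTHER_A]},
    f"CN=alice,{USERS}": {"objectCategory": "person", "sAMAccountName": "alice", "memberOf": [G2]},
    f"CN=bob,{USERS}": {"objectCategory": "person", "sAMAccountName": "bob", "memberOf": [G1]},
    f"CN=carol,{USERS}": {"objectCategory": "person", "sAMAccountName": "carol", "memberOf": [OTHER_A]},
    f"CN=dave,{USERS}": {"objectCategory": "person", "sAMAccountName": "dave", "memberOf": [G3]},
}


def _norm(dn: str) -> str:
    # DN matching in LDAP is case-insensitive; normalise before comparing.
    return dn.lower()


def transitive_groups(directory: dict, dn: str) -> set:
    """All groups `dn` belongs to, directly or through nesting (the walk the
    in-chain matching rule performs). The visited set stops cycles."""
    seen, queue = set(), deque(directory[dn]["memberOf"])
    while queue:
        g = queue.popleft()
        if _norm(g) in seen:
            continue
        seen.add(_norm(g))
        queue.extend(directory.get(g, {}).get("memberOf", []))
    return seen


def search_in_chain(directory: dict, group_dn: str, username=None) -> list:
    """Evaluate the in-chain filter over the snapshot. username=None is what a
    filter without (sAMAccountName=%u) returns: every person in the chain,
    not just the one trying to log in."""
    hits = []
    for dn, attrs in directory.items():
        if attrs.get("objectCategory") != "person":
            continue
        if username is not None and attrs.get("sAMAccountName") != username:
            continue
        if _norm(group_dn) in transitive_groups(directory, dn):
            hits.append(dn)
    return sorted(hits)


def resolve_bind_dn(directory: dict, group_dn: str, username: str):
    """Exactly one entry must come back; its DN is then used for the password
    bind. Zero or several hits means the login cannot succeed."""
    hits = search_in_chain(directory, group_dn, username)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(build_user_filter(G1))
    print("everyone in chain of group1:", search_in_chain(DIRECTORY, G1))
    print("bind DN for dave (3 levels deep):", resolve_bind_dn(DIRECTORY, G1, "dave"))
    print("bind DN for carol (not in chain):", resolve_bind_dn(DIRECTORY, G1, "carol"))
```

To check the real directory rather than the snapshot, run the filter that build_user_filter() produces through ldapsearch (OpenLDAP) against the domain controller, with -b set to the user BaseDN and %u replaced by a real account name; a member of a nested group should come back as exactly one entry. Note also that the other SearchFilter values in the plugin config are quoted, and this filter contains a space in "Security Groups", so quote it the same way when placing it in the config.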
