Authenticating OpenVPN against Active Directory

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).


bonne
OpenVpn Newbie
Posts: 13
Joined: Sun Jun 14, 2015 8:01 am

Authenticating OpenVPN against Active Directory

Post by bonne » Thu Aug 31, 2017 4:23 am

OpenVPN on OpenBSD and Auth-LDAP.conf in place. The "LDAP"-part is working, but I cannot get the "Authorization"-part to work as I want it to work.

I would like to grant users from specific OUs access to the VPN if they are a member of the security group "openvpn". I think I need to know how to write the SearchFilter correctly. This is the Authorization part of my Auth-LDAP.conf:

<Authorization>
# Base DN
BaseDN "OU=Users,OU=MyBusiness,DC=danske-seniorer,DC=dk"


Here I would like to select one (or more) BaseDNs and include their sub-DNs. Can this be done?

# User Search Filter
# SearchFilter "(&(cn=%u)(accountStatus=active))"
SearchFilter "(objectClass=*)"


If I use SearchFilter "(&(cn (or uid)=%u)(accountStatus=active))", I am not authorized at all. With SearchFilter "(objectClass=*)" I get authenticated if I choose a BaseDN with only one object and log on with this.


# Require Group Membership
RequireGroup false

# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users

<Group>
BaseDN "OU=Somethings,OU=MyBusiness,DC=santa,DC=claus"
SearchFilter "((cn=openvpn))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>



How do I do this correctly in my case?

Regards, Lars.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticating OpenVPN against Active Directory

Post by TinCanTech » Thu Aug 31, 2017 12:20 pm

What version of openvpn is that ?

bonne
OpenVpn Newbie
Posts: 13
Joined: Sun Jun 14, 2015 8:01 am

Re: Authenticating OpenVPN against Active Directory

Post by bonne » Thu Aug 31, 2017 12:35 pm

2.4.1 but it is ported to OpenBSD

klanimantsi
OpenVpn Newbie
Posts: 13
Joined: Mon Sep 04, 2017 9:00 am

Re: Authenticating OpenVPN against Active Directory

Post by klanimantsi » Tue Sep 05, 2017 9:55 am

Hmm, it's 2.4.1 for sure?

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: Authenticating OpenVPN against Active Directory

Post by TiTex » Wed Sep 27, 2017 3:34 pm

I think you have to ignore the group stanza; it's used for something else (at least that's how I remember it).
Your filter should look something like (&(samaccountname=%u)(memberOf=CN=group_name,DC=domain,DC=lan)). It has to return a single value, so samaccountname will be equal to your AD username and the user must also be a member of that group, specified by its DN.
The %u variable will be replaced by the username entered on the VPN connection.
The filter has to return a single record, else the authentication will fail.

check out this article for more information https://social.technet.microsoft.com/wi ... lters.aspx
or in PowerShell check out these help topics:


PS C:\> help *activedirectory*

Name                              Category  Module                    Synopsis
----                              --------  ------                    --------
about_ActiveDirectory             HelpFile                            TOPIC
about_ActiveDirectory_Filter      HelpFile                            TOPIC
about_ActiveDirectory_Identity    HelpFile                            TOPIC
about_ActiveDirectory_ObjectModel HelpFile                            TOPIC
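As an added worked example (not code from this thread, from the auth-ldap plugin, or from OpenVPN), the script below ties together the two questions raised here: bonne's wish to scope the search to a BaseDN plus everything beneath it, and TiTex's point that the filter must contain %u and return exactly one record. It substitutes the VPN username into the filter with RFC 4515 escaping, evaluates a small subset of the LDAP filter syntax against a constructed in-memory directory with subtree scope, and refuses the login unless exactly one entry comes back. All DNs, group names and accounts are invented, and the filter evaluator is a toy standing in for a real directory server.

```python
"""Added example: build the AD filter suggested in this thread, substitute the
VPN username for %u with RFC 4515 escaping, run it (subtree scope from a
BaseDN) against a small constructed in-memory directory, and apply the
"exactly one match" rule.  Every DN, group and account below is invented."""
import re

# Constructed entries (not real data): two users under the poster's BaseDN,
# one account outside it.  Multi-valued attributes are lists.
DIRECTORY = [
    {"dn": "CN=Lars,OU=Users,OU=MyBusiness,DC=example,DC=test",
     "sAMAccountName": ["lars"],
     "memberOf": ["CN=openvpn,OU=Groups,DC=example,DC=test"]},
    {"dn": "CN=Anna,OU=Users,OU=MyBusiness,DC=example,DC=test",
     "sAMAccountName": ["anna"],
     "memberOf": ["CN=staff,OU=Groups,DC=example,DC=test"]},
    {"dn": "CN=Svc,OU=Service,DC=example,DC=test",
     "sAMAccountName": ["svc-backup"],
     "memberOf": ["CN=openvpn,OU=Groups,DC=example,DC=test"]},
]

BASE_DN = "OU=Users,OU=MyBusiness,DC=example,DC=test"
GROUP_DN = "CN=openvpn,OU=Groups,DC=example,DC=test"
# Same shape as the filter TiTex proposes; %u is the placeholder the plugin fills.
FILTER_TEMPLATE = "(&(sAMAccountName=%u)(memberOf=" + GROUP_DN + "))"


def escape_filter_value(value):
    """RFC 4515 escaping for a value inside a filter assertion, so a typed
    username cannot change the filter's structure ('(', ')', '*', '\\', NUL)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def render_filter(template, username):
    return template.replace("%u", escape_filter_value(username))


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s):
    """Tiny RFC 4515 subset: (&..), (|..), (!..), (attr=*) presence and
    (attr=value) equality.  Returns nested tuples."""
    pos = 0

    def node():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if s[pos] in "&|!":
            op = s[pos]
            pos += 1
            kids = []
            while s[pos] == "(":
                kids.append(node())
            result = (op, kids)
        else:
            end = s.index(")", pos)  # a ')' inside a value is escaped as \29
            attr, _, val = s[pos:end].partition("=")
            result = ("present", attr.lower()) if val == "*" else ("=", attr.lower(), unescape(val))
            pos = end
        if s[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return result

    tree = node()
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    # Attribute names are case-insensitive; AD compares these string values that way too.
    values = [v for k, vs in entry.items() if k.lower() == tree[1]
              for v in (vs if isinstance(vs, list) else [vs])]
    if op == "present":
        return bool(values)
    return any(v.lower() == tree[2].lower() for v in values)


def in_subtree(dn, base_dn):
    """LDAP 'sub' scope: the base itself or anything beneath it."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def search(base_dn, filter_str, directory=DIRECTORY):
    tree = parse_filter(filter_str)
    return [e for e in directory if in_subtree(e["dn"], base_dn) and matches(tree, e)]


def authorize(username, base_dn=BASE_DN, template=FILTER_TEMPLATE, directory=DIRECTORY):
    """The rule stated in the thread: exactly one entry must come back.
    Returns the matched DN, or None for zero or several matches."""
    hits = search(base_dn, render_filter(template, username), directory)
    return hits[0]["dn"] if len(hits) == 1 else None


if __name__ == "__main__":
    for user in ("lars", "anna", "svc-backup"):
        print(user, "->", authorize(user))
```

Running it shows "lars" accepted, "anna" refused because she is not in the group, and "svc-backup" refused because the account sits outside the BaseDN subtree even though it is a group member. Calling authorize with the bare "(memberOf=...)" filter and the domain root as BaseDN returns None because two entries match, which is the same effect bonne saw with "(objectClass=*)" on any BaseDN holding more than one object.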
