
Authenticating OpenVPN against Active Directory

Posted: Thu Aug 31, 2017 4:23 am
by bonne
OpenVPN on OpenBSD and Auth-LDAP.conf in place. The "LDAP"-part is working, but I cannot get the "Authorization"-part to work as I want it to work.

I would like to grant users from specific OU's access to VPN if they are member of the security group "openvpn". I think I need to know how to query SearchFilter correctly. This is my Authorization part of Auth-LDAP-conf:

<Authorization>
# Base DN
BaseDN "OU=Users,OU=MyBusiness,DC=danske-seniorer,DC=dk"


Here I would like to select one (or more) BaseDNs and include their sub-DNs. Can this be done?

# User Search Filter
# SearchFilter "(&(cn=%u)(accountStatus=active))"
SearchFilter "(objectClass=*)"


If I use SearchFilter "(&(cn (or uid)=%u)(accountStatus=active))", I am not getting authorized at all. With SearchFilter "(objectClass=*)" I get authenticated if I choose a BaseDN with only one object and log on with this.


# Require Group Membership
RequireGroup false

# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users

<Group>
BaseDN "OU=Somethings,OU=MyBusiness,DC=santa,DC=claus"
SearchFilter "((cn=openvpn))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
How to do things correctly in my case?

Regards, Lars.

Re: Authenticating OpenVPN against Active Directory

Posted: Thu Aug 31, 2017 12:20 pm
by TinCanTech
What version of openvpn is that ?

Re: Authenticating OpenVPN against Active Directory

Posted: Thu Aug 31, 2017 12:35 pm
by bonne
2.4.1 but it is ported to OpenBSD

Re: Authenticating OpenVPN against Active Directory

Posted: Tue Sep 05, 2017 9:55 am
by klanimantsi
Hmm, it's 2.4.1 for sure?

Re: Authenticating OpenVPN against Active Directory

Posted: Wed Sep 27, 2017 3:34 pm
by TiTex
I think you have to ignore the group stanza; it's used for something else (at least that's how I remember it).
Your filter should look something like (&(samaccountname=%u)(memberOf=CN=group_name,DC=domain,DC=lan)). It has to return a single value, so samaccountname will be equal to your AD username, and the user must also be a member of that group, specified by its DN.
The %u variable will be replaced by the username entered on the VPN connection.
The filter has to return a single record, else the authentication will fail.

Check out this article for more information: https://social.technet.microsoft.com/wi ... lters.aspx
or in PowerShell check out these help topics:


PS C:\> help *activedirectory*

Name                              Category  Module                    Synopsis
----                              --------  ------                    --------
about_ActiveDirectory             HelpFile                            TOPIC
about_ActiveDirectory_Filter      HelpFile                            TOPIC
about_ActiveDirectory_Identity    HelpFile                            TOPIC
about_ActiveDirectory_ObjectModel HelpFile                            TOPIC
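As an added example (not code from this thread or from auth-ldap itself), the filter shape TiTex describes, built with the username escaped before it replaces %u and with the "exactly one record" rule applied to the results; the group DN, user entries and the helper names are assumptions for illustration.

```python
# Added example, not code from the thread or from auth-ldap: builds the per-user
# search filter TiTex describes (%u replaced by the login name, AND-ed with a
# memberOf test), escapes the username per RFC 4515 before substitution, and
# applies the rule that the search must return exactly one record.
# The directory entries below are constructed samples, not real data.
from typing import Optional

# Characters with special meaning inside an LDAP filter value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_search_filter(username: str, group_dn: str) -> str:
    """The filter from the thread, with the escaped username in place of %u."""
    return (f"(&(sAMAccountName={escape_filter_value(username)})"
            f"(memberOf={escape_filter_value(group_dn)}))")

def entry_matches(entry: dict, username: str, group_dn: str) -> bool:
    """What the DC evaluates for this filter shape: both conditions must hold.
    sAMAccountName and DNs are compared case-insensitively, as AD does."""
    name_ok = entry.get("sAMAccountName", "").lower() == username.lower()
    groups = [g.lower() for g in entry.get("memberOf", [])]
    return name_ok and group_dn.lower() in groups

def authorize(directory: list, username: str, group_dn: str) -> Optional[str]:
    """Return the matching entry's DN, or None when the search does not return
    exactly one record (no hit and an ambiguous duplicate name both fail)."""
    hits = [e for e in directory if entry_matches(e, username, group_dn)]
    return hits[0]["dn"] if len(hits) == 1 else None

# Constructed sample directory: one member, one non-member, one duplicated name.
GROUP_DN = "CN=openvpn,OU=Groups,DC=example,DC=test"
SAMPLE_DIRECTORY = [
    {"dn": "CN=lars,OU=Users,DC=example,DC=test", "sAMAccountName": "lars",
     "memberOf": [GROUP_DN]},
    {"dn": "CN=bob,OU=Users,DC=example,DC=test", "sAMAccountName": "bob",
     "memberOf": ["CN=staff,OU=Groups,DC=example,DC=test"]},
    {"dn": "CN=eve,OU=Users,DC=example,DC=test", "sAMAccountName": "eve",
     "memberOf": [GROUP_DN]},
    {"dn": "CN=eve,OU=Contractors,DC=example,DC=test", "sAMAccountName": "eve",
     "memberOf": [GROUP_DN]},
]

if __name__ == "__main__":
    print(build_search_filter("lars", GROUP_DN))
    for user in ("lars", "bob", "eve"):
        print(user, "->", authorize(SAMPLE_DIRECTORY, user, GROUP_DN))
```

Against a real domain controller the same filter string can be checked with ldapsearch or Get-ADUser -LDAPFilter before it goes into auth-ldap.conf; the search should return one entry for a valid member and none otherwise.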