Authenticating OpenVPN against Active Directory
Posted: Thu Aug 31, 2017 4:23 am
OpenVPN on OpenBSD, with Auth-LDAP.conf in place. The "LDAP" part is working, but I cannot get the "Authorization" part to work the way I want it to.
I would like to grant users from specific OUs access to the VPN if they are members of the security group "openvpn". I think I need to know how to write the SearchFilter correctly. This is the Authorization part of my Auth-LDAP.conf:
<Authorization>
# Base DN
BaseDN "OU=Users,OU=MyBusiness,DC=danske-seniorer,DC=dk"
Here I would like to select one (or more) BaseDNs and include their sub-DNs. Can this be done?
# User Search Filter
# SearchFilter "(&(cn=%u)(accountStatus=active))"
SearchFilter "(objectClass=*)"
If I use SearchFilter "(&(cn=%u)(accountStatus=active))" (or uid instead of cn), I am not authorized at all. With SearchFilter "(objectClass=*)" I get authenticated if I choose a BaseDN with only one object and log on with that.
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "OU=Somethings,OU=MyBusiness,DC=santa,DC=claus"
SearchFilter "((cn=openvpn))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
How do I do this correctly in my case?
Regards, Lars.
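As an added example (not code from the original post or from the openvpn-auth-ldap project), the following Python builds an Active Directory user filter of the kind the SearchFilter directive expects and parses a filter against RFC 4515 bracketing, which is what rejects the doubled parentheses in the "((cn=openvpn))" line above. The group DN and OU names are constructed placeholders; the attribute names (sAMAccountName, memberOf, userAccountControl) and the two matching-rule OIDs are standard Active Directory values, and the escaping helper is the one a filter needs wherever a user-supplied login name is substituted in.

```python
"""Build and sanity-check LDAP search filters for an OpenVPN auth-ldap setup
against Active Directory.  Added example; group DN and OUs are placeholders."""

# Active Directory matching-rule OIDs (defined by Microsoft).
RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"   # follows nested group membership
RULE_BIT_AND = "1.2.840.113556.1.4.803"     # bitwise AND on integer attributes
UF_ACCOUNTDISABLE = 2                       # userAccountControl bit: account disabled

# RFC 4515 escaping for a value placed inside a filter.  Without it, a login
# name such as "*)(objectClass=*" would change the meaning of the filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str, group_dn: str, nested: bool = True) -> str:
    """Filter matching exactly one enabled AD account with the given
    sAMAccountName that is a (possibly nested) member of group_dn.
    In auth-ldap.conf the username would be the %u placeholder instead."""
    member_attr = f"memberOf:{RULE_IN_CHAIN}:" if nested else "memberOf"
    return (
        "(&"
        f"(sAMAccountName={escape_filter_value(username)})"
        f"(!(userAccountControl:{RULE_BIT_AND}:={UF_ACCOUNTDISABLE}))"
        f"({member_attr}={escape_filter_value(group_dn)})"
        ")"
    )


def _parse(s: str, i: int):
    """Recursive-descent parser for RFC 4515: filter = '(' filtercomp ')'."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    op = s[i]
    if op in "&|":                       # and / or: one or more nested filters
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if not children:
            raise ValueError(f"'{op}' needs at least one nested filter at offset {i}")
        node = (op, children)
    elif op == "!":                      # not: exactly one nested filter
        child, i = _parse(s, i + 1)
        node = ("!", [child])
    elif op == "(":                      # "((cn=openvpn))" lands here
        raise ValueError(f"nested '(' without '&', '|' or '!' at offset {i}")
    else:                                # simple item: attr=value
        j = s.find(")", i)
        if j < 0:
            raise ValueError("unterminated filter item")
        item = s[i:j]
        if "=" not in item:
            raise ValueError(f"item {item!r} has no '=' at offset {i}")
        attr, value = item.split("=", 1)
        node = ("=", attr, value)
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def parse_filter(s: str):
    """Return a small AST for a well-formed filter, or raise ValueError."""
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError(f"trailing text after filter at offset {i}")
    return node


def is_well_formed(flt: str) -> bool:
    try:
        parse_filter(flt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed group DN; the original post's OUs are placeholders too.
    group = "CN=openvpn,OU=Groups,OU=MyBusiness,DC=example,DC=com"
    for flt in ("((cn=openvpn))", "(cn=openvpn)", user_filter("lars", group)):
        print(f"{'OK ' if is_well_formed(flt) else 'BAD'} {flt}")
```

Two things the parser and builder make visible: "((cn=openvpn))" is not a valid filter, and a filter of "(objectClass=*)" matches every entry under the BaseDN, which is why the lookup only succeeds when the OU holds a single object. For Active Directory the login name is held in sAMAccountName rather than cn or uid, and a group's membership list is its member attribute (uniqueMember belongs to the groupOfUniqueNames class used by other directories), so a <Group> block written for AD would normally use MemberAttribute member. Escaping the substituted username is what keeps a login name from rewriting the filter; whether a given auth-ldap build escapes %u itself is not something this example assumes.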