Hello there,
so I set up an OpenVPN Access Server for our company a few months ago. All working fine. Now I wanted to use "Additional LDAP Requirement:" with the following input "memberOf=CN=VPNtesting, CN=Users, DC=IT, DC=LOCAL". I created a security group on our Active Directory called VPNtesting and put my username into it.
If I try the auth script from OpenVPN, the following error appears:
administrator@OAS017:/usr/local/openvpn_as/scripts$ sudo ./authcli -u <myusername> -p <mypassword>
API METHOD: authenticate
AUTH_RETURN
status : FAIL
reason : user not found that meets specified requirements: memberOf=CN=VPNtesting, CN=Users, DC=IT, DC=LOCAL
user : <myusername>
When I change the AD security group setting to local, global or universal, I still get the same error message. The VPN works though when I leave the "Additional LDAP Requirement:" blank.
So it has to be a syntax-based error. Some additional info: we run a 2012 Windows Server with AD on it.
Can someone help me out here?
Problems with using Additional LDAP Requirement
- OpenVpn Newbie
- Posts: 2
- Joined: Sun Apr 04, 2021 9:11 pm
Re: Problems with using Additional LDAP Requirement
If I look up the security group VPNtesting in AD, under members my account shows up. But when I look up the user > Properties > Attribute Editor > distinguishedName information of my account in our AD, the following is listed:
distinguishedName CN=mySurname\, myName, CN=Users, DC=IT, DC=LOCAL
So it's missing the "memberOf=VPNtesting" part. I don't know how to solve this since the documentation doesn't contain any information regarding this and there is no post afaik regarding this anywhere.
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Problems with using Additional LDAP Requirement
Hi There,
Can you please confirm if you have the bind DN configured properly with the Administrator account that can read the entire Directory?
Most of the time that is the problem. Also, you can check with a bad credential DN. It could be that some space has been added in your CN in the credential base DN, etc.
Regards,
Crowley
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
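As an added example (not from this thread and not OpenVPN Access Server's own code), the check below models what a requirement of the form attr=value means when applied to the user entry AD returns: memberOf is a separate multi-valued attribute on the user object, not part of distinguishedName, which is why the group does not show up in the DN the poster quoted, and group DNs are compared per RFC 4514 so spaces after commas and letter case do not cause a mismatch. The sample entry, the attribute names and the matching rules are assumptions made for illustration, not how the Access Server actually evaluates the field.

```python
# Added example (not from the thread or from OpenVPN's code): what a requirement of
# the form attr=value means when checked against the user entry AD returns. memberOf
# is its own multi-valued attribute on the user, not part of distinguishedName, and
# its DNs are compared per RFC 4514, so spaces after commas and letter case are ignored.
import re

def parse_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash escapes such as
    'CN=mySurname\\, myName', where the comma belongs to the value."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            buf, i = buf + dn[i:i + 2], i + 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        typ, _, val = rdn.lstrip().partition("=")
        val = re.sub(r"(?<!\\)\s+$", "", val.lstrip())  # drop unescaped trailing spaces
        pairs.append((typ.strip().lower(), val.lower()))
    return pairs

def normalize_dn(dn):
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn))

def parse_requirement(requirement):
    """'memberOf=CN=VPNtesting, CN=Users, ...' -> ('memberOf', 'CN=VPNtesting, ...')"""
    attr, _, value = requirement.partition("=")
    return attr.strip(), value.strip()

def user_meets_requirement(user_attrs, requirement):
    """True if one of the user's values for the required attribute matches it."""
    attr, value = parse_requirement(requirement)
    values = [v for k, vs in user_attrs.items() if k.lower() == attr.lower() for v in vs]
    if attr.lower() == "memberof":                 # DN-valued: compare normalised
        return any(normalize_dn(v) == normalize_dn(value) for v in values)
    return any(v.lower() == value.lower() for v in values)

SAMPLE_USER = {  # constructed AD user entry, shaped like the poster's
    "distinguishedName": ["CN=mySurname\\, myName,CN=Users,DC=IT,DC=LOCAL"],
    "sAMAccountName": ["myusername"],
    "memberOf": ["CN=VPNtesting,CN=Users,DC=IT,DC=LOCAL", "CN=Domain Users,CN=Users,DC=IT,DC=LOCAL"],
}
```

If the bind account cannot read the user's memberOf values, the list comes back empty and the check fails exactly as the authcli output above shows, which is why the bind DN's read permissions are the first thing to confirm.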