
Problems with using Additional LDAP Requirement

Posted: Sun Apr 04, 2021 10:24 pm
by clipper
Hello there,

so I set up an OpenVPN Access Server for our company a few months ago. All working fine. Now I wanted to use "Additional LDAP Requirement:" with the following input "memberOf=CN=VPNtesting, CN=Users, DC=IT, DC=LOCAL". I created a security group on our Active Directory called VPNtesting and put my username into it.

If I try the auth script by OpenVPN the following error appears:

administrator@OAS017:/usr/local/openvpn_as/scripts$ sudo ./authcli -u <myusername> -p <mypassword>
API METHOD: authenticate
status : FAIL
reason : user not found that meets specified requirements: memberOf=CN=VPNtesting, CN=Users, DC=IT, DC=LOCAL
user : <myusername>

When I change the AD group security group setting to local, global or universal, I still get the same error message. The VPN works though when I leave the "Additional LDAP Requirement:" blank.

So it has to be a syntax-based error. Some additional info: we run a 2012 Windows Server with AD on it.

Can someone help me out here?

Re: Problems with using Additional LDAP Requirement

Posted: Tue Apr 06, 2021 7:17 am
by clipper
If I look up the security group VPNtesting in AD, under members my account shows up. But when I look up the user > properties > attribute editor > distinguishedName information of my account in our AD, the following is listed:

distinguishedName CN=mySurname\, myName, CN=Users, DC=IT, DC=LOCAL

So it's missing the "memberOf=VPNtesting" part. I don't know how to solve this since the documentation doesn't contain any information re this and there is no post afaik re this anywhere.

Re: Problems with using Additional LDAP Requirement

Posted: Tue Apr 06, 2021 10:41 pm
by openvpn_inc
Hi There,

Can you please confirm if you have the bind DN configured properly with the Administrator account that can read the entire Directory?
Most of the time that is the problem. Also, you can check with bad credential DN. It could be that some space had been added in your CN in the credential base DN, etc...
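
A way to check for the stray whitespace mentioned in the reply above, as an added example that is not part of the original thread and not OpenVPN's code: it splits a DN on unescaped commas (so an escaped comma such as the one in the distinguishedName above stays inside its value), reports RDNs that carry padding, and builds the memberOf assertion with standard RFC 4515 filter escaping. The function names are hypothetical and the inputs are the DNs as written in this thread.

```python
import re

FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def split_rdns(dn):
    """Split a DN on unescaped commas (RFC 4514); an escaped comma stays in its value."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return parts

def normalize_dn(dn):
    """Return (DN without padding around RDNs, list of RDNs that carried padding)."""
    clean, padded = [], []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"not an attribute=value pair: {rdn!r}")
        attr, value = rdn.split("=", 1)
        # A trailing space directly after a backslash is treated as escaped and kept.
        fixed = attr.strip() + "=" + re.sub(r"(?<!\\) +$", "", value.lstrip())
        if fixed != rdn:
            padded.append(rdn)
        clean.append(fixed)
    return ",".join(clean), padded

def member_of_filter(group_dn):
    """Build a memberOf assertion with RFC 4515 escaping applied to the DN value."""
    dn, _ = normalize_dn(group_dn)
    return "memberOf=" + "".join(FILTER_ESCAPES.get(c, c) for c in dn)

if __name__ == "__main__":
    # Constructed input: the two DNs as they are written in this thread.
    for dn in ("CN=VPNtesting, CN=Users, DC=IT, DC=LOCAL",
               "CN=mySurname\\, myName, CN=Users, DC=IT, DC=LOCAL"):
        print(normalize_dn(dn))
    print(member_of_filter("CN=VPNtesting, CN=Users, DC=IT, DC=LOCAL"))
```

The normalized group DN can then be compared character for character with the values in the user's memberOf attribute as returned by the directory.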