Problems with using Additional LDAP Requirement

clipper
OpenVpn Newbie
Posts: 2
Joined: Sun Apr 04, 2021 9:11 pm

Problems with using Additional LDAP Requirement

Post by clipper » Sun Apr 04, 2021 10:24 pm

Hello there,

So I set up an OpenVPN Access Server for our company a few months ago. All working fine. Now I wanted to use "Additional LDAP Requirement:" with the following input: "memberOf=CN=VPNtesting, CN=Users, DC=IT, DC=LOCAL". I created a security group in our Active Directory called VPNtesting and put my username into it.

If I try the auth script by OpenVPN the following error appears:

administrator@OAS017:/usr/local/openvpn_as/scripts$ sudo ./authcli -u <myusername> -p <mypassword>
API METHOD: authenticate
AUTH_RETURN
status : FAIL
reason : user not found that meets specified requirements: memberOf=CN=VPNtesting, CN=Users, DC=IT, DC=LOCAL
user : <myusername>

When I change the AD security group setting to local, global or universal, I still get the same error message. The VPN works, though, when I leave the "Additional LDAP Requirement:" blank.

So it has to be a syntax-based error. Some additional info: we run a Windows Server 2012 with AD on it.

Can someone help me out here?

clipper
OpenVpn Newbie
Posts: 2
Joined: Sun Apr 04, 2021 9:11 pm

Re: Problems with using Additional LDAP Requirement

Post by clipper » Tue Apr 06, 2021 7:17 am

If I look up the security group VPNtesting in AD, under Members my account shows up. But when I look up the user > Properties > Attribute Editor > distinguishedName information of my account in our AD, the following is listed:

distinguishedName CN=mySurname\, myName, CN=Users, DC=IT, DC=LOCAL

So it's missing the "memberOf=VPNtesting" part. I don't know how to solve this, since the documentation doesn't contain any information regarding this and, as far as I know, there is no post regarding this anywhere.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Problems with using Additional LDAP Requirement

Post by openvpn_inc » Tue Apr 06, 2021 10:41 pm

Hi there,

Can you please confirm whether you have the bind DN configured properly with an Administrator account that can read the entire directory?
Most of the time that is the problem. Also, you can check with a bad credential DN. It could be that a space has been added in your CN in the credential base DN, etc.

Regards,
Crowley
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
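An added helper (not code from the thread or from OpenVPN Inc.) illustrating the two DN details the replies turn on: the spaces after the RDN separators in the requirement as typed, and the escaped comma inside the CN of the user's own distinguishedName. It normalizes a DN the way LDAP distinguishedNameMatch does and RFC 4515-escapes the value when building the search filter an administrator can run against the directory to test the requirement; the login attribute name sAMAccountName and the username "clipper" are assumptions.

```python
# Constructed sample values copied from the thread.
REQUIREMENT_AS_TYPED = "memberOf=CN=VPNtesting, CN=Users, DC=IT, DC=LOCAL"
USER_DN = r"CN=mySurname\, myName, CN=Users, DC=IT, DC=LOCAL"


def split_rdns(dn):
    """Split a DN on unescaped commas; an escaped '\\,' stays inside its value."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair as data
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn):
    """Drop whitespace around separators and '=' (as distinguishedNameMatch does)."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.strip().partition("=")
        out.append(f"{attr.strip()}={value.strip()}")
    return ",".join(out)


def dn_equal(a, b):
    """DN comparison ignoring separator whitespace and case."""
    return normalize_dn(a).lower() == normalize_dn(b).lower()


def filter_escape(value):
    """RFC 4515 escaping of a filter assertion value; '\\' in a DN becomes '\\5c'."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)


def build_filter(requirement, login_attr, username):
    """Combine the login and the 'attr=value' requirement into one AND filter."""
    attr, _, value = requirement.partition("=")
    attr = attr.strip()
    if attr.lower() == "memberof":          # DN-valued: normalize before matching
        value = normalize_dn(value)
    return f"(&({login_attr}={filter_escape(username)})({attr}={filter_escape(value)}))"
```

The resulting filter string can be passed to ldapsearch with the same bind DN and base DN configured in Access Server; an empty result means the directory does not see the user as a member under that exact value.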
