Greetings everyone,
My OpenVPN server has been collecting dust for a while as I've been working from home and have not had need to leverage it.
I have the server configured to use Google 2FA, LDAP and an additional LDAP requirement.
I had everything working when I last tested it about 16 months ago; however, at some point between then and now the Additional LDAP Requirement stopped working and I'm unable to sign in.
Attempting to sign in via auth CLI throws an error like this.
API METHOD: authenticate
AUTH_RETURN
status : FAIL
reason : user not found that meets specified requirements: memberOf=CN=OpenVPNUsers,CN=Users,DC=XX,DC=XXXX,DC=XXX
user : xxxx.xxxxx
Authentication does work if I blank out the Additional LDAP Requirement: (Advanced) line.
As a (Shitty) test I temporarily made the bind account a member of the Domain Admins group, and sure enough it was able to successfully auth, which tells me that this is something permission related preventing the group membership from being read, perhaps related to a Microsoft patch installed on the DCs.
I'm currently running OpenVPN Access Server v2.8.5.
What specific permissions should I delegate to the bind account?
AD permissions required for LDAP Bind account?
openvpn_inc (OpenVPN Inc.)
Re: AD permissions required for LDAP Bind account?
Hello Kiyomaka,
The bind account is so only an authenticated user can see objects in the LDAP directory. Anonymous access to that is usually turned off. So the bind account needs to have enough permissions to allow objects to be visible. In other terms the account needs to be able to enumerate the user accounts. You might want to use a tool like ldaptools on Linux to 'see' what the LDAP account can see.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
Re: AD permissions required for LDAP Bind account?
Would I be installing ldap tools on the Microsoft AD Domain Controller or the OpenVPN server itself?

openvpn_inc wrote: ↑Sun Jan 02, 2022 11:12 pm
> Hello Kiyomaka,
> The bind account is so only an authenticated user can see objects in the LDAP directory. Anonymous access to that is usually turned off. So the bind account needs to have enough permissions to allow objects to be visible. In other terms the account needs to be able to enumerate the user accounts. You might want to use a tool like ldaptools on Linux to 'see' what the LDAP account can see.
> Kind regards,
> Johan

By enumerate do you mean it should have enough access to view the properties and attributes of the user accounts signing into OpenVPN and any associated group dependencies?
openvpn_inc (OpenVPN Inc.)
Re: AD permissions required for LDAP Bind account?
Hello kiyomaka,
The ldaptools package can be installed on a Linux system, like on Access Server itself. You don't specifically have to use that one. There are also other tools that can let you browse an LDAP directory.
You would need to be able to list users and some of their attributes yes.
This page I Googled might be helpful to get you going with ldapsearch, which is part of ldaptools:
https://www.seei.biz/using-ldapsearch-t ... directory/
Kind regards,
Johan
OpenVPN Inc.
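A way to run the same check the Access Server is failing on, from the Access Server host itself, as an added example that is not from the thread or from OpenVPN Inc.: it builds the filter implied by the error message, runs it with ldapsearch bound as the service account (the DC hostname, bind DN and user name are placeholders; the group DN is the one from the error), and inspects the returned LDIF for the group DN.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the Access Server
# "Additional LDAP Requirement" check with ldapsearch while bound as the
# service account. Host, bind DN and user names are placeholders; the group
# DN is the one from the failing filter in the original post.
LDAP_URI="ldap://dc01.example.internal"                   # placeholder DC
BIND_DN="CN=svc-openvpn,CN=Users,DC=XX,DC=XXXX,DC=XXX"    # placeholder bind account
BASE_DN="DC=XX,DC=XXXX,DC=XXX"
GROUP_DN="CN=OpenVPNUsers,CN=Users,DC=XX,DC=XXXX,DC=XXX"

# The filter Access Server effectively evaluates: the user must exist AND
# carry the required group DN in memberOf.
build_filter() {
  printf '(&(sAMAccountName=%s)(memberOf=%s))' "$1" "$GROUP_DN"
}

# Run that search as the bind account (ldap-utils; -W prompts for the password).
# ldif-wrap=no keeps long DNs on one line so the check below cannot miss them.
# No entry for a user who is definitely in the group means the bind account
# cannot read the user object or its memberOf values, i.e. a permission problem
# on the AD side rather than a wrong group name.
query_as_bind_account() {
  ldapsearch -LLL -x -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_DN" -W \
    -b "$BASE_DN" "$(build_filter "$1")" dn memberOf
}

# Evaluate saved LDIF output: succeed only if the group DN appears as a memberOf
# value. Works on captured output, so it can be exercised without a live DC.
# (Plain DNs like the one above contain no regex metacharacters.)
has_required_membership() {
  printf '%s\n' "$1" | grep -qi -- "^memberOf: $2\$"
}

# Constructed sample of what a correctly permissioned bind account sees.
SAMPLE_OK='dn: CN=Alice Example,CN=Users,DC=XX,DC=XXXX,DC=XXX
memberOf: CN=OpenVPNUsers,CN=Users,DC=XX,DC=XXXX,DC=XXX
memberOf: CN=Domain Users,CN=Users,DC=XX,DC=XXXX,DC=XXX'

# Constructed sample of what a bind account that may read the user object but
# not its group backlinks sees: the entry comes back, memberOf does not.
SAMPLE_NO_MEMBEROF='dn: CN=Alice Example,CN=Users,DC=XX,DC=XXXX,DC=XXX'
```

Compare the output of `query_as_bind_account` with the same search run as an account known to work (such as the Domain Admins test from the original post): if only the privileged run returns memberOf, the delegation on the bind account is what needs fixing.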